On Wed, 2008-10-29 at 16:52 -0400, Colin Walters wrote:
> On Wed, Oct 29, 2008 at 4:39 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > No this is about PolicyKit being another MAC system that needs
> > configuring.
>
> Of course it would be ideal if there were One True MAC system, but
> AFAIK the story on SELinux is still that the system must be secure
> without it, and other vendors that we care about from the desktop
> perspective (personally I just care about Ubuntu and OpenSolaris)
> haven't yet finished integrating it.

Of course just so it's been said... setting capabilities on binaries has
little to do (or should have *very* little to do) with SELinux. Ever :)

Personally I think switching to fully POSIX file caps is a wonderful
idea for sometime around 2010 or a bit later, but it's not practical for
regular system utilities that might be sitting on older filesystems to
do this today. Root NFS will break, many custom spins, just a lot of
stuff is going to be very unhappy if we start doing this.

Jon.