My problem with SELinux is that it is far, far too complex to configure.
You could in theory replace all of the existing SELinux policy generation code with your own. The system is extremely flexible and I don't believe the kernel cares at all if you use the provided types and domains. If you don't want such a granular system, you could make your own policy generator that had very simple input expressions. This would admittedly be a lot of work up-front.
The default ruleset already does some of this in the form of m4 macros, so that you don't have to write out every little rule by hand. I know of projects that have used much more complex macros to abstract away more of the details.
Copyright © 2017, Eklektix, Inc.