Distributors ponder a systemd change
Posted Jun 8, 2016 16:41 UTC (Wed) by rahulsundaram (subscriber, #21946)
In reply to: Distributors ponder a systemd change by jberkus
Parent article: Distributors ponder a systemd change
This is definitely not true. You can find plenty of examples even in the comments thread of programs that don't exit cleanly. I do think distributions are doing the right thing in disabling this feature for now; it is definitely not a desktop-only problem.
> Second, if it was really a security issue, it belongs in SELinux
That might be true if SELinux was more widely adopted. Unfortunately, that isn't the case.
Posted Jun 8, 2016 17:05 UTC (Wed)
by jberkus (guest, #55561)
> That might be true if SELinux was more widely adopted. Unfortunately, that isn't the case.
That's a "but the light's better over here" argument. Poettering is pushing this because it's "the right thing to do". But the *right* thing to do is for it to be in SELinux, where there can be actual admin policies around process-killing instead of just an on/off switch. So we should either do the expedient thing to do (which is to leave the defaults where they are) or the right thing to do (which is to put this in SELinux with hooks in systemd to support it). This change is neither right, nor expedient.
Posted Jun 8, 2016 17:12 UTC (Wed)
by rahulsundaram (subscriber, #21946)
> But the *right* thing to do is for it to be in SELinux
I don't see why SELinux is the obviously right place to do it.
> where there can be actual admin policies around process-killing instead of just an on/off switch
It isn't just a switch in systemd. You can have admin policies in polkit.