First SELinux impressions
Posted Apr 12, 2004 15:48 UTC (Mon) by elanthis (guest, #6227) In reply to: First SELinux impressions by dac
Parent article: First SELinux impressions
The problem is that it's too hard to manage those security attributes. A much better configuration system could hide most of that complexity, similar to how a desktop like GNOME or KDE hides much of the underlying UNIX complexity. If all I want to do is say that /usr/sbin/apache can't access anything outside of /svr/www, I should be able to say that and have it work. Yes, that would mean a new configuration file format and a much more intelligent "compiler" than m4, but that's what is needed. Imagine being able to open up /etc/security/access.d/apache and put in:
binary /usr/sbin/apache {
    path / deny all
    path /etc/apache allow read
    path /svr/www/html allow read
    path /svr/www/cgi-bin allow read
    path /svr/www/tmp allow read,write
}
binary /usr/sbin/apacheconf {
    path / deny all
    path /etc/apache allow read,write
}
That would generate automatically any domains/types needed, tag files, etc. Very simple configuration input, very easy to read, easy to understand, etc. If you need more than "read" and "write" support, just say so. "read" may well just be a meta-privilege that is an alias for several lower-level capabilities.
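A sketch of the "compiler" this comment asks for, added here as an illustration; it is not code from the commenter or from the SELinux project. The type names derived from paths, the expansion of "read" and "write" into file permissions, the three-field non-MLS contexts and the restriction to the file class are all assumptions.

```python
import re

# The configuration from the comment above, copied as sample input.
SAMPLE = """\
binary /usr/sbin/apache {
path / deny all
path /etc/apache allow read
path /svr/www/html allow read
path /svr/www/cgi-bin allow read
path /svr/www/tmp allow read,write
}
binary /usr/sbin/apacheconf {
path / deny all
path /etc/apache allow read,write
}
"""
# Assumption: each meta-privilege expands to these SELinux file permissions.
PERMS = {"read": {"getattr", "open", "read"}, "write": {"append", "open", "write"}}

def parse(text):  # returns {binary: [(path, action, [privileges])]}
    rules, block = {}, None
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        head = re.fullmatch(r"binary\s+(/\S+)\s*\{", line)
        rule = re.fullmatch(r"path\s+(/\S*)\s+(allow|deny)\s+(\S+)", line)
        if head:
            block = rules.setdefault(head.group(1), [])
        elif rule and block is not None:
            block.append((rule.group(1), rule.group(2), rule.group(3).split(",")))
        elif line == "}":
            block = None
        elif line:
            raise ValueError(f"line {n}: cannot parse {line!r}")
    return rules

def compile_policy(rules):  # returns (file-context lines, allow rules)
    labels, allows = {}, []
    for binary, entries in rules.items():
        name = binary.rsplit("/", 1)[1]
        labels[binary] = f"-- system_u:object_r:{name}_exec_t"
        for path, action, privs in entries:
            if path == "/":
                continue  # root is never labelled here; SELinux denies by default
            # A file carries one label, so types come from the path, not the binary.
            ftype = re.sub(r"\W+", "_", path.strip("/")) + "_t"
            labels[path + "(/.*)?"] = "system_u:object_r:" + ftype
            if action == "allow":  # a denied path gets a label but no allow rule
                perms = sorted(set().union(*(PERMS[p] for p in privs)))
                allows.append(f"allow {name}_t {ftype}:file {{ {' '.join(perms)} }};")
    return [f"{k} {v}" for k, v in labels.items()], allows
```

Because /etc/apache appears under both binaries, it is labelled once and both domains receive their own allow rule on the shared type, which is the bookkeeping the proposed format would hide from the administrator.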
