On 23. 02. 21 at 23:00, Thorsten Kukuk wrote:
We have everything which is required to install and enable it, we have meanwhile QA for it, and for MicroOS it's now even the default and works fine as Container Host.
True,

    ~@stitny$ getenforce
    Permissive
    ~@stitny$

(that's my main workstation), but I know perfectly well (from my experience with SELinux at Red Hat) that for real SELinux use we need at least one full-time employee who doesn't do anything other than fix SELinux policy to make it work. Then we can get to a state like Fedora's, where well over two thirds of installations have SELinux in the enforcing state, but without that it feels like bungee-jumping without the cord.
For everything else, as already written some time ago: we need volunteers who test their typical workload, report bugs and, even better, help to debug and adjust the policy. There will not magically be an army of people fixing everything for you.
We don't need an army, but somebody who would respond in some reasonable response time to my bugs (that's absolutely zero criticism of you or Johannes, but I am afraid neither of you has SELinux as his only responsibility, right?).
At least on MicroOS, the state of SELinux is much better than that of AppArmor, where we don't even have profiles for most services. The last time I checked, we had one service without an SELinux profile on MicroOS, while with AppArmor, only one service was protected...
Nothing in any of my messages should indicate that I approve of AppArmor, or that I think we actually support it.

Best,

Matěj
--
https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

I disapprove of what you say, but I will defend to the death your right to say it.
    -- mistakenly attributed to Voltaire