[bubblethink]

>There is no reason that these issues can't be ironed out going forward.

That's true in principle, but selinux still doesn't see that much adoption outside of the distro configured policies for typical server usecases. A lot of desktop apps run unconfined. So I think this is where openbsd's approach to stuff like this is more practical. They iterate and wait before rolling out features like pledge or unveil so that they know that 1) It can be made to work with at least 50 apps (read this is one of their slide decks) 2) They can tackle a complex enough application like chromium. Flatpak, selinux or any of the other security mechanisms are completely ineffective if users or developers are largely ignoring them.

[cyphar]

> selinux or any of the other security mechanisms are completely ineffective if users or developers are largely ignoring them

SELinux works by default on Fedora, and even has a nice GUI popup that explains to you what happened when an SELinux policy blocked an action (so that you can reconfigure it). It's pretty neat, and is massive improvement to SELinux of old -- I would recommend trying it if you haven't recently.

[bubblethink]

Yes, I think my point still stands that a large number of desktop apps either have lax policies or run unconfined. I don't know if things have changed that much recently. Confinement is opposite of ease of use. So Fedora/RHEL have selinux in enforcing mode, but the policies are still more effective for servers. I don't know how far they go with the policies for desktop.

[Conan_Kudo]

It'd be nice to see this stuff in (open)SUSE too. wink wink