Quoting Mike Hearn <mike@...333...>:
> Yes, that is what I was told before. Centralising policy lets you perform a better analysis of it, is that right?
> I'm not really convinced ... you could apply that logic to any facet of software development. By all means have central groupings of experts to go for *review* of policy, but actually writing it and maintaining it downstream seems like a losing proposition (it won't always reflect the latest version of the software correctly).
I think the difference is that at this point in time, designing and writing selinux policies is new to everybody. This is bleeding-edge stuff, where best practices and broadly applicable conventions are only beginning to evolve. Most upstream projects aren't going to have people with the requisite background.
Under those circumstances I think it does make some sense to concentrate the knowledge in one place, where everyone can easily share experience.
In the long-term, yes, I think it would eventually make sense to push the task to upstream maintainers, at least in large part. But the knowledge infrastructure just isn't there yet.
For a historical parallel, look at the way packaging for various distributions has evolved. These days most projects provide their own .spec files and debian/ directories (which distributions often use as a basis, even if they don't use them directly), but it was not always so...
-mental