[CentOS] SELinux - way of the future or good idea but !!!

Daniel J Walsh dwalsh at redhat.com
Tue Dec 7 17:31:55 UTC 2010



On 12/07/2010 11:59 AM, Benjamin Franz wrote:
> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>
>> Yes, SELinux and all MAC systems require that if the administrator puts
>> files in non-default directories, then they have to be told.  In
>> the case of SELinux, this involves correcting the labeling.  DAC has
>> similar problems, in that you need to make sure the permission flags and
>> ownership are correct.  Of course admins have been dealing with DAC for
>> years so they understand it, and the number of UID/Permission
>> combinations is more limited than the amounts of labels that SELinux
>> presents.
>>
>> I wrote this paper to try to explain what SELinux tends to complain about.
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
> 
> The fact remains that as the old saw goes: Make it hard enough to do 
> something and people will quit doing it.
> 
> SELinux remains *hard* for most non-default users. As the lead SE 
> developer, things you find utterly routine and only slightly annoying 
> are major roadblocks to many other people. You aren't the average user. 
> You aren't even close to one. A *sophisticated* user will see the 
> suggestion given by sealert to run chcon, follow it, *and have no idea 
> that a system relabel can screw it up again*. sealert doesn't even 
> mention the issue! It is as if the person who wrote the sealert messages 
> never considered that people would like things fixed permanently rather 
> than just until the next SELinux update relabels the system.
> 
> I have 15 years experience running Linux servers. And I find SELinux 
> damn annoying. I can work with it at need - but I'm generally pissed off 
> when I find 'yet another SELinux issue'. My boss, who is the fallback 
> admin here, would find it utterly opaque. He would have no idea where to 
> even start looking for an SELinux issue.
> 
> The issue is similar to that of using passwords of more than 10 
> characters composed of random mixed-case alphanumeric characters 
> (ideally with special characters mixed in). Yes - they are provably more 
> secure in a technical sense than virtually any easily remembered system. 
> However *real people* have to use the passwords. And they will put the 
> damn things on taped notes on the bottom of their laptop if you make 
> them too hard (not conjectural - I've caught people here doing exactly 
> that).
> 
> BTW: You have a typographical error on your semanage example. You don't 
> have a closing ' character on the file_spec.
> 

I am not arguing that SELinux is easy, I am arguing that it is not
rocket science.  I have worked for several years to try to make
SELinux easier to use, while making it more comprehensive and adding
tools like svirt and sandbox to give administrators more tools to secure
their systems.  We have fixed thousands of bugs in policy and
applications that were acting bad, so I have seen the problems people
have had with SELinux.  I am encouraged by the number of people who have
worked with SELinux and continue to leave SELinux enabled by default.
But I understand why SELinux is disabled on some machines.

RHEL6 SELinux usability compared to RHEL4 is light years better.  But
setting up security on a computer system is hard.  Then there is always
the battle between greater security versus decrease in usability as you
illustrate in your password example.

http://danwalsh.livejournal.com/2008/10/22/

We have a new version of setroubleshoot which will hopefully be far
easier to understand and will recommend the proper commands to set up
labeling versus using chcon.  We will hopefully be backporting this to
RHEL6.

Having people work with us to fix issues by reporting bugs, submitting
patches and any other help is greatly appreciated.



