[CentOS] SELinux - way of the future or good idea but !!!

Daniel J Walsh dwalsh at redhat.com
Tue Dec 7 17:53:16 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/07/2010 12:46 PM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>>>
>>>> Yes SELinux and all MAC systems require that if the administrator puts
>>>> files in non-default directories, then they have to be told.
>>>> In the case of SELinux, this involves correcting the labeling.  DAC has
> <snip>
>>>> I wrote this paper to try to explain what SELinux tends to complain
>>>> about.
>>>>
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>>>
>>> The fact remains that as the old saw goes: Make it hard enough to do
>>> something and people will quit doing it.
>>>
>>> SELinux remains *hard* for most non-default users. As the lead SE
> <snip>
>>> I have 15 years experience running Linux servers. And I find SELinux
> 
> Ditto, and that's also Solaris and Tru-64.
> 
>>> damn annoying. I can work with it at need - but I'm generally pissed off
>>> when I find 'yet another SELinux issue'. My boss, who is the fallback
>>> admin here, would find it utterly opaque. He would have no idea where to
>>> even start looking for an SELinux issue.
> 
> Yup.
> <snip>
>> I am not arguing that SELinux is easy, I am arguing that it is not
>> rocket science.  I have worked for several years to try to make
> 
> If rocket science means very difficult and obscure, yes, it is.
> 
>> SELinux easier to use, while making it more comprehensive and adding
>> tools like svirt and sandbox to give administrators more tools to secure
>> their systems.  We have fixed thousands of bugs in policy and
>> applications that were acting badly, so I have seen the problems people
>> have had with SELinux. I am encouraged by the number of people who have
>> worked with SELinux and continue to leave SELinux enabled by default.
>> But I understand why SELinux is disabled on some machines.
> <snip>
> What have you done for folks who have third-party software, either F/OSS
> or COTS, or in-house developed stuff, *none* of which was written with
> selinux in mind, and is *not* going to be rewritten any time soon? You've
> seen me on the selinux list, and I have yet to figure out why I see the
> complaints about contexts, since they *appear* to be temp files, and I
> don't know where they're located, or where the CGI scripts that create
> them are, and *all* of it's got the added complexity that some of that is
> on NFS-mounted directories.
> 
>          mark
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

We have attempted to work with them, set up default labeling for them
when we know about the problems, embarrass them when they say you need
to disable SELinux.  Red Hat is working on new developer tools to help
third party developers work on RHEL systems.  I am not sure what else I
can do to get them to work with the security systems in place on RHEL.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz+dIsACgkQrlYvE4MpobPOYgCfda4PZuY809Hatmg3EMMRwAYk
dJoAoNcTrfM7izAnsGZIf/INEIzSQCk9
=Y6L+
-----END PGP SIGNATURE-----
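Mark's complaint in the quoted text, context denials on temp files whose location and creating CGI script he cannot find, some of them on NFS mounts, can be triaged from the audit log rather than by guessing: the AVC record carries the source and target contexts, and the SYSCALL, CWD and PATH records that share its serial number carry the full path. The Python script below is an added example written for this thread, not code from the list or from Red Hat's tools; the audit.log excerpt inside it is constructed, and the function names and the hint text are my own. It joins the records by serial, recovers the absolute path of the denied object, and distinguishes ordinary mislabeled files (fixable with restorecon or a semanage fcontext rule) from objects on NFS, whose nfs_t label restorecon cannot change.

```python
import posixpath
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the thread): a CGI script writing a
# session file on an NFS mount, then httpd reading a page under a home directory.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291744396.123:4567): avc:  denied  { write } for  pid=2231 comm="upload.cgi" name="sess_a1b2" dev="0:26" ino=1188 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1291744396.123:4567): arch=c000003e syscall=2 success=no exit=-13 a0=1c9a3c0 a1=241 a2=1b6 a3=0 items=2 ppid=2200 pid=2231 comm="upload.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=CWD msg=audit(1291744396.123:4567):  cwd="/srv/app/cgi-bin"
type=PATH msg=audit(1291744396.123:4567): item=0 name="/mnt/appdata/tmp/" inode=1180 dev=00:1a mode=040755 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=PATH msg=audit(1291744396.123:4567): item=1 name="/mnt/appdata/tmp/sess_a1b2" inode=1188 dev=00:1a mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=AVC msg=audit(1291744401.555:4570): avc:  denied  { read } for  pid=2235 comm="httpd" name="index.html" dev=dm-0 ino=9901 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1291744401.555:4570): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=1 ppid=2200 pid=2235 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=CWD msg=audit(1291744401.555:4570):  cwd="/"
type=PATH msg=audit(1291744401.555:4570): item=0 name="/home/mark/site/index.html" inode=9901 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')   # the { read write } permission set


def parse_records(text):
    """Parse audit lines into {serial: [record dicts]}; the serial ties one syscall's records together."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['body'])}
        rec = {'type': m['type'], 'serial': int(m['serial']), **fields}
        if rec['type'] == 'AVC':
            pm = PERM_RE.search(m['body'])
            rec['perms'] = pm.group(1).split() if pm else []
        events[rec['serial']].append(rec)
    return events


def resolve_denials(events):
    """For every AVC denial, join it to the PATH/CWD records of the same serial to recover the real path."""
    out = []
    for serial, recs in sorted(events.items()):
        avcs = [r for r in recs if r['type'] == 'AVC']
        paths = [r for r in recs if r['type'] == 'PATH']
        cwd = next((r.get('cwd') for r in recs if r['type'] == 'CWD'), None)
        for avc in avcs:
            # Prefer the PATH item whose inode equals the denied object's ino; else the last item.
            match = next((p for p in paths if p.get('inode') == avc.get('ino')),
                         paths[-1] if paths else None)
            path = match['name'] if match else avc.get('name')
            if path and not path.startswith('/') and cwd:
                path = posixpath.join(cwd, path)   # relative name: anchor it at the process cwd
            out.append({
                'serial': serial, 'comm': avc.get('comm'), 'perms': avc.get('perms', []),
                'tclass': avc.get('tclass'), 'path': path, 'cwd': cwd,
                'source_type': avc['scontext'].split(':')[2],   # e.g. httpd_sys_script_t
                'target_type': avc['tcontext'].split(':')[2],   # e.g. nfs_t
            })
    return out


def hint_for(d):
    """Suggested defender-side next step for one resolved denial (my own wording, not an official procedure)."""
    if d['target_type'] == 'nfs_t':
        return ("object is on an NFS mount labelled nfs_t, so restorecon cannot relabel it; "
                "grant the domain NFS access with the relevant boolean (getsebool -a | grep nfs) "
                "or mount the export with an explicit context= option")
    parent = posixpath.dirname(d['path'])
    return (f"compare 'ls -Z {d['path']}' with 'matchpathcon {d['path']}'; if the policy expects "
            f"a different label, run 'restorecon -Rv {parent}'; if {parent} is a non-default "
            f"location, register it first with 'semanage fcontext -a -t <type> \"{parent}(/.*)?\"'")


def report(text):
    """Human-readable triage list: who was denied what, on which path, with a hint per denial."""
    lines = []
    for d in resolve_denials(parse_records(text)):
        lines.append(f"[{d['serial']}] {d['comm']} ({d['source_type']}) denied {','.join(d['perms'])} "
                     f"on {d['tclass']} {d['path']} [{d['target_type']}] cwd={d['cwd']}")
        lines.append("    hint: " + hint_for(d))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG))
```

On a real box, feed it `ausearch -m avc --raw` (or the raw /var/log/audit/log) instead of the constructed sample; the join by serial is what turns the bare `name="sess_a1b2"` of an AVC line into a path you can hand to matchpathcon or restorecon.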


