[CentOS] SELinux - way of the future or good idea but !!!
Paul Heinlein
heinlein at madboa.com
Tue Dec 7 18:34:39 UTC 2010
On Tue, 7 Dec 2010, m.roth at 5-cent.us wrote:
>> I am not arguing that SELinux is easy, I am arguing that it is not
>> rocket science. I have worked for several years to try to make
>
> If rocket science means very difficult and obscure, yes, it is.

I've got to cry "foul" here. "Difficult and obscure" can be applied to
just about any *nix command-line utility (or Windows registry hack, or
Mac OpenDirectory tweak, ...).

I don't consider SELinux any more difficult to understand and manage
than other Linux security-related controls like iptables or extended
ACLs. That isn't to say that my mother-in-law would take to it, but
I'd expect any sysadmin on my IT staff to be able to learn it.

In that sense, it's certainly not rocket science.

Daniel's other point concerns increased usability.

I've been using SELinux for a while now -- not always successfully,
and I certainly do NOT consider myself an expert -- and it's quite
apparent to me that the folks at Red Hat have unquestionably made it
easier to use over that time.

It's apparently quite difficult to write policies for some
applications (*cough* Nagios) that want to do a ton of things -- and
third-party or in-house apps have a different set of challenges -- but
I can't imagine anyone claiming that there hasn't been marked progress
in SELinux usability over the CentOS 4 -> 5 life cycles.

--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/