[CentOS] SELinux - way of the future or good idea but !!!
Adam Tauno Williams
awilliam at whitemice.org
Mon Nov 29 13:35:26 UTC 2010
On Sun, 2010-11-28 at 23:42 +0000, Marko Vojinovic wrote:
> On Sunday 28 November 2010 22:40:41 brett mm wrote:
> > > This is where, as a sysadmin, you need to invest just a little time and
> > > effort learning the system. Honestly, the vast majority of issues are
> > > trivial to solve if you just spend a few hours reading the docs/guides,
> > > and even if you really can't be bothered there are kind folks on this
> > > list (and others) that will likely solve your issues for you. How is
> > > that not worth the extra security SELinux affords?
> > In reality, I am not at all sure that a quantum leap in complexity
> > adds to security at all. Any proper use of old-school group
> > permissions can give as finely-grained a security policy as you would
> > like.
> No, you're wrong --- SELinux exists precisely because the old-school
> permissions system is *not* fine-grained enough. That's why SELinux was
> actually invented, to introduce a more fine-grained control over access.
+1
> I am too lazy to search now, but I remember seeing a couple of typical counter-
> examples, where the usual permissions system is completely incapable of
> implementing the level of access control that SELinux gives you.
Even if it is *possible*, the traditional UNIX permissions are a serious
*PAIN*. If you want two users to have rw- to a file you... create a
group of two users??? You end up with a zillion groups - which is
pointless and unmaintainable. Thank goodness for ACL support and
setfacl/getfacl. While that isn't SELinux, the principle is the same -
the tools should rise to match the practice, not the practice be mashed
into the functionality of inferior tools.
I was a disable-selinux guy because it seemed like a black box. But I
saw ke4qqq present at Ohio LINUX on SELinux and now I'm a believer; it
doesn't take much effort and SELinux really is understandable.
<http://www.whitemiceconsulting.com/2010/09/ohio-linuxfest-2010.html>
SELinux can even generate the required policies for you! It is an
impressively well thought out tool and as indispensable as iptables.
--
Adam Tauno Williams <awilliam at whitemice.org> LPIC-1, Novell CLA
<http://www.whitemiceconsulting.com>
OpenGroupware, Cyrus IMAPd, Postfix, OpenLDAP, Samba
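As an added example, not part of this message or the thread: the two-users-rw case above is exactly what `setfacl -m u:alice:rw,u:bob:rw file` covers, and the catch practitioners hit is the ACL mask, which caps every named-user and group entry and is rewritten whenever someone runs `chmod` on the group bits. The script parses constructed `getfacl` output (file name and user names are assumptions) and reports who can actually write once the mask is applied.

```python
# Added example (not from the mailing-list post): parse `getfacl` output and
# compute what each ACL entry actually grants once the mask is applied.

# Constructed sample: what `getfacl shared.conf` prints after
#   setfacl -m u:alice:rw,u:bob:rw shared.conf
# followed by `chmod g-w shared.conf`, which on Linux rewrites the mask to r--.
SAMPLE_GETFACL = """\
# file: shared.conf
# owner: root
# group: root
user::rw-
user:alice:rw-              #effective:r--
user:bob:rw-                #effective:r--
group::r--
mask::r--
other::---
"""

# The same ACL after the mask is restored with `setfacl -m m::rw shared.conf`.
FIXED_GETFACL = SAMPLE_GETFACL.replace("mask::r--", "mask::rw-")

def parse_acl(text):
    """Return [(tag, qualifier, set_of_rwx_bits)] for each ACL entry line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop headers and '#effective:' notes
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, {c for c in perms if c != "-"}))
    return entries

def effective_perms(entries):
    """Map each entry ('user', 'user:alice', 'group', 'other') to its effective rwx.
    The mask caps named users, the owning group and named groups; owner and other are exempt."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    result = {}
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        capped = tag == "group" or (tag == "user" and qual != "")
        if mask is not None and capped:
            perms = perms & mask
        key = f"{tag}:{qual}" if qual else tag
        result[key] = "".join(c if c in perms else "-" for c in "rwx")
    return result

def writers(text):
    """Entries that can actually write to the file, after the mask is applied."""
    return sorted(k for k, p in effective_perms(parse_acl(text)).items() if "w" in p)

if __name__ == "__main__":
    print("after chmod g-w:", writers(SAMPLE_GETFACL))   # ['user'] - alice and bob lost write
    print("mask restored:  ", writers(FIXED_GETFACL))    # ['user', 'user:alice', 'user:bob']
```

`ls -l` only shows a `+` after the mode bits when an ACL is present, so the masked-out entries are invisible until you run `getfacl` and look for the `#effective:` notes.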