[CentOS] SELinux - way of the future or good idea but !!!

m.roth at 5-cent.us
Mon Nov 29 10:31:33 EST 2010


Adam Tauno Williams wrote:
> On Sun, 2010-11-28 at 23:42 +0000, Marko Vojinovic wrote:
>> On Sunday 28 November 2010 22:40:41 brett mm wrote:
>> > > This is where, as a sysadmin, you need to invest just a little time
>> and effort learning the system. Honestly, the vast majority of issues
<snip>
>> > In reality, I am not at all sure that a quantum leap in complexity
>> > adds to security at all. Any proper use of old-school group
>> > permissions can give as finely-grained a security policy as you would
>> > like.
>> No, you're wrong --- SELinux exists precisely because the old-school
>> permissions system is *not* fine-grained enough. That's why SELinux was
>> actually invented, to introduce a more fine-grained control over access.
>
No, SELinux is a *royal* pain. It may be good for a production box that
has systems tested to within an inch of their lives, and you go through an
approval process... but for anything else, most folks put it into
permissive mode. Certainly, we do, given that there are some AVCs I've
been trying to figure out for *months*, and still don't know how to fix,
or where the files are that it's complaining about; or I want to allow this,
but not everything, and have no clue how to allow *only* that, etc.
<snip>
> Even if it is *possible*, the traditional UNIX permissions are a serious
> *PAIN*.  If you want two users to have rw- to a file you...  create a
> group of two users???  You end up with a zillion groups - which is
> pointless and unmaintainable.  Thank goodness for ACL support and

You mean like the std. upstream practice of creating, by default, a new
group for EVERY BLOODY USER, and not, by default, dumping them into, say,
users?
<snip>
          mark
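As an added example (not from this thread, nor from the CentOS or SELinux projects), the script below does by hand what audit2allow does with the denials mark describes: it parses AVC lines out of audit.log, reports where the file an AVC complains about lives (path= when present, otherwise dev=/ino= and the find command to resolve the inode), and renders a policy module that allows exactly the observed (source type, target type, class, permissions) tuples and nothing else, which is the "allow only that" alternative to permissive mode. The AVC lines, pids, inodes, paths and contexts in it are constructed for illustration; the module name local_avc is an assumption.

```python
"""Derive a minimal SELinux allow rule set from AVC denials.

Added example, not from the CentOS list post or from the SELinux project:
it re-implements the core of what `audit2allow` does so the shape of a
narrow local policy module is visible. Every AVC line below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample denials in the CentOS 5/6 audit.log format (hypothetical
# pids, inodes, paths and contexts; not taken from the thread).
SAMPLE_AVCS = """\
type=AVC msg=audit(1291044693.521:3017): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=131085 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1291044693.522:3018): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/mark/public_html/index.html" dev=dm-0 ino=131085 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1291044700.100:3021): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# The denied permission set, then the three fields that identify the rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Generic key=value / key="quoted value" fields (pid, comm, name, path, dev, ino, ...).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["perms"] = sorted(m.group("perms").split())
    # A context is user:role:type:level; the type is what policy rules are written on.
    rec["stype"] = m.group("scontext").split(":")[2]
    rec["ttype"] = m.group("tcontext").split(":")[2]
    rec["tclass"] = m.group("tclass")
    return rec


def summarize(log_text):
    """Group denials into (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return rules


def te_module(rules, name="local_avc"):
    """Render policy module source (.te) allowing exactly the observed tuples."""
    types = set()
    classes = defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["    type %s;" % t for t in sorted(types)]
    lines += ["    class %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return "\n".join(lines) + "\n"


def locate_hint(rec):
    """Where is the object an AVC complains about? path= if logged, else dev=/ino=."""
    if "path" in rec:
        return rec["path"]
    if "ino" in rec and "dev" in rec:
        # The inode only means something on the filesystem dev= names; look up
        # that device's mount point (e.g. with findmnt) before running find.
        return "dev=%s ino=%s -> find <mountpoint of %s> -xdev -inum %s" % (
            rec["dev"], rec["ino"], rec["dev"], rec["ino"])
    return rec.get("name", "?")


if __name__ == "__main__":
    rules = summarize(SAMPLE_AVCS)
    print(te_module(rules))
    for avc_line in SAMPLE_AVCS.splitlines():
        rec = parse_avc(avc_line)
        print(rec["comm"], rec["perms"], rec["tclass"], "->", locate_hint(rec))
    # To load the rendered module on a CentOS box:
    #   checkmodule -M -m -o local_avc.mod local_avc.te
    #   semodule_package -o local_avc.pp -m local_avc.mod
    #   semodule -i local_avc.pp
```

Before loading such a module, check whether the denial is really a labeling or boolean problem: httpd_t being denied on user_home_t is the classic case of a file that should carry httpd_sys_content_t (fix with semanage fcontext plus restorecon) or of a boolean such as httpd_enable_homedirs being off, and the port denial above is what httpd_can_network_connect_db exists for. audit2why names the booleans that would clear a given AVC; an allow rule is the right answer only when neither relabeling nor a boolean fits.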