[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 16:27:52 UTC 2010
Lamar Owen <lowen at pari.edu>

On Monday, November 29, 2010 09:35:44 pm Les Mikesell wrote:
> Not so much a problem - I'm just saying that you should do the simple things 
> that have always worked first, then add SELinux if you want.

First, I hope everyone else is enjoying the thread as much as I; I always like to see divergent opinions, especially by those who in other venues have proven their technical mettle, of which this list has plenty.  And, while I am more than aware that this is not CentOS-specific, it is directly related to a default CentOS installation, that is, SELinux in enforcing mode with the targeted policy (last I installed C5.5 that was the case).

Now, I want to ask, given the two alternatives:
1.) Set up another uid to run PDF, browser, flash, etc and either switch between them or use some display indirection/ forwarding complexity to not have to switch, or fire up a VMware resoure hog (I do use VMware; firing up a whole 'nother OS in a VM reduces the performance of host apps, no matter how I tune them) and use Unity to make it look seamless....

or

2.) Be able to tell my os 'PDF reader can only do X to these files, and no others.  Browser cannot read ~/Documents, and can only write in ~/.mozilla.  Flash plugin cannot write anywhere without specific user permission and can only read those files it requires to work.'

As to the trust issue, well, I trust the SELinux code as much as any other code in the Linux kernel, including the uid:gid permissions code.  I know in all cases that the code is getting well-qualified eyes looking at it, and, should I want to train myself to look at it in that detail, I can.

There are sever-side equivalent examples, but I am purposely playing the desktop advocate here, so I'll leave those as a reader exercise.