On Wed, Jan 11, 2012 at 01:49:29PM -0600, Les Mikesell wrote:
> On Wed, Jan 11, 2012 at 1:23 PM, Lamar Owen <lowen@pari.edu> wrote:
>> SELinux does not 'go out of its way' to 'break' anything; rather, SELinux enforces a deny by default 'need to access' policy.
> Yes, the breakage came from having someone who didn't understand the needs define that policy.
I think part of the problem is that Linux+SELinux is a _different platform_ to Linux without SELinux.
On any Unix or Linux system I can install apache, configure it so that DocumentRoot is /mywebtree/htdocs, CGIs are in /mywebtree/cgi. The CGI can write to /myapp/tmpdir and so on. And it will work the same way on all of those platforms. On Linux+SELinux, however, you need to do additional work. The platform needs to be configured to allow this to work.
Developers need to target Linux+SELinux as if it was a new platform to be supported.
But what about the gazillion apps that don't support that platform? Either you disable SELinux or you have a large support overhead (initial onboarding of app, verification that updates to app still work, verification that OS updates don't break app, etc etc).
Is the additional security worth it?
Maybe. Maybe not. That's up to each individual to determine.
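The "additional work" the message describes for a DocumentRoot, CGI directory and writable scratch directory outside the packaged paths is, under the targeted policy, mostly file labelling. The following POSIX shell helper is an added example, not something posted in the thread or shipped by any project: it uses the directory names from the message (/mywebtree/htdocs, /mywebtree/cgi, /myapp/tmpdir) as hypothetical paths, assumes the standard httpd types of the targeted policy and the `semanage`, `restorecon` and `ausearch` tools from policycoreutils and audit, and prints the labelling plan by default so it can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): persistent SELinux file-context labelling
# for an Apache tree laid out as in the message above. The paths are the
# hypothetical ones the message uses; the type names are the standard httpd
# types of the targeted policy.
WEBROOT=/mywebtree/htdocs     # DocumentRoot: read-only static content
CGIDIR=/mywebtree/cgi         # CGI scripts: executable by httpd
APPTMP=/myapp/tmpdir          # scratch space the CGIs must write to

# Map a directory's role to the type httpd_t (or its script domain) needs on it.
selinux_type_for() {
  case "$1" in
    htdocs) echo httpd_sys_content_t ;;      # httpd may read
    cgi)    echo httpd_sys_script_exec_t ;;  # httpd may execute as a CGI
    rw)     echo httpd_sys_rw_content_t ;;   # httpd and its scripts may write
    *)      echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Print the two commands that make a label persistent: a file-context rule for
# the subtree, then a relabel of what is on disk now. A plain chcon would be
# undone by the next full relabel or by restorecon during an update.
label_cmds() {
  role=$1; dir=$2
  type=$(selinux_type_for "$role") || return 1
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$dir"
  printf 'restorecon -Rv %s\n' "$dir"
}

# The full plan for the layout in the message: six commands, two per directory.
plan() {
  label_cmds htdocs "$WEBROOT" &&
  label_cmds cgi    "$CGIDIR"  &&
  label_cmds rw     "$APPTMP"
}

# Consistency check for the "did the OS update break it" case: restorecon -n
# changes nothing, and -v lists each file whose on-disk label differs from the
# policy, so no output means the tree still matches the rules above.
verify_labels() {
  mismatches=$(restorecon -Rnv "$1" 2>/dev/null | wc -l | tr -d ' ')
  [ "$mismatches" -eq 0 ]
}

# When a CGI starts failing after an app update, read the denials instead of
# guessing: recent AVC records whose process name is httpd.
recent_httpd_denials() {
  ausearch -m AVC -ts recent -c httpd 2>/dev/null
}

plan                     # default: show the plan only
if [ "${APPLY:-0}" = 1 ]; then
  plan | sh &&
  verify_labels "$WEBROOT" && verify_labels "$CGIDIR" && verify_labels "$APPTMP"
fi
```

Run it as root with `APPLY=1` to apply the plan; `semanage fcontext -a` refuses to add a rule that already exists, so re-runs on a labelled system should use `-m` for the existing rules. Labelling covers the read, execute and write paths in the message; anything beyond that (network connections from a CGI, for instance) is governed by httpd booleans rather than file contexts, and `recent_httpd_denials` is the quickest way to see which one is being hit.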