On Sun, 2010-11-28 at 23:42 +0000, Marko Vojinovic wrote:
On Sunday 28 November 2010 22:40:41 brett mm wrote:
This is where, as a sysadmin, you need to invest just a little time and effort learning the system. Honestly, the vast majority of issues are trivial to solve if you just spend a few hours reading the docs/guides, and even if you really can't be bothered there are kind folks on this list (and others) that will likely solve your issues for you. How is that not worth the extra security SELinux affords?
In reality, I am not at all sure that a quantum leap in complexity adds to security at all. Any proper use of old-school group permissions can give as finely-grained a security policy as you would like.
No, you're wrong --- SELinux exists precisely because the old-school permissions system is *not* fine-grained enough. That's why SELinux was actually invented, to introduce a more fine-grained control over access.
+1
I am lazy to search now, but I remember seeing a couple of typical counter- examples, where usual permissions system is completely incapable of implementing the level of access control that SELinux gives you.
Even if it is *possible*, the traditional UNIX permissions are a serious *PAIN*. If you want two users to have rw- to a file you... create a group of two users??? You end up with a zillion groups - which is pointless and unmaintainable. Thank goodness for ACL support and setfacl/getfacl. While that isn't SELinux the principal is the same - the tools should rise to match the practice, not the practice be mashed into the functionality of inferior tools.
I was a disable-selinux guy because it seemed like a black box. But I saw ke4qqq present at Ohio LINUX on SELinux and now I'm a believer; it doesn't take much effort and SELinux really is understandable. http://www.whitemiceconsulting.com/2010/09/ohio-linuxfest-2010.html SELinux can even generate the required policies for you! It is an impressively well thought out tool and as indispensable as iptables.