Lamar Owen wrote:
On Monday, November 29, 2010 09:35:44 pm Les Mikesell wrote:
Not so much a problem - I'm just saying that you should do the simple things that have always worked first, then add SELinux if you want.
<snip>
Now, I want to ask, given the two alternatives: 1.) Set up another uid to run PDF, browser, flash, etc and either switch between them or use some display indirection/ forwarding complexity to not have to switch, or fire up a VMware resource hog (I do use VMware; firing up a whole 'nother OS in a VM reduces the performance of host apps, no matter how I tune them) and use Unity to make it look seamless....
or
2.) Be able to tell my os 'PDF reader can only do X to these files, and no others. Browser cannot read ~/Documents, and can only write in ~/.mozilla. Flash plugin cannot write anywhere without specific user permission and can only read those files it requires to work.'
Gag! And suppose you d/l a pdf, or an html of a manual, or the company holiday party flyer, or the meeting announcement - the way you describe it, above, I can't look at them. <snip> As I said, the whole arcane policy language, and it being for *everything*... and you've said it's esp. for apache, and most of the AVC's I see that I have problems even figuring out what it's complaining about, have been related to apache and cgi, etc.
Sorry, but I think selinux is a side pathway that leads to an unnavigable swamp. And training folks - you need a number of folks *all* of whom can deal with that swamp.
Unless, of course, you want to be so irreplaceable that they don't want you to ever take a vacation, and are on call 24x7x365.25.
mark, been there without realizing it, done that, WON'T DO IT AGAIN
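The AVC denials mark mentions above are readable once they are pulled apart into source domain, target label, object class and permission; that is the first step in deciding whether a denial is a mislabelled file, a boolean that needs flipping, or a real policy violation. The following is an added example, not code from this thread: a small Python parser over constructed audit.log-style lines (the PIDs, file names and contexts are made up) that turns each record into a plain sentence and tallies denials for triage.

```python
import re
from collections import Counter

# Constructed audit.log-style AVC records (not from the thread).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1291086944.123:456): avc:  denied  { read } for  pid=1234 '
    'comm="httpd" name="index.cgi" dev=sda1 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1291086950.001:457): avc:  denied  { name_connect } for  '
    'pid=1234 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(r'avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    # A context is user:role:type[:level]; policy rules are written against the type.
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    # Return a dict for one AVC record, or None for any other audit record (SYSCALL, CWD, ...).
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'action': m.group('action'),
        'perms': sorted(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'src_type': context_type(fields.get('scontext', '')),
        'tgt_type': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', '?'),
        # Files carry name= or path=; network objects carry dest= (a port number).
        'target': fields.get('name') or fields.get('path') or fields.get('dest') or '?',
    }

def describe(rec):
    # One plain sentence per record: which domain, which permission, which label.
    return '%s (domain %s) was %s %s on %s "%s" labelled %s' % (
        rec['comm'], rec['src_type'], rec['action'], ' '.join(rec['perms']),
        rec['tclass'], rec['target'], rec['tgt_type'])

def triage(lines):
    # Count denials by (source type, target type, class, permission).
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec['perms'] if rec['action'] == 'denied' else ():
            counts[(rec['src_type'], rec['tgt_type'], rec['tclass'], perm)] += 1
    return counts
```

Feeding `grep avc: /var/log/audit/audit.log` through `triage` shows which (domain, label, class, permission) tuple repeats most, which is usually the one worth understanding before any rule is added.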