Daniel J Walsh wrote:
> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>> Yes SELinux and all MAC systems require that if the administrator puts files in non-default directories, then they have to be told. In the case of SELinux, this involves correcting the labeling. DAC has
<snip>
>>> I wrote this paper to try to explain what SELinux tends to complain about.
>>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_t...
>> The fact remains that, as the old saw goes: make it hard enough to do something and people will quit doing it.
>> SELinux remains *hard* for most non-default users. As the lead SE
<snip>
>> I have 15 years experience running Linux servers. And I find SELinux
Ditto, and that's also Solaris and Tru-64.
>> damn annoying. I can work with it at need - but I'm generally pissed off when I find 'yet another SELinux issue'. My boss, who is the fallback admin here, would find it utterly opaque. He would have no idea where to even start looking for an SELinux issue.
Yup. <snip>
> I am not arguing that SELinux is easy, I am arguing that it is not rocket science. I have worked for several years to try to make
If rocket science means very difficult and obscure, yes, it is.
> SELinux easier to use, while making it more comprehensive and adding tools like svirt and sandbox to give administrators more tools to secure their systems. We have fixed thousands of bugs in policy and applications that were acting badly, so I have seen the problems people have had with SELinux. I am encouraged by the number of people who have worked with SELinux and continue to leave SELinux enabled by default. But I understand why SELinux is disabled on some machines.
<snip> What have you done for folks who have third-party software, either F/OSS or COTS, or in-house developed stuff, *none* of which was written with selinux in mind, and is *not* going to be rewritten any time soon? You've seen me on the selinux list, and I have yet to figure out why I see the complaints about contexts, since they *appear* to be temp files, and I don't know where they're located, or where the CGI scripts that create them are, and *all* of it's got the added complexity that some of that is on NFS-mounted directories.
mark
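The "correcting the labeling" step Dan Walsh refers to for files in non-default directories is the part that usually trips people up, so here is an added example (not code from the thread or from the SELinux project) that walks through it offline. It assumes libselinux's matching rule that the last file_contexts entry whose anchored regex matches a path wins, which is why local rules added with `semanage fcontext -a` override the base policy. The rules, the `ls -Z` listing and the `/srv/webapp` layout are constructed; the `httpd_sys_*` types are real policy types. The script reports what `restorecon -nv` would flag, builds the `semanage fcontext` / `restorecon` commands that make the fix persistent, and confirms that after relabeling nothing is left mismatched. Files on an NFS mount are a separate case the script does not cover: an NFS mount carries one label for the whole export (set with the `context=` mount option), so file_contexts rules do not apply there.

```python
"""Offline check of SELinux file labels against file_contexts-style rules.

Added example, not the thread's or the SELinux project's code. It mimics what
`restorecon -nv` reports for a non-default directory and shows the
`semanage fcontext` rules that fix the labeling permanently.
"""
import re

# Constructed file_contexts-style rules: (path regex, SELinux type).
# Real lines look like "/var/www(/.*)?  system_u:object_r:httpd_sys_content_t:s0";
# only the type field matters here. Order matters: as in libselinux, the LAST
# matching rule wins, which is how `semanage fcontext -a` rules (appended to
# file_contexts.local) override the base policy.
BASE_RULES = [
    (r"/.*", "default_t"),
    (r"/srv(/.*)?", "var_t"),
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
]

# Constructed `ls -Z`-style listing ("context path"): the admin copied a web
# app from a home directory into /srv/webapp, so those files kept user_home_t.
LISTING = """
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /srv/webapp/index.html
unconfined_u:object_r:user_home_t:s0 /srv/webapp/cgi-bin/upload.cgi
system_u:object_r:var_t:s0 /srv/webapp/data/uploads.db
"""

# Labels the non-default tree should carry (hypothetical admin decision):
# static content, CGI scripts, and a directory httpd is allowed to write to.
LOCAL_FIXES = [
    ("/srv/webapp", "httpd_sys_content_t"),
    ("/srv/webapp/cgi-bin", "httpd_sys_script_exec_t"),
    ("/srv/webapp/data", "httpd_sys_rw_content_t"),
]


def expected_type(path, rules):
    """Type the policy assigns to path: the last rule whose regex matches it."""
    matched = None
    for pattern, setype in rules:
        if re.fullmatch(pattern, path):  # file_contexts regexes are anchored
            matched = setype
    return matched


def parse_listing(text):
    """Turn `ls -Z` lines into (path, current_type); type is the 3rd context field."""
    entries = []
    for line in text.strip().splitlines():
        context, path = line.split()
        entries.append((path, context.split(":")[2]))
    return entries


def find_mislabeled(entries, rules):
    """What `restorecon -nv` would report: (path, current, expected) per mismatch."""
    return [
        (path, current, expected_type(path, rules))
        for path, current in entries
        if current != expected_type(path, rules)
    ]


def plan_fix(fixes):
    """Persistent fix for non-default directories: the semanage rules to add and
    the restorecon run that applies them. Returns (shell commands, new rules).
    Directories here contain no regex metacharacters, so they are not escaped."""
    commands, rules = [], []
    for directory, setype in fixes:
        pattern = f"{directory}(/.*)?"  # the directory and everything below it
        commands.append(f"semanage fcontext -a -t {setype} '{pattern}'")
        rules.append((pattern, setype))
    top = min((d for d, _ in fixes), key=len)  # shortest path = top of the tree
    commands.append(f"restorecon -Rv {top}")
    return commands, rules


def relabel(entries, rules):
    """Simulate `restorecon -R`: every file ends up with its expected type."""
    return [(path, expected_type(path, rules)) for path, _ in entries]


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    for path, current, expected in find_mislabeled(entries, BASE_RULES):
        print(f"mislabeled: {path} is {current}, policy says {expected}")
    commands, local_rules = plan_fix(LOCAL_FIXES)
    print("\n".join(commands))
    full_rules = BASE_RULES + local_rules
    print("after relabel:", find_mislabeled(relabel(entries, full_rules), full_rules))
```

Two things the run makes visible: under the base policy alone the copied files are simply wrong (user_home_t where the policy expects var_t), and even a relabel to var_t would not let httpd read them; the real fix is the local rules, which is why `chcon` alone is not enough (it is undone by the next relabel, while `semanage fcontext` survives one).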