Lamar Owen wrote:
On Tuesday, November 30, 2010 11:38:24 am m.roth@5-cent.us wrote:
Lamar Owen wrote:
2.) Be able to tell my os 'PDF reader can only do X to these files, and no others. Browser cannot read ~/Documents, and can only write in ~/.mozilla. Flash plugin cannot write anywhere without specific user permission and can only read those files it requires to work.'
Gag! And suppose you d/l a pdf, or an html of a manual, or the company holiday party flyer, or the meeting annoucement - the way you describe it, above, I can't look at them.
Valid point; I'd just want to tune my policy. The biggest lack I see right now is a simple interface to the policy settings, but it is getting better each iteration.
Right - change *local* policy for every iteration.
Sorry, but I think selinux is a side pathway that leads to an unnavigable swamp. And training folks - you need a number of folks
*all* of whom can
deal with that swamp.
You are certainly entitled to your opinion.
Swamps are buildable with ACL's, SELinux contexts, user permissions, and basically any other controls. Well-groomed gardens are also buildable with these tools; at least the tools are available. One should not avoid greenery entirely just because one has seen overgrown yards before.
I'm talking about the real, outside world, *not* my own personal system. And for personal systems, even though it would protect a lot of folks, it would stop them from doing still more... and we're talking about folks who are *NOT* knowledgable.
Unless, of course, you want to be so irreplaceable that they don't want you to ever take a vacation, and are on call 24x7x365.25.
For my own laptop? :-) And why would I want to be on call 365 weeks a year?
As I said, I work in the real world with all this, and you seem to be arguing, based on your own personal experience that those of us in the workplace should do thus-and-so, and we're telling you what it's like in the trenches, and why we don't like selinux. <snip>
mark