On Mon, Nov 29, 2010 at 8:35 AM, Adam Tauno Williams awilliam@whitemice.org wrote:
Even if it is *possible*, the traditional UNIX permissions are a serious *PAIN*. If you want two users to have rw- to a file you... create a group of two users??? You end up with a zillion groups - which is pointless and unmaintainable. Thank goodness for ACL support and setfacl/getfacl. While that isn't SELinux the principal is the same - the tools should rise to match the practice, not the practice be mashed into the functionality of inferior tools.
Adding higher functionality means more cost in performance. This is information right down at the file system level, and UNIX ACL's are *cheap* computationally to administer.
If you need more, you can get into netgroups, or NFSv4 ACL's, or the like. But I don't recommend it. It's fairly unusual to wish to grant permissions to only two users, at least in industry. SELinux, well, it's taking the controls out of band in fascinating ways.
I was a disable-selinux guy because it seemed like a black box. But I saw ke4qqq present at Ohio LINUX on SELinux and now I'm a believer; it doesn't take much effort and SELinux really is understandable. http://www.whitemiceconsulting.com/2010/09/ohio-linuxfest-2010.html SELinux can even generate the required policies for you! It is an impressively well thought out tool and as indispensable as iptables.
Which many sites simply do not use, preferring to leave their servers open internally and rely on external firewalls. I'm not saying this is ideal, but it remains a pretty common approach.