Ned Slider wrote:
On 02/04/12 15:10, Lamar Owen wrote:
On Monday, April 02, 2012 08:51:46 AM Les Mikesell wrote:
Another statistic I'd like to see is how much admin time this costs on the average to learn and implement.
No more than proper firewalling techniques cost, really.
Has anyone really measured this?
<snip>
Are there training courses specifically to cover it? You might get an idea from the length and cost of the training if it covers all the quirks. These days most of the built-in stuff is pre-configured for someone's idea of working (apache not being able to send mail doesn't match my definition, though...), but any third-party or local additions to a targeted service will take time to set up.
A *lot* of time.
EL6 greatly improves the admin interface for SELinux with policycoreutils-gui as then all the booleans are quickly available (like the boolean that turns on or off httpd's ability to send e-mail (or connect to a network socket, etc)). The booleans (at least most of them) are in EL5, but the interface isn't nearly as well documented (I know, many would like a TUI with the click boxes; maybe one is out there, maybe not; I'm not allergic to a remote GUI being available on a server).
<snip> Except when there are bugs. For example, sealert has a significant problem that I've mentioned on the selinux list a number of times: for some AVCs, it does *not* catch and properly handle some errors which are unknown, and it falls through to assert that if I want to enable this, I need to set httpd_unified on... when it's been on, and has nothing to do with that.
mark
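The booleans Lamar refers to (httpd's ability to send mail, to open network sockets, and the httpd_unified one that sealert keeps recommending) can be audited from a shell without policycoreutils-gui. This is an added example, not code from the thread; httpd_can_sendmail and httpd_can_network_connect are the real boolean names for the behaviours described, and SAMPLE is constructed `getsebool -a` output so the script runs offline (on a real host, substitute `$(getsebool -a)`).

```shell
#!/bin/sh
# Audit httpd-related SELinux booleans from getsebool output and emit the
# persistent setsebool command needed to reach a wanted state.
# Added example; SAMPLE is constructed, not captured from a real system.

SAMPLE='httpd_can_network_connect --> off
httpd_can_sendmail --> off
httpd_unified --> on
httpd_enable_homedirs --> off
samba_enable_home_dirs --> off'

# Print "name state" for every httpd_* boolean in the given getsebool output.
httpd_booleans() {
    printf '%s\n' "$1" | awk '$1 ~ /^httpd_/ { print $1, $3 }'
}

# Print the state ("on"/"off") of one named boolean, or "unknown" if absent.
boolean_state() {
    state=$(printf '%s\n' "$1" | awk -v b="$2" '$1 == b { print $3 }')
    printf '%s\n' "${state:-unknown}"
}

# Emit the setsebool -P command that would set a boolean to the wanted state;
# print nothing when it is already there (so sealert's advice to enable
# httpd_unified, already on, would correctly yield no change).
toggle_cmd() {
    cur=$(boolean_state "$1" "$2")
    [ "$cur" = "$3" ] && return 0
    printf 'setsebool -P %s %s\n' "$2" "$3"
}

httpd_booleans "$SAMPLE"
toggle_cmd "$SAMPLE" httpd_can_sendmail on
toggle_cmd "$SAMPLE" httpd_unified on
```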