On 03/20/2018 01:42 PM, Peter Kjellström wrote:
On Tue, 20 Mar 2018 13:07:12 +0100 hw hw@gc-24.de wrote:
...
So what do you really gain from selinux, and is that worthwhile all the trouble and the hours spent to fix the problems it creates? What about the impact on performance?
The main feature is that lots of software is indeed confined (even though your normal login or desktop remains unconfined).
This is exactly what happens to exim in your case. It is exim_t not unconfined_t which means when/if it goes crazy (or is exploited) the damage can be limited.
which is what access rights are for
For some people it's also useful that it provides the ability to define user types (see "semanage user --list").
How is this useful? It makes things much more complicated and more unmanageable.
It still doesn´t allow me as a user to make it so that a program I´m running can only access the files I want it to access. Why isn´t that a common thing for users to do? Gimp doesn´t need to have access to my emails and fvwm doesn´t need to access anything but it´s configuration, etc.. Since those are common things, why doesn´t selinux do it --- and in such a way that it is easy to manage?