[CentOS] SELinux - way of the future or good idea but !!!

Tue Dec 7 18:34:39 UTC 2010
Paul Heinlein <heinlein at madboa.com>

On Tue, 7 Dec 2010, m.roth at 5-cent.us wrote:

>> I am not arguing that SELinux is easy, I am arguing that it is not 
>> rocket science.  I have worked for several years to try to make
>
> If rocket science means very difficult and obscure, yes, it is.

I've got to cry "foul" here. "Difficult and obscure" can be applied to 
just about any *nix command-line utility (or Windows registry hack, or 
Mac OpenDirectory tweak, ...).

I don't consider SELinux any more difficult to understand and manage 
than other Linux security-related controls like iptables or extended 
ACLs. That isn't to say that my mother-in-law would take to it, but 
I'd expect any sysadmin on my IT staff to be able to learn it.

In that sense, it's certainly not rocket science.

Daniel's other point concerns increased usability.

I've been using SELinux for a while now -- not always successfully, 
and I certainly do NOT consider myself an expert -- and it's quite 
apparent to me that the folks at Red Hat have unquestionably made it 
easier to use over that time.

It's apparently quite difficult to write policies for some 
applications (*cough* Nagios) that want to do a ton of things -- and 
third-party or in-house apps have a different set of challenges -- but 
I can't imagine anyone claiming that there hasn't been marked progress 
in SELinux usability over the CentOS 4 -> 5 life cycles.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/