[CentOS] SELinux - way of the future or good idea but !!!

Tue Dec 7 16:59:22 UTC 2010
Benjamin Franz <jfranz at freerun.com>

On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>
> Yes SELinux and all MAC systems require that if the administrator puts
> files in non default directories, then they have to be told.  In
> the case of SELinux, this involves correcting the labeling.  DAC has
> similar problems, in that you need to make sure the permission flags and
> ownership is correct.  Of course admins have been dealing with DAC for
> years so they understand it, and the number of UID/Permission
> combinations is more limited than the amounts of labels that SELinux
> presents.
>
> I wrote this paper to try to explain what SELinux tends to complain about.
>
> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

The fact remains that as the old saw goes: Make it hard enough to do 
something and people will quit doing it.

SELinux remains *hard* for most non-default users. As the lead SE 
developer, things you find utterly routine and only slightly annoying 
are major roadblocks to many other people. You aren't the average user. 
You aren't even close to one. A *sophisticated* user will see the 
suggestion given by sealert to run chcon, follow it, *and have no idea 
that a system relabel can screw it up again*. sealert doesn't even 
mention the issue! It is as if the person who wrote the sealert messages 
never considered that people would like things fixed permanently rather 
than just until the next SELinux update relabels the system.

I have 15 years experience running Linux servers. And I find SELinux 
damn annoying. I can work with it at need - but I'm generally pissed off 
when I find 'yet another SELinux issue'. My boss, who is the fallback 
admin here, would find it utterly opaque. He would have no idea where to 
even start looking for an SELinux issue.

The issue is similar to that of using passwords of more than 10 
characters composed of random mixed-case alphanumeric characters 
(ideally with special characters mixed in). Yes - they are provably more 
secure in a technical sense than virtually any easily remembered system. 
However *real people* have to use the passwords. And they will put the 
damn things on taped notes on the bottom of their laptop if you make 
them too hard (not conjectural - I've caught people here doing exactly 
that).

BTW: You have a typographical error on your semanage example. You don't 
have a closing ' character on the file_spec.

-- 
Benjamin Franz
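An added illustration of the chcon versus relabel point raised above (example script, not part of the thread or of Daniel Walsh's paper): chcon only rewrites the label on the inode, so the next relabel from the policy's file-context database undoes it, whereas a semanage fcontext rule lives in that database and restorecon applies it. The path /srv/www and the type httpd_sys_content_t are constructed samples; the script assumes policycoreutils (semanage) is installed and that it is run as root.

```shell
#!/bin/sh
# Added example, not from the original post. Makes a label change survive a
# relabel by recording it with semanage fcontext instead of relying on chcon.
# Assumes policycoreutils is installed and the script runs as root.

# Build the file_spec regex that semanage expects for a directory tree:
# escape regex metacharacters in the path, then append (/.*)? so the rule
# matches the directory itself and everything below it.
fcontext_spec() {
    dir=${1%/}                                   # drop a trailing slash
    esc=$(printf '%s' "$dir" | sed 's/[][\.*^$+?(){}|]/\\&/g')
    printf '%s(/.*)?' "$esc"
}

# Record the rule in the policy database and apply it to the existing files.
# Returns 0 on success, 2 if semanage is not installed, 1 on any other failure.
persist_label() {
    type=$1
    dir=$2
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 2; }
    spec=$(fcontext_spec "$dir")
    # The file_spec must be quoted as one argument (note the closing quote,
    # which the paper's example was said to be missing).
    semanage fcontext -a -t "$type" "$spec" || return 1
    # restorecon reads the rule back from the database and relabels the tree;
    # later relabels (restorecon, fixfiles, /.autorelabel) keep the result.
    restorecon -Rv "$dir"
}

# Temporary fix, as sealert suggests: lost on the next relabel.
#   chcon -R -t httpd_sys_content_t /srv/www
# Permanent fix: rule recorded, then applied.
#   persist_label httpd_sys_content_t /srv/www
# Verify what the policy now says the label should be:
#   matchpathcon /srv/www/index.html
```

Run `persist_label TYPE DIR` for each non-default location; `semanage fcontext -l | grep DIR` lists the rules that were recorded.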