[CentOS] SELinux - way of the future or good idea but !!!

Tue Dec 7 17:46:11 UTC 2010
m.roth at 5-cent.us <m.roth at 5-cent.us>

Daniel J Walsh wrote:
> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>>
>>> Yes SELinux and all MAC systems require that if the administrator puts
>>> files in non default directories, then they have to be told.
>>> In the case of SELinux, this involves correcting the labeling.  DAC has
<snip>
>>> I wrote this paper to try to explain what SELinux tends to complain
>>> about.
>>>
>>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>>
>> The fact remains that as the old saw goes: Make it hard enough to do
>> something and people will quit doing it.
>>
>> SELinux remains *hard* for most non-default users. As the lead SE
<snip>
>> I have 15 years experience running Linux servers. And I find SELinux

Ditto, and that's also Solaris and Tru-64.

>> damn annoying. I can work with it at need - but I'm generally pissed off
>> when I find 'yet another SELinux issue'. My boss, who is the fallback
>> admin here, would find it utterly opaque. He would have no idea where to
>> even start looking for an SELinux issue.

Yup.
<snip>
> I am not arguing that SELinux is easy, I am arguing that it is not
> rocket science.  I have worked for several years to try to make

If rocket science means very difficult and obscure, yes, it is.

> SELinux easier to use, while making it more comprehensive and adding
> tools like svirt and sandbox to give administrators more tools to secure
> their systems.  We have fixed thousands of bugs in policy and
> applications that were acting bad, so I have seen the problems people
> have had with SELinux, I am encouraged by the number of people who have
> worked with SELinux and continue to leave SELinux enabled by default.
> But I understand why SELinux is disabled on some machines.
<snip>
What have you done for folks who have third-party software, either F/OSS
or COTS, or in-house developed stuff, *none* of which was written with
selinux in mind, and is *not* going to be rewritten any time soon? You've
seen me on the selinux list, and I have yet to figure out why I see the
complaints about contexts, since they *appear* to be temp files, and I
don't know where they're located, or where the CGI scripts that create
them are, and *all* of it's got the added complexity that some of those are
on NFS-mounted directories.

         mark
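As an added example, not part of the thread or of Dan Walsh's paper: a small Python helper that reads AVC denials of the kind mark describes, names the process, the file and the two labels, flags the generic types that mean a file is sitting outside its default directory, and emits the semanage/restorecon pair that corrects the labeling. The sample audit record, the /srv/cgi-tmp path and the choice of httpd_sys_rw_content_t are constructed for the illustration.

```python
import re
from typing import List, Optional

# One record per denial, in the audit.log format of the CentOS 5/6 era.
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Labels that mean "policy has no specific rule for this file": the usual
# result of an admin putting data somewhere the policy does not expect it.
GENERIC_TYPES = {"default_t", "file_t", "unlabeled_t"}

def parse_avc(line: str) -> Optional[dict]:
    """Turn one AVC line into a dict of its fields; None for lines that are not AVC records."""
    m = _AVC_RE.search(line)
    if "type=AVC" not in line or not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):  # user:role:type[:level] -> type
        rec[ctx + "_type"] = rec.get(ctx, "::?").split(":")[2]
    return rec

def explain(rec: dict) -> str:
    """Say who was denied what, where, and whether the target label points at a relabel."""
    where = rec.get("path") or rec.get("name") or "?"
    text = (f'{rec.get("comm", "?")} (pid {rec.get("pid", "?")}, {rec["scontext_type"]}) '
            f'denied {"/".join(rec["perms"])} on {rec.get("tclass", "?")} {where} '
            f'labeled {rec["tcontext_type"]}')
    if rec["tcontext_type"] in GENERIC_TYPES:
        text += "; generic label, file likely lives outside its default directory: relabel"
    elif rec["tcontext_type"] == "nfs_t":
        text += "; target is on NFS, so the fix is the domain's NFS boolean, not a relabel"
    return text

def relabel_commands(directory: str, setype: str) -> List[str]:
    """Persistent fcontext rule for a non-default directory plus the restorecon that applies it."""
    d = directory.rstrip("/")
    return [f'semanage fcontext -a -t {setype} "{d}(/.*)?"', f"restorecon -Rv {d}"]

if __name__ == "__main__":
    # Constructed sample records, not taken from a real system.
    SAMPLE = [
        'type=AVC msg=audit(1291742771.123:456): avc:  denied  { write } for  pid=2231 comm="httpd" '
        'name="sess_a1b2" dev=dm-0 ino=9981 scontext=unconfined_u:system_r:httpd_t:s0 '
        'tcontext=unconfined_u:object_r:default_t:s0 tclass=file',
        'type=SYSCALL msg=audit(1291742771.123:456): arch=c000003e syscall=2 success=no exit=-13',
    ]
    for rec in filter(None, map(parse_avc, SAMPLE)):
        print(explain(rec))
    print("\n".join(relabel_commands("/srv/cgi-tmp", "httpd_sys_rw_content_t")))
```

Running it against a real box is `ausearch -m avc` piped line by line into parse_avc; the NFS branch matters for the mounts mark mentions, where relabeling the export changes nothing.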