Daniel J Walsh wrote:
> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>>
>>> Yes SELinux and all MAC systems require that if the administrator puts
>>> files in non default directories, then they have to be told.
>>> In the case of SELinux, this involves correcting the labeling. DAC has
<snip>
>>> I wrote this paper to try to explain what SELinux tends to complain
>>> about.
>>>
>>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>>
>> The fact remains that as the old saw goes: Make it hard enough to do
>> something and people will quit doing it.
>>
>> SELinux remains *hard* for most non-default users. As the lead SE
<snip>
>> I have 15 years experience running Linux servers. And I find SELinux

Ditto, and that's also Solaris and Tru-64.

>> damn annoying. I can work with it at need - but I'm generally pissed off
>> when I find 'yet another SELinux issue'. My boss, who is the fallback
>> admin here, would find it utterly opaque. He would have no idea where to
>> even start looking for an SELinux issue.

Yup.

<snip>
> I am not arguing that SELinux is easy, I am arguing that it is not
> rocket science. I have worked for several years to try to make

If rocket science means very difficult and obscure, yes, it is.

> SELinux easier to use, while making it more comprehensive and adding
> tools like svirt and sandbox to give administrators more tools to secure
> their systems. We have fixed thousands of bugs in policy and
> applications that were acting bad, so I have seen the problems people
> have had with SELinux, I am encouraged by the number of people who have
> worked with SELinux and continue to leave SELinux enabled by default.
> But I understand why SELinux is disabled on some machines.
<snip>

What have you done for folks who have third-party software, either F/OSS
or COTS, or in-house developed stuff, *none* of which was written with
selinux in mind, and is *not* going to be rewritten any time soon?

You've seen me on the selinux list, and I have yet to figure out why I
see the complaints about contexts, since they *appear* to be temp files,
and I don't know where they're located, or where the CGI scripts that
create them are, and *all* of it's got the added complexity that some of
those are on NFS-mounted directories.

mark
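Walsh's point above is that files placed in non-default directories keep whatever label they got at creation until the policy is told about them, and mark's complaint is about temp files and CGI scripts whose locations he does not know. The following is an added example, not code from this thread or from the SELinux project: it mimics the matching that `matchpathcon` / `restorecon -nv` perform, reading file_contexts-style rules (a constructed excerpt, with simplified last-match-wins semantics and the optional file-type field ignored) and comparing them against constructed `ls -Z`-style observations to list the files whose type label disagrees with policy.

```python
import re

# Constructed file_contexts-style entries (not a real policy excerpt). Format is
# "regex [file-type] context"; regexes are anchored at both ends. Later entries
# win, which is how rules added with "semanage fcontext -a" override defaults.
FILE_CONTEXTS = """
/.*                        system_u:object_r:default_t:s0
/tmp/.*                    system_u:object_r:tmp_t:s0
/var/www(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
/srv/app/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
/srv/app/tmp(/.*)?         system_u:object_r:httpd_sys_rw_content_t:s0
"""

# Constructed observations in the shape of "ls -Z" output: (path, current context).
OBSERVED = [
    ("/var/www/html/index.html",    "system_u:object_r:httpd_sys_content_t:s0"),
    ("/var/www/cgi-bin/form.cgi",   "system_u:object_r:httpd_sys_script_exec_t:s0"),
    ("/srv/app/cgi-bin/upload.cgi", "unconfined_u:object_r:default_t:s0"),
    ("/srv/app/tmp/sess_4f2a",      "unconfined_u:object_r:default_t:s0"),
    ("/tmp/sess_9c1e",              "unconfined_u:object_r:tmp_t:s0"),
]

def parse_file_contexts(text):
    """Return [(compiled_regex, context)] in file order, skipping blanks and comments."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        regex, context = fields[0], fields[-1]   # optional file-type field ignored
        specs.append((re.compile(regex), context))
    return specs

def expected_context(path, specs):
    """Last matching entry wins; None means no rule applies to the path."""
    for regex, context in reversed(specs):
        if regex.fullmatch(path):
            return context
    return None

def find_mislabeled(observed, specs):
    """Files whose *type* field differs from policy (as a default restorecon compares)."""
    report = []
    for path, current in observed:
        expected = expected_context(path, specs)
        if expected and current.split(":")[2] != expected.split(":")[2]:
            report.append((path, current, expected))
    return report
```

In the constructed data only the two files under /srv/app are reported: the CGI script and its session file were created in a directory the policy maps to httpd types, but they carry default_t, so httpd would be denied access until they are relabeled. The /tmp session file is not reported because its type already matches even though its SELinux user differs.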