On 12/07/2010 12:46 PM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>>>
>>>> Yes, SELinux and all MAC systems require that if the administrator puts
>>>> files in non-default directories, then they have to be told.
>>>> In the case of SELinux, this involves correcting the labeling. DAC has
> <snip>
>>>> I wrote this paper to try to explain what SELinux tends to complain
>>>> about.
>>>>
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>>>
>>> The fact remains that, as the old saw goes: make it hard enough to do
>>> something and people will quit doing it.
>>>
>>> SELinux remains *hard* for most non-default users. As the lead SE
> <snip>
>>> I have 15 years' experience running Linux servers. And I find SELinux
>
> Ditto, and that's also Solaris and Tru-64.
>
>>> damn annoying. I can work with it at need - but I'm generally pissed off
>>> when I find 'yet another SELinux issue'. My boss, who is the fallback
>>> admin here, would find it utterly opaque. He would have no idea where to
>>> even start looking for an SELinux issue.
>
> Yup.
> <snip>
>> I am not arguing that SELinux is easy, I am arguing that it is not
>> rocket science. I have worked for several years to try to make
>
> If rocket science means very difficult and obscure, yes, it is.
>
>> SELinux easier to use, while making it more comprehensive and adding
>> tools like svirt and sandbox to give administrators more tools to secure
>> their systems. We have fixed thousands of bugs in policy and
>> applications that were acting badly, so I have seen the problems people
>> have had with SELinux. I am encouraged by the number of people who have
>> worked with SELinux and continue to leave SELinux enabled by default.
>> But I understand why SELinux is disabled on some machines.
> <snip>
> What have you done for folks who have third-party software, either F/OSS
> or COTS, or in-house developed stuff, *none* of which was written with
> SELinux in mind, and is *not* going to be rewritten any time soon? You've
> seen me on the selinux list, and I have yet to figure out why I see the
> complaints about contexts, since they *appear* to be temp files, and I
> don't know where they're located, or where the CGI scripts that create
> them are, and *all* of it's got the added complexity that some of that is
> on NFS-mounted directories.
>
> mark
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

We have attempted to work with them, set up default labeling for them when
we know about the problems, and embarrass them when they say you need to
disable SELinux. Red Hat is working on new developer tools to help
third-party developers work on RHEL systems. I am not sure what else I can
do to get them to work with the security systems in place on RHEL.
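Added example, not code from the thread or from Red Hat's tools: the labeling problem Dan describes (files in non-default directories that SELinux was never told about) and the context complaints on temp files and NFS mounts that mark asks about both surface in audit.log as AVC denials. The script below parses a constructed audit.log excerpt, pulls the process domain and file label out of scontext/tcontext, turns the inode in the record into a find command (the AVC line names the inode, not the path, which is why the files are hard to locate), and proposes the fix as shell command strings. Type names (httpd_t, nfs_t, default_t, httpd_sys_rw_content_t) and the httpd_use_nfs boolean are from the RHEL 6 targeted policy; the MISLABELED_TYPES heuristic and the default target_type are this example's assumptions, and the administrator has to confirm the type is right for their application.

```python
"""Parse SELinux AVC denials from audit.log and propose a labeling fix.

Added example for this thread, not code from the thread or from Red Hat.
The audit.log excerpt is constructed. Type names (httpd_t, nfs_t,
default_t, httpd_sys_rw_content_t) and the httpd_use_nfs boolean come
from the RHEL 6 targeted policy; the target type passed to suggest_fix
is an assumption the administrator has to confirm for their application.
"""
import re
from dataclasses import dataclass

# Constructed sample: three audit records, two of them AVC denials.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291740000.123:4567): avc:  denied  { write } for  pid=2345 comm="httpd" name="session.tmp" dev=sda2 ino=98765 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1291740001.456:4568): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.cgi" dev=0:21 ino=31337 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1291740001.456:4568): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target labels that usually mean "nobody ever told SELinux about this
# directory": the file was created or copied somewhere the default
# file-context rules do not cover.  Heuristic of this example, not policy.
MISLABELED_TYPES = {"default_t", "unlabeled_t", "user_home_t", "admin_home_t"}


@dataclass
class Denial:
    perms: tuple
    fields: dict

    @property
    def source_type(self) -> str:
        # scontext=user:role:type:level -> the process domain
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        # tcontext=user:role:type:level -> the file label
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line: str):
    """Return a Denial for a type=AVC denial record, else None."""
    if not line.startswith("type=AVC"):
        return None
    m = DENIED_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group(1).split())
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return Denial(perms, fields)


def parse_log(text: str):
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d]


def locate_command(d: Denial) -> str:
    """The AVC record names the inode, not the path; this finds the file."""
    return f"find / -inum {d.fields['ino']} -name '{d.fields['name']}' 2>/dev/null"


def suggest_fix(d: Denial, directory: str, target_type: str = "httpd_sys_rw_content_t"):
    """Shell commands (returned as strings, not run) that address the denial.

    directory: where the administrator keeps the files (see locate_command).
    target_type: assumed default; pick the type the service is allowed to use.
    """
    if d.source_type == "httpd_t" and d.target_type == "nfs_t":
        # NFS exports carry nfs_t; httpd may use them once the boolean is on.
        return ["setsebool -P httpd_use_nfs on"]
    if d.target_type in MISLABELED_TYPES:
        # Persist the rule first: restorecon alone is undone by the next
        # full relabel, because the default rules still say default_t.
        return [
            f"semanage fcontext -a -t {target_type} '{directory}(/.*)?'",
            f"restorecon -Rv {directory}",
        ]
    # Not a labeling problem by this heuristic; let audit2allow explain it.
    return ["ausearch -m avc -ts recent | audit2allow -w"]


if __name__ == "__main__":
    for d in parse_log(SAMPLE_AUDIT_LOG):
        print(f"{d.fields['comm']} ({d.source_type}) denied {' '.join(d.perms)} "
              f"on {d.fields['name']} labeled {d.target_type}")
        print("  locate:", locate_command(d))
        for cmd in suggest_fix(d, "/srv/app/tmp"):
            print("  fix:   ", cmd)
```

Run it against a real /var/log/audit/audit.log (or the output of `ausearch -m avc`) after replacing SAMPLE_AUDIT_LOG; the first record is the classic "temp file in a directory the policy never heard of" case, the second is the NFS case, where the mount itself carries nfs_t and the answer is a boolean (or a `context=` mount option) rather than a relabel.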