[CentOS] SELinux - way of the future or good idea but !!!

Wed Dec 8 19:40:24 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 12/8/2010 12:55 PM, David Sommerseth wrote:
>> The real life situation is that iptables only works on linux and the way
>> it works is distribution-dependent.  So what you learn may lock you into
>> a platform that may not always be your best choice.
> Please educate me here.  I've been using Novell SuSE Linux,
> RHEL/CentOS/Fedora, Gentoo, Crux Linux, RootLinux, Slackware, Ubuntu and
> my N900's maemo5 which is Debian based and OpenWRT based routers ... and
> I have not seen iptables behave differently than expected on any of
> these ... I don't completely understand your argument.
> Some of these distros do indeed have their own additional tools, like
> YaST2, ufw, system-config-firewall, etc., etc. ... That will be different,
> but they all use iptables under the hood.  I'm not talking about the
> simplified iptables front-end, as that *is* expected to be different.

How many of those use the same commands to
start/stop/save-current-config?  Where do they keep the configs?  If
you deployed applications on all of them, how much time would it take to
train the operators that do the install and maintenance to deal with all
the variations?  What if you switch to Solaris or a *BSD version?  These
aren't so much an issue if you use separate hardware for firewalling as
when you run the host firewall on every device.

>> Does that mean you would not be comfortable moving your applications to
>> SUSE, Solaris, OS X, Windows, etc.?   I don't want that kind of lock-in.

> When it comes to Solaris, OS X and Windows, that is not comparable, as
> when you base your installations on Linux, you have already at that point
> limited yourself somewhat.

But most applications aren't, and shouldn't be, restricted to Linux.
Something in Java in particular is equally at home on about any OS.  And
most of our servers are not currently Linux.

>> Agreed - if it is as standard and cross-platform as Posix support you
>> will be able to depend on it without the associated side effect of being
>> locked to a particular OS distribution.
> First of all SELinux is written for Linux.  Or else it would probably
> have been called SEPosix.
> Second, iptables is a de-facto standard for Linux, just as pf is pretty
> much the standard firewalling on BSD.  Windows and Solaris got their own
> firewalling methods as well.  My point is, neither of them are any Posix
> standards ... would you prefer to not use any of these firewall
> implementations due to lack of cross-platform Posix support?

I think it is fine that non-standards-conforming things exist.  I just
like to avoid them as much as possible myself - and certainly to avoid
having them intimately intertwined with applications that would
otherwise be portable.

    Les Mikesell
     lesmikesell at gmail.com