[CentOS] SELinux - way of the future or good idea but !!!
Adam Tauno Williams
awilliam at whitemice.org
Mon Nov 29 08:35:26 EST 2010
On Sun, 2010-11-28 at 23:42 +0000, Marko Vojinovic wrote:
> On Sunday 28 November 2010 22:40:41 brett mm wrote:
> > > This is where, as a sysadmin, you need to invest just a little time and
> > > effort learning the system. Honestly, the vast majority of issues are
> > > trivial to solve if you just spend a few hours reading the docs/guides,
> > > and even if you really can't be bothered there are kind folks on this
> > > list (and others) that will likely solve your issues for you. How is
> > > that not worth the extra security SELinux affords?
> > In reality, I am not at all sure that a quantum leap in complexity
> > adds to security at all. Any proper use of old-school group
> > permissions can give as finely-grained a security policy as you would
> > like.
> No, you're wrong --- SELinux exists precisely because the old-school
> permissions system is *not* fine-grained enough. That's why SELinux was
> actually invented, to introduce a more fine-grained control over access.
> I am too lazy to search now, but I remember seeing a couple of typical
> counter-examples, where the usual permissions system is completely incapable
> of implementing the level of access control that SELinux gives you.
Even if it is *possible*, the traditional UNIX permissions are a serious
*PAIN*. If you want two users to have rw- to a file you... create a
group of two users??? You end up with a zillion groups - which is
pointless and unmaintainable. Thank goodness for ACL support and
setfacl/getfacl. While that isn't SELinux the principle is the same -
the tools should rise to match the practice, not the practice be mashed
into the functionality of inferior tools.
I was a disable-selinux guy because it seemed like a black box. But I
saw ke4qqq present at Ohio LINUX on SELinux and now I'm a believer; it
doesn't take much effort and SELinux really is understandable.
SELinux can even generate the required policies for you! It is an
impressively well thought out tool and as indispensable as iptables.
Adam Tauno Williams <awilliam at whitemice.org> LPIC-1, Novell CLA
OpenGroupware, Cyrus IMAPd, Postfix, OpenLDAP, Samba