[CentOS] SELinux - way of the future or good idea but !!!

Lamar Owen lowen at pari.edu
Tue Nov 30 17:54:24 UTC 2010

On Tuesday, November 30, 2010 11:38:24 am m.roth at 5-cent.us wrote:
> Lamar Owen wrote:
> > 2.) Be able to tell my os 'PDF reader can only do X to these files, and no
> > others.  Browser cannot read ~/Documents, and can only write in
> > ~/.mozilla.  Flash plugin cannot write anywhere without specific user
> > permission and can only read those files it requires to work.'
> Gag! And suppose you d/l a pdf, or an html of a manual, or the company
> holiday party flyer, or the meeting announcement - the way you describe it,
> above, I can't look at them.

Valid point; I'd just want to tune my policy.  The biggest lack I see right now is a simple interface to the policy settings, but it is getting better each iteration.

> Sorry, but I think selinux is a side pathway that leads to an unnavigable
> swamp. And training folks - you need a number of folks *all* of whom can
> deal with that swamp.

You are certainly entitled to your opinion.

Swamps are buildable with ACLs, SELinux contexts, user permissions, and basically any other controls.  Well-groomed gardens are also buildable with these tools; at least the tools are available.  One should not avoid greenery entirely just because one has seen overgrown yards before.

> Unless, of course, you want to be so irreplaceable that they don't want
> you to ever take a vacation, and are on call 24x7x365.25.

For my own laptop? :-)  And why would I want to be on call 365 weeks a year?

No one is ever irreplaceable.  Least of all me.

Security concerns should be part and parcel of any application rollout, and it is irresponsible to ignore any of the myriad tools at hand to perform the task.
