[CentOS] SELinux - way of the future or good idea but !!!

Sun Nov 28 23:42:24 UTC 2010
Marko Vojinovic <vvmarko at gmail.com>

On Sunday 28 November 2010 22:40:41 brett mm wrote:
> > This is where, as a sysadmin, you need to invest just a little time and
> > effort learning the system. Honestly, the vast majority of issues are
> > trivial to solve if you just spend a few hours reading the docs/guides,
> > and even if you really can't be bothered there are kind folks on this
> > list (and others) that will likely solve your issues for you. How is
> > that not worth the extra security SELinux affords?
> 
> In reality, I am not at all sure that a quantum leap in complexity
> adds to security at all. Any proper use of old-school group
> permissions can give as finely-grained a security policy as you would
> like.

No, you're wrong --- SELinux exists precisely because the old-school 
permissions system is *not* fine-grained enough. That's why SELinux was 
actually invented, to introduce a more fine-grained control over access.

I am lazy to search now, but I remember seeing a couple of typical counter-
examples, where usual permissions system is completely incapable of 
implementing the level of access control that SELinux gives you. If you do a 
clever google search I am sure you can find some examples of this.

HTH, :-)
Marko