[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 05:02:43 UTC 2010
Nico Kadel-Garcia <nkadel at gmail.com>

On Mon, Nov 29, 2010 at 8:35 AM, Adam Tauno Williams
<awilliam at whitemice.org> wrote:

> Even if it is *possible*, the traditional UNIX permissions are a serious
> *PAIN*.  If you want two users to have rw- to a file you...  create a
> group of two users???  You end up with a zillion groups - which is
> pointless and unmaintainable.  Thank goodness for ACL support and
> setfacl/getfacl.  While that isn't SELinux the principal is the same -
> the tools should rise to match the practice, not the practice be mashed
> into the functionality of inferior tools.

Adding higher functionality means more cost in performance. This is
information right down at the file system level, and UNIX ACL's are
*cheap* computationally to administer.

If you need more, you can get into netgroups, or NFSv4 ACL's, or the
like. But I don't recommend it. It's fairly unusual to wish to grant
permissions to only two users, at least in industry. SELinux, well,
it's taking the controls out of band in fascinating ways.

> I was a disable-selinux guy because it seemed like a black box.  But I
> saw ke4qqq present at Ohio LINUX on SELinux and now I'm a believer; it
> doesn't take much effort and SELinux really is understandable.
> <http://www.whitemiceconsulting.com/2010/09/ohio-linuxfest-2010.html>
> SELinux can even generate the required policies for you! It is an
> impressively well thought out tool and as indispensable as iptables.

Which many sites simply do not use, preferring to leave their servers
open internally and rely on external firewalls. I'm not saying this is
ideal, but it remains a pretty common approach.