[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 16:38:24 UTC 2010
m.roth at 5-cent.us <m.roth at 5-cent.us>

Lamar Owen wrote:
> On Monday, November 29, 2010 09:35:44 pm Les Mikesell wrote:
>> Not so much a problem - I'm just saying that you should do the simple
>> things that have always worked first, then add SELinux if you want.
<snip>
> Now, I want to ask, given the two alternatives:
> 1.) Set up another uid to run PDF, browser, flash, etc and either switch
> between them or use some display indirection/ forwarding complexity to not
> have to switch, or fire up a VMware resoure hog (I do use VMware; firing
> up a whole 'nother OS in a VM reduces the performance of host apps, no
> matter how I tune them) and use Unity to make it look seamless....
>
> or
>
> 2.) Be able to tell my os 'PDF reader can only do X to these files, and no
> others.  Browser cannot read ~/Documents, and can only write in
> ~/.mozilla.  Flash plugin cannot write anywhere without specific user
> permission and can only read those files it requires to work.'

Gag! And suppose you d/l a pdf, or an html of a manual, or the company
holiday party flyer, or the meeting announcement - the way you describe it,
above, I can't look at them.
<snip>
As I said, the whole arcane policy language, and it being for
*everything*... and you've said it's esp. for apache, and most of the
AVCs I see that I have problems even figuring out what it's complaining
about, have been related to apache and cgi, etc.

Sorry, but I think selinux is a side pathway that leads to an unnavigable
swamp. And training folks - you need a number of folks *all* of whom can
deal with that swamp.

Unless, of course, you want to be so irreplaceable that they don't want
you to ever take a vacation, and are on call 24x7x365.25.

         mark, been there without realizing it, done that, WON'T DO IT AGAIN
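Mark's point above that he cannot tell what most apache/CGI AVC messages are complaining about is the usual first hurdle. What follows is an added example, not part of the list thread: a short shell snippet that boils a raw audit.log AVC line down to the four fields policy actually keys on (source type, permission, object class, target type) and maps the two most common httpd cases to the boolean or relabel that clears them. The function names summarize_avc and avc_hint and the two sample log lines are mine (the lines are constructed to match the audit.log format, not real output); ausearch, audit2why, setsebool, semanage and restorecon are the real tools, and the booleans and file type named in the hints are the stock ones from the targeted policy.

```shell
#!/bin/sh
# Added example (not from the CentOS list thread): reduce SELinux AVC denials
# to the fields that decide what the policy is objecting to.
# SAMPLE_AVC is constructed to match the audit.log format; on a real box
# feed the function from:   ausearch -m AVC -ts recent | summarize_avc

# Constructed sample (not real log data): httpd reading a CGI that lives
# under a home directory, then httpd opening a TCP connection to MySQL.
SAMPLE_AVC='type=AVC msg=audit(1291134000.123:456): avc:  denied  { read open } for  pid=4321 comm="httpd" name="index.cgi" dev=sda1 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1291134000.456:457): avc:  denied  { name_connect } for  pid=4321 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Read AVC lines on stdin; print one line per denial:
#   <source type> -> <permissions> on <class>:<target type> (comm=<process>)
# The type (third colon-separated field of a context) is what policy rules
# key on; the user and role parts almost never explain a denial.
summarize_avc() {
  awk '
    /avc: *denied/ {
      perms = $0
      sub(/.*denied *[{] */, "", perms)   # keep text after "denied {"
      sub(/ *[}].*/, "", perms)           # drop "} for pid=..." onward
      src = tgt = cls = comm = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
      }
      printf "%s -> %s on %s:%s (comm=%s)\n", src, perms, cls, tgt, comm
    }'
}

# Map a (source type, target type, class) triple to the usual fix for the
# two httpd cases in the sample. Anything else: let audit2why explain it.
avc_hint() {
  case "$1:$2:$3" in
    httpd_t:user_home_t:file)
      echo "content labelled user_home_t: relabel it (semanage fcontext -a -t httpd_sys_content_t '/path(/.*)?' && restorecon -Rv /path) or setsebool -P httpd_enable_homedirs on" ;;
    httpd_t:mysqld_port_t:tcp_socket)
      echo "httpd talking to the MySQL port: setsebool -P httpd_can_network_connect_db on" ;;
    *)
      echo "no canned hint; run: ausearch -m AVC -ts recent | audit2why" ;;
  esac
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
avc_hint httpd_t user_home_t file
avc_hint httpd_t mysqld_port_t tcp_socket
```

The summary line is the thing to read before reaching for audit2allow: a denial of httpd_t on user_home_t almost always means the content is mislabelled rather than that the policy needs a new rule, and the relabel (or the boolean) is the fix that survives the next policy update, whereas a custom module built from audit2allow output just teaches the policy to allow whatever was happening at the time.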