[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 18:22:53 UTC 2010
m.roth at 5-cent.us <m.roth at 5-cent.us>

Lamar Owen wrote:
> On Tuesday, November 30, 2010 11:38:24 am m.roth at 5-cent.us wrote:
>> Lamar Owen wrote:
>> > 2.) Be able to tell my os 'PDF reader can only do X to these files,
>> > and no others.  Browser cannot read ~/Documents, and can only write in
>> > ~/.mozilla.  Flash plugin cannot write anywhere without specific user
>> > permission and can only read those files it requires to work.'
>>
>> Gag! And suppose you d/l a pdf, or an html of a manual, or the company
>> holiday party flyer, or the meeting announcement - the way you describe
>> it, above, I can't look at them.
>
> Valid point; I'd just want to tune my policy.  The biggest lack I see
> right now is a simple interface to the policy settings, but it is getting
> better each iteration.

Right - change *local* policy for every iteration.
>
>> Sorry, but I think selinux is a side pathway that leads to an
>> unnavigable swamp. And training folks - you need a number of folks
>> *all* of whom can
>> deal with that swamp.
>
> You are certainly entitled to your opinion.
>
> Swamps are buildable with ACL's, SELinux contexts, user permissions, and
> basically any other controls.  Well-groomed gardens are also buildable
> with these tools; at least the tools are available.  One should not avoid
> greenery entirely just because one has seen overgrown yards before.

I'm talking about the real, outside world, *not* my own personal system.
And for personal systems, even though it would protect a lot of folks, it
would stop them from doing still more... and we're talking about folks who
are *NOT* knowledgeable.
>
>> Unless, of course, you want to be so irreplaceable that they don't want
>> you to ever take a vacation, and are on call 24x7x365.25.
>
> For my own laptop? :-)  And why would I want to be on call 365 weeks a
> year?

As I said, I work in the real world with all this, and you seem to be
arguing, based on your own personal experience that those of us in the
workplace should do thus-and-so, and we're telling you what it's like in
the trenches, and why we don't like selinux.
<snip>

          mark