[CentOS] SELinux - way of the future or good idea but !!!

Mon Nov 29 13:35:26 UTC 2010
Adam Tauno Williams <awilliam at whitemice.org>

On Sun, 2010-11-28 at 23:42 +0000, Marko Vojinovic wrote: 
> On Sunday 28 November 2010 22:40:41 brett mm wrote:
> > > This is where, as a sysadmin, you need to invest just a little time and
> > > effort learning the system. Honestly, the vast majority of issues are
> > > trivial to solve if you just spend a few hours reading the docs/guides,
> > > and even if you really can't be bothered there are kind folks on this
> > > list (and others) that will likely solve your issues for you. How is
> > > that not worth the extra security SELinux affords?
> > In reality, I am not at all sure that a quantum leap in complexity
> > adds to security at all. Any proper use of old-school group
> > permissions can give as finely-grained a security policy as you would
> > like.
> No, you're wrong --- SELinux exists precisely because the old-school 
> permissions system is *not* fine-grained enough. That's why SELinux was 
> actually invented, to introduce a more fine-grained control over access.

+1

> I am lazy to search now, but I remember seeing a couple of typical counter-
> examples, where usual permissions system is completely incapable of 
> implementing the level of access control that SELinux gives you. 

Even if it is *possible*, the traditional UNIX permissions are a serious
*PAIN*.  If you want two users to have rw- to a file you...  create a
group of two users???  You end up with a zillion groups - which is
pointless and unmaintainable.  Thank goodness for ACL support and
setfacl/getfacl.  While that isn't SELinux the principle is the same -
the tools should rise to match the practice, not the practice be mashed
into the functionality of inferior tools.

I was a disable-selinux guy because it seemed like a black box.  But I
saw ke4qqq present at Ohio LINUX on SELinux and now I'm a believer; it
doesn't take much effort and SELinux really is understandable.
<http://www.whitemiceconsulting.com/2010/09/ohio-linuxfest-2010.html>
SELinux can even generate the required policies for you! It is an
impressively well thought out tool and as indispensable as iptables.

-- 
Adam Tauno Williams <awilliam at whitemice.org> LPIC-1, Novell CLA
<http://www.whitemiceconsulting.com>
OpenGroupware, Cyrus IMAPd, Postfix, OpenLDAP, Samba
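The setfacl/getfacl point above, worked through as an added shell example (this is not code from Adam's post or from the CentOS list): grant a second user rw- on a file with a POSIX ACL instead of creating a two-member group, then read the entries back. It assumes the acl userland (setfacl/getfacl) on an ACL-capable Linux filesystem; the user name "nobody" stands in for the second user and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Two users, one file, no group:
# keep the classic bits at 0600 for the owner and add a named-user ACL entry
# for the second user. Assumes setfacl/getfacl (Linux acl package) and a
# filesystem with ACL support; "nobody" is a placeholder for the second user.

# acl_grant_two_users FILE USER
# Grants USER rw- on FILE via ACL and prints the resulting ACL (getfacl).
# Exit status: 0 on success, 3 if ACLs cannot be used here, 1 on other error.
acl_grant_two_users() {
    f=$1
    other=$2
    command -v setfacl >/dev/null 2>&1 || return 3
    command -v getfacl >/dev/null 2>&1 || return 3
    id -u "$other" >/dev/null 2>&1 || return 3
    # Classic bits: owner rw-, group and other nothing.
    chmod 0600 "$f" || return 1
    # Named-user entry; setfacl recalculates the mask so the entry is effective.
    # Fails (EOPNOTSUPP) on filesystems without ACL support, hence status 3.
    setfacl -m "u:${other}:rw-" "$f" 2>/dev/null || return 3
    # -p keeps the absolute path in the "# file:" header line.
    getfacl -p "$f" 2>/dev/null || return 1
}

# Stand-alone demo: temp file, grant "nobody", show ls -l (note the "+").
demo() {
    f=$(mktemp) || return 1
    acl_grant_two_users "$f" nobody
    rc=$?
    ls -l "$f"   # a trailing "+" in the mode column marks a file with an ACL
    rm -f "$f"
    return $rc
}

demo
```

Expected entries in the getfacl output are `user::rw-` (owner), `user:nobody:rw-` (the named user), `group::---`, `mask::rw-` and `other::---`. If the second user needs only read, change `rw-` to `r--`; `setfacl -x u:nobody FILE` removes the entry again, and `getfacl` output can be fed back to `setfacl --restore` to copy the same ACL onto other files.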