[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 20:11:24 UTC 2010
Lamar Owen <lowen at pari.edu>

On Tuesday, November 30, 2010 01:55:11 pm m.roth at 5-cent.us wrote:
> Reality check time: selinux is a *tiny* portion of the entire Linux
> market, though growing. 

Reality check: IDC analysts have estimated Red Hat's share of the paid commercial Linux market as 62% [1], [2], with Red Hat estimating higher [3].  That's RHEL, which ships SELinux enabled, enforcing, targeted, by default.  And, this being the CentOS list, we're in a default SELinux enforcing/targeted userbase; SELinux is (in) 100% of the CentOS market, in other words.  If the comparison is Ubuntu, well, I'm not so sure it so dramatically overrides, especially on the server, and maybe not even on the desktop.

> However, there are a ton of apps out there, and
> almost no developers who have been earning their living as programmers,
> who have any knowledge of selinux. Case in point: something here,
> developed in-house over the last 10-12 years, lots of cgi. Another case:
> Computer Associates' SiteMinder, big bucks commercial product.

CA should know better, and if they are targeting RHEL commercially they should be supporting the default RHEL configuration.

From what I see, SELinux capability is more about packaging and is more in the policy than in the programs themselves; that is, there really shouldn't be any rewriting of apps required, just someone fingerprinting (using permissive mode and audit2allow) the application, and making a policy package for that application.

notes:
[1] http://blogs.computerworld.com/14884/who_really_has_the_most_linux_users
[2] http://news.cnet.com/8301-13505_3-10312978-16.html
[3] http://www.internetnews.com/bus-news/article.php/3842561/Red+Hat+Were+75+of+the+Paid+Linux+Market.htm