Ned Slider wrote:
> On 02/04/12 15:10, Lamar Owen wrote:
>> On Monday, April 02, 2012 08:51:46 AM Les Mikesell wrote:
>>> Another statistic I'd like to see is how much admin time this costs on
>>> the average to learn and implement.
>>
>> No more than proper firewalling techniques cost, really.
>>
>>> Has anyone really measured this?
<snip>
>>> Are there training courses specifically to cover it? You might get
>>> an idea from the length and cost of the training if it covers all the
>>> quirks. These days most of the built-in stuff is pre-configured for
>>> someone's idea of working (apache not being able to send mail doesn't
>>> match my definition, though...), but any third-party or local
>>> additions to a targeted service will take time to set up. A *lot* of time.
>>
>> EL6 greatly improves the admin interface for SELinux with
>> policycoreutils-gui as then all the booleans are quickly available (like
>> the boolean that turns on or off httpd's ability to send e-mail (or
>> connect to a network socket, etc)). The booleans (at least most of
>> them) are in EL5, but the interface isn't nearly as well documented (I
>> know, many would like a TUI with the click boxes; maybe one is out
>> there, maybe not; I'm not allergic to a remote GUI being available on a
>> server).
<snip>

Except when there are bugs. For example, sealert has a significant problem that I've mentioned on the selinux list a number of times: for some AVCs, it does *not* catch and properly handle some errors which are unknown, and it falls through to assert that if I want to enable this, I need to set httpd_unified on... when it's been on, and has nothing to do with that.

mark
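The thread refers to "the boolean that turns on or off httpd's ability to send e-mail" and to httpd_unified without showing how an administrator inspects such booleans from a shell. The script below is an added example, not part of the mailing-list thread: a read-only audit of the httpd_* SELinux booleans that works from `getsebool -a` output when the tool is present and from a constructed sample otherwise. The boolean names httpd_can_sendmail and httpd_can_network_connect are assumed to be the EL6 names for the behaviours the thread describes (the thread itself names only httpd_unified); the sample states are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the original thread): audit httpd-related SELinux
# booleans before deciding whether Apache may send mail or open sockets.

# Constructed sample of `getsebool -a` output, used when the real tool is
# absent so the script can run offline. States are made up for illustration.
SAMPLE_BOOLEANS='httpd_can_network_connect --> off
httpd_can_sendmail --> off
httpd_enable_homedirs --> off
httpd_unified --> on
samba_enable_home_dirs --> off'

# boolean_state NAME : read getsebool-style lines on stdin and print the
# state ("on" or "off") of the named boolean; prints nothing if unknown.
boolean_state() {
    awk -v name="$1" '$1 == name { print $3; exit }'
}

# enabled_httpd_booleans : from getsebool-style lines on stdin, print the
# httpd_* booleans that are currently "on" (the ones that widen what the
# web server may do and therefore deserve review).
enabled_httpd_booleans() {
    awk '$1 ~ /^httpd_/ && $3 == "on" { print $1 }'
}

# current_booleans : use the real getsebool when available, else the sample.
current_booleans() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool -a
    else
        printf '%s\n' "$SAMPLE_BOOLEANS"
    fi
}

# persist_command NAME STATE : print (do not run) the setsebool -P command
# that would make a change survive reboot, so the audit stays read-only.
persist_command() {
    printf 'setsebool -P %s %s\n' "$1" "$2"
}

# Usage: report the mail boolean and every enabled httpd_* boolean.
echo "httpd_can_sendmail is: $(current_booleans | boolean_state httpd_can_sendmail)"
echo "httpd_unified is:      $(current_booleans | boolean_state httpd_unified)"
echo "enabled httpd booleans:"
current_booleans | enabled_httpd_booleans
echo "to allow mail persistently you would run: $(persist_command httpd_can_sendmail on)"
```

When sealert points at a boolean that is already on, as the post describes, the `boolean_state` check is the quickest way to confirm the tool's advice against the actual policy state before acting on it; the raw denial is still in the audit log (`ausearch -m avc`) for a second opinion.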