[CentOS] SELinux and access across 'similar types'

Tue Jan 10 21:38:27 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

2012/1/10 夜神 岩男 <supergiantpotato at yahoo.co.jp>:
>
> But the difficult thing about SELinux isn't how it works, it's the detail
> required for each policy to wrap each program up correctly without
> denying useful functionality in the process, not to mention deploying
> them with packages, and dealing with the whole new universe of
> inaccurate bug reports SELinux has spawned...
>
> *That* is very hard -- and that is what Red Hat has been so good about
> over the last while.

But the hardest part is that these things are application specific and
there is no standardization for locations where applications do
things.  In fact, distributions intentionally move those locations
around in their packaging.

> In the process Fedora has spawned a slew of new
> tools to make SELinux policy easier to deal with -- and in the process
> of doing that Fedora acquired/affirmed its reputation for eating babies.

That reputation is well deserved.  Would it not have made sense to
have the needed diagnostic tools before shipping the thing that needs
it?

> Honestly, though, at this point the tools really are there. A packager
> that wants to publish an SELinux policy with his package finds it easy
> if the tools are understood -- what is really lacking now is just a very
> public, beginner-friendly introduction to the core concepts of SELinux
> which includes a nice intro to the somewhat arbitrary jargon that
> surrounds access policy concepts.

And wouldn't it have been a good idea to have the documentation before
turning on something non-standard that breaks things?

> Minds are very slowly changing and I am beginning to see a lot more
> functionality in non-Fedora-derived distros, but it takes a long time to
> turn the tide of several years' worth of mailing archive, newsgroup, blog
> and forum advice *against* learning SELinux and turning it off instead
> -- and of course the biggest problem with that advice for those new to
> SELinux is that often it produces instant gratification.

Yeah, the whole idea seems like what a car company would have to do to
come back after selling a model that gets a lot of publicity for
crashing and burning.  The earlier opinions weren't wrong, after all.

-- 
 Les Mikesell
   lesmikesell at gmail.com