[CentOS] SELinux and access across 'similar types'
supergiantpotato at yahoo.co.jp
Tue Jan 10 20:52:02 UTC 2012
On 01/11/2012 05:04 AM, Les Mikesell wrote:
> On Tue, Jan 10, 2012 at 1:46 PM, Daniel J Walsh<dwalsh at redhat.com> wrote:
>>>> On Tue, Jan 10, 2012 at 7:47 AM, Daniel J Walsh
>>>>> <dwalsh at redhat.com> wrote:
>>>>>> Now if only more people used RHEL we could further enhance
>>>>>> the products. :^)
>>>>> Why isn't it accepted as more of a standard?
>>>> I don't understand the question.
>>> Why is it vendor-specific to RHEL?
>> I was talking Money not vendor specific. The question meant as a jab
>> was if more people used RHEL instead of Centos, we could pay more
>> developers. I thought the @redhat.com would signify why I would want
>> that. :^)
> OK, I can understand why you would want that. I don't understand why
> you think anyone else would want even more nonstandard variations in
> linux distributions. And if this isn't intended to be
> vendor-specific, why isn't it an independent upstream project or
> included in the kernel?
The logical code to SELinux isn't specific to RH, not by a long shot.
(Of course, RH may wind up doing some way un-Unixy/very-vendor-specific
things in the near future, but that has nothing to do with SELinux)
But the difficult thing about SELinux isn't how it works, its the detail
required for each policy to wrap each program up correctly without
denying useful functionality in the process, not to mention deploying
them with packages, and dealing with the whole new universe of
inaccurate bug reports SELinux has spawned...
*That* is very hard -- and that is what Red Hat has been so good about
over the last while. In the process Fedora has spawned a slew of new
tools to make SELinux policy easier to deal with -- and in the process
of doing that Fedora acquired/affirmed its reputation for eating babies.
SElinux exists all over the place, and there are binaries for it in
nearly every distro -- but nearly everyone has decided that "its too
hard" so its just a set of accessory packages almost nobody installs,
and if installed not activated, and if activated quickly de-activated
(the #1 web server "fix your frustrations on the web" advice for noobs
is still "disable SELinux, it sux").
Honestly, though, at this point the tools really are there. A packager
that wants to publish an SELinux policy with his package finds it easy
if the tools are understood -- what is really lacking now is just a very
public, beginner-friendly introduction to the core concepts of SELinux
which includes a nice intro to the somewhat arbitrary jargon that
surrounds access policy concepts.
Minds are very slowly changing and I am beginning to see a lot more
functionality in non-Fedora-derived distros, but it takes a long time to
turn the tide several years' worth of mailing archive, newsgroup, blog
and forum advice *against* learning SELinux and turning it off instead
-- and of course the biggest problem with that advice for those new to
SELinux is that often it produces instant gratification.
More information about the CentOS