[CentOS] SELinux and access across 'similar types'

Tue Jan 10 20:52:02 UTC 2012
夜神 岩男 <supergiantpotato at yahoo.co.jp>

On 01/11/2012 05:04 AM, Les Mikesell wrote:
> On Tue, Jan 10, 2012 at 1:46 PM, Daniel J Walsh<dwalsh at redhat.com>  wrote:
>>
>>>> On Tue, Jan 10, 2012 at 7:47 AM, Daniel J Walsh
>>>>> <dwalsh at redhat.com>  wrote:
>>>>>>
>>>>>> Now if only more people used RHEL we could further enhance
>>>>>> the products.  :^)
>>>>>>
>>>>>
>>>>> Why isn't it accepted as more of a standard?
>>>>>
>>>> I don't understand the question.
>>>
>>> Why is it vendor-specific to RHEL?
>>>
>> I was talking Money not vendor specific. The question meant as a jab
>> was if more people used RHEL instead of Centos, we could pay more
>> developers.  I thought the @redhat.com would signify why I would want
>> that.  :^)
>
> OK, I can understand why you would want that.  I don't understand why
> you think anyone else would want even more nonstandard variations in
> linux distributions.   And if this isn't intended to be
> vendor-specific, why isn't it an independent upstream project or
> included in the kernel?

The logical code to SELinux isn't specific to RH, not by a long shot. 
(Of course, RH may wind up doing some way un-Unixy/very-vendor-specific 
things in the near future, but that has nothing to do with SELinux)
http://userspace.selinuxproject.org/trac
http://www.gentoo.org/proj/en/hardened/selinux/
https://wiki.ubuntu.com/SELinux
...

But the difficult thing about SELinux isn't how it works, its the detail 
required for each policy to wrap each program up correctly without 
denying useful functionality in the process, not to mention deploying 
them with packages, and dealing with the whole new universe of 
inaccurate bug reports SELinux has spawned...

*That* is very hard -- and that is what Red Hat has been so good about 
over the last while. In the process Fedora has spawned a slew of new 
tools to make SELinux policy easier to deal with -- and in the process 
of doing that Fedora acquired/affirmed its reputation for eating babies.

SElinux exists all over the place, and there are binaries for it in 
nearly every distro -- but nearly everyone has decided that "its too 
hard" so its just a set of accessory packages almost nobody installs, 
and if installed not activated, and if activated quickly de-activated 
(the #1 web server "fix your frustrations on the web" advice for noobs 
is still "disable SELinux, it sux").

Honestly, though, at this point the tools really are there. A packager 
that wants to publish an SELinux policy with his package finds it easy 
if the tools are understood -- what is really lacking now is just a very 
public, beginner-friendly introduction to the core concepts of SELinux 
which includes a nice intro to the somewhat arbitrary jargon that 
surrounds access policy concepts.

Minds are very slowly changing and I am beginning to see a lot more 
functionality in non-Fedora-derived distros, but it takes a long time to 
turn the tide several years' worth of mailing archive, newsgroup, blog 
and forum advice *against* learning SELinux and turning it off instead 
-- and of course the biggest problem with that advice for those new to 
SELinux is that often it produces instant gratification.