[CentOS] SELinux and access across 'similar types'

Wed Jan 11 23:25:08 UTC 2012
Stephen Harris <lists at spuddy.org>

On Wed, Jan 11, 2012 at 01:49:29PM -0600, Les Mikesell wrote:
> On Wed, Jan 11, 2012 at 1:23 PM, Lamar Owen <lowen at pari.edu> wrote:
> > SELinux does not 'go out of its way' to 'break' anything; rather,
> > SELinux enforces a deny by default 'need to access' policy.
> 
> Yes, the breakage came from having someone who didn't understand the
> needs define that policy.

I think part of the problem is that Linux+SELinux is a _different platform_
to Linux without SELinux.

On any Unix or Linux system I can install apache, configure it so that
DocumentRoot is /mywebtree/htdocs, CGIs are in /mywebtree/cgi.  The CGI
can write to /myapp/tmpdir and so on.  And it will work the same way
on all of those platforms.  On Linux+SELinux, however, you need to do
additional work.  The platform needs to be configured to allow this
to work.

Developers need to target Linux+SELinux as if it was a new platform to
be supported.  

But what about the gazillions of apps that don't support that platform?
Either you disable SELinux or you have a large support overhead
(initial onboarding of app, verification that updates to app still work,
verification that OS updates don't break app, etc etc).

Is the additional security worth it?

Maybe.  Maybe not.  That's up to each individual to determine.

-- 

rgds
Stephen
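The "additional work" Stephen refers to, made concrete as an added example that is not part of the original message or thread: on a targeted-policy system, a web tree outside /var/www needs persistent file-context rules so that httpd may read the DocumentRoot, execute the CGI directory and write to the scratch directory, and CGI execution has to be switched on with a boolean. The script below only prints the commands (and can parse a context string from `ls -Z` to check the result); the paths are the placeholders from the message, the type names are the standard httpd types of the reference policy, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the SELinux labelling
# commands for a custom web tree. Nothing here is executed against the
# system; run the printed commands as root on the target host.

# Emit one persistent fcontext rule plus the relabel command for a directory.
# The "(/.*)?" suffix makes the rule cover the directory and everything below it.
label_rule() {
    dir=${1%/}      # strip a trailing slash so the pattern stays well-formed
    type=$2
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Full command set for the layout described in the message:
#   $1 DocumentRoot   -> httpd_sys_content_t      (read-only static content)
#   $2 CGI directory  -> httpd_sys_script_exec_t  (httpd may execute)
#   $3 writable dir   -> httpd_sys_rw_content_t   (httpd/CGI may write)
gen_httpd_fcontext() {
    label_rule "$1" httpd_sys_content_t
    label_rule "$2" httpd_sys_script_exec_t
    label_rule "$3" httpd_sys_rw_content_t
    # CGI execution is off by default; -P persists the boolean across reboots.
    printf 'setsebool -P httpd_enable_cgi on\n'
}

# Extract the type field from a context as printed by 'ls -Z', e.g.
# system_u:object_r:httpd_sys_content_t:s0 -> httpd_sys_content_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare the type actually on disk with the one we expect; returns 0 on match.
# Usage after relabelling: check_label "$(ls -Zd /mywebtree/htdocs | cut -d' ' -f1)" httpd_sys_content_t
check_label() {
    [ "$(context_type "$1")" = "$2" ]
}

# Only act when called with the three directories; sourcing prints nothing.
if [ "$#" -eq 3 ]; then
    gen_httpd_fcontext "$1" "$2" "$3"
fi
```

Invoked as `sh label-webtree.sh /mywebtree/htdocs /mywebtree/cgi /myapp/tmpdir` it prints the seven commands to review before running; using `semanage fcontext` rather than a bare `chcon` is what keeps the labels through a filesystem relabel or a package update, which is exactly the ongoing verification burden the message complains about.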