[CentOS] selinux: how to allow access?

Tue Mar 20 13:24:41 UTC 2018
hw <hw at gc-24.de>

On 03/20/2018 01:42 PM, Peter Kjellström wrote:
> On Tue, 20 Mar 2018 13:07:12 +0100
> hw <hw at gc-24.de> wrote:
> ...
>> So what do you really gain from selinux, and is that worthwhile all
>> the trouble and the hours spent to fix the problems it creates?  What
>> about the impact on performance?
> The main feature is that lots of software is indeed confined (even
> though your normal login or desktop remains unconfined).
> This is exactly what happens to exim in your case. It is exim_t not
> unconfined_t which means when/if it goes crazy (or is exploited) the
> damage can be limited.

which is what access rights are for

> For some people it's also useful that it provides the ability to define
> user types (see "semanage user --list").

How is this useful?  It makes things much more complicated and more 

It still doesn´t allow me as a user to make it so that a program I´m 
running can only access the files I want it to access.  Why isn´t that a 
common thing for users to do?  Gimp doesn´t need to have access to my 
emails and fvwm doesn´t need to access anything but it´s configuration, 
etc..  Since those are common things, why doesn´t selinux do it --- and 
in such a way that it is easy to manage?