[CentOS] selinux: how to allow access?
hw
hw at gc-24.de
Tue Mar 20 13:24:41 UTC 2018
On 03/20/2018 01:42 PM, Peter Kjellström wrote:
> On Tue, 20 Mar 2018 13:07:12 +0100
> hw <hw at gc-24.de> wrote:
>
> ...
>> So what do you really gain from selinux, and is that worth all
>> the trouble and the hours spent to fix the problems it creates? What
>> about the impact on performance?
>
> The main feature is that lots of software is indeed confined (even
> though your normal login or desktop remains unconfined).
>
> This is exactly what happens to exim in your case. It is exim_t not
> unconfined_t which means when/if it goes crazy (or is exploited) the
> damage can be limited.
which is what access rights are for
> For some people it's also useful that it provides the ability to define
> user types (see "semanage user --list").
How is this useful? It makes things much more complicated and more
unmanageable.
It still doesn't allow me as a user to make it so that a program I'm
running can only access the files I want it to access. Why isn't that a
common thing for users to do? Gimp doesn't need to have access to my
emails and fvwm doesn't need to access anything but its configuration,
etc. Since those are common things, why doesn't selinux do it --- and
in such a way that it is easy to manage?
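The thread's point about exim running as exim_t rather than unconfined_t can be checked on any SELinux system by looking at the domain column of `ps -eZ`. The script below is an added example, not part of the thread or of any CentOS package: it takes `ps -eZ`-style lines (here a constructed sample, since the verifier has no SELinux), pulls the type out of each label, and reports the processes that run in an unconfined domain and therefore gain nothing from policy confinement. The `unconfined_service_t` domain is the one systemd uses for services with no policy module; it is listed alongside `unconfined_t` because both mean "no confinement".

```shell
#!/bin/sh
# Added example: report processes that run without SELinux confinement.
# Input format is that of `ps -eZ`: label pid tty time command.

# Constructed sample output (not captured from a real host). On a live
# CentOS system replace it with: ps -eZ | unconfined_processes
SAMPLE_PS='system_u:system_r:exim_t:s0 1234 ? 00:00:01 exim
system_u:system_r:unconfined_service_t:s0 1300 ? 00:00:00 myapp
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2000 pts/0 00:00:00 bash
system_u:system_r:httpd_t:s0 2100 ? 00:00:03 httpd'

# domain_of LABEL: print the SELinux type (third colon-separated field),
# e.g. exim_t from system_u:system_r:exim_t:s0. MLS ranges such as
# s0-s0:c0.c1023 also contain colons, but they come after the type.
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# unconfined_processes: read ps -eZ lines on stdin and print "pid command"
# for every process whose domain is unconfined_t or unconfined_service_t.
unconfined_processes() {
    while read -r label pid tty time cmd; do
        [ -z "$label" ] && continue
        case "$(domain_of "$label")" in
            unconfined_t|unconfined_service_t)
                printf '%s %s\n' "$pid" "$cmd" ;;
        esac
    done
}

# count_unconfined: number of unconfined processes in the input on stdin.
count_unconfined() {
    unconfined_processes | wc -l | tr -d ' '
}

# Run against the sample: exim and httpd are confined, so only
# myapp (unconfined_service_t) and the login shell (unconfined_t) appear.
printf '%s\n' "$SAMPLE_PS" | unconfined_processes
```

A service showing up in this list is the case the thread warns about: an exploit against it runs with whatever the DAC permissions of its uid allow, with no policy boundary on top. The fix is to run it in a confined domain (a shipped policy module or a custom one), after which `ps -eZ` shows a service-specific type such as exim_t.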