On Tue, 20 Sep 2011 19:37:04 +0800 Ed Greshko wrote: > Other than the occasional need for a custom policy I've not had any problems. And did you perform an intensive security review of the source for the program requiring the custom policy to insure that it is in fact perfectly OK to allow whatever the heck selinux was disallowing? Or (as I suspect is far more likely :-) did you just say, "OK, I need to run this program, so I'll allow that." And, of course, the standard selinux policy files shipped with fedora have grown in the exact same fashion. The reason most folks don't have problems with selinux any longer is that all the quirks and foibles of all the programs shipped with fedora have gradually been added to the policy files, almost certainly without any of the intensive security reviews of the source which would make it marginally safe to allow those behaviors. (Because if the source had gone through that kind of review, they'd still be working on the 1st policy exception :-). So basically, you can get a system which is every bit as secure as one running selinux by turning off selinux, and then you don't ever get bothered by the "occasional need" to write a custom policy, or get fooled into a sense of security because you have selinux turned on. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
