On 09/20/2011 08:07 PM, Tom Horsley wrote: > On Tue, 20 Sep 2011 19:37:04 +0800 > Ed Greshko wrote: > >> Other than the occasional need for a custom policy I've not had any problems. > And did you perform an intensive security review of the source for the > program requiring the custom policy to insure that it is in fact > perfectly OK to allow whatever the heck selinux was disallowing? > Or (as I suspect is far more likely :-) did you just say, "OK, I need > to run this program, so I'll allow that." I do not know what your definition of "intensive security review" is... But, yes a risk assessment were undertaken to determine why the sealert was generated and the implications of generating a policy to allow the program to run. FWIW, I didn't do all the work personally in all instances but in at least one case the code was changed as opposed to creating a custom policy. > And, of course, the standard selinux policy files shipped with fedora > have grown in the exact same fashion. The reason most folks don't > have problems with selinux any longer is that all the quirks and > foibles of all the programs shipped with fedora have gradually > been added to the policy files, almost certainly without any > of the intensive security reviews of the source which would make > it marginally safe to allow those behaviors. (Because if the > source had gone through that kind of review, they'd still be > working on the 1st policy exception :-). I don't know if the assertion that you've made in this paragraph are true or not. I'm inclined to take what you've said as either an opinion or maybe an "educated" assumption. > > So basically, you can get a system which is every bit as secure > as one running selinux by turning off selinux, and then you don't > ever get bothered by the "occasional need" to write a custom > policy, or get fooled into a sense of security because you > have selinux turned on. It seems you are advocating to "just turn it off".? -- Even if you do learn to speak correct English, whom are you going to speak it to? -- Clarence Darrow -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines