Re: selinux is a pain

On 09/20/2011 08:07 PM, Tom Horsley wrote:
> On Tue, 20 Sep 2011 19:37:04 +0800
> Ed Greshko wrote:
>
>> Other than the occasional need for a custom policy I've not had any problems.
> And did you perform an intensive security review of the source for the
> program requiring the custom policy to insure that it is in fact
> perfectly OK to allow whatever the heck selinux was disallowing?
> Or (as I suspect is far more likely :-) did you just say, "OK, I need
> to run this program, so I'll allow that."

I do not know what your definition of "intensive security review" is...
But, yes, a risk assessment was undertaken to determine why the sealert
was generated and the implications of generating a policy to allow the
program to run.  FWIW, I didn't do all the work personally in all
instances, but in at least one case the code was changed as opposed to
creating a custom policy.
 
> And, of course, the standard selinux policy files shipped with fedora
> have grown in the exact same fashion. The reason most folks don't
> have problems with selinux any longer is that all the quirks and
> foibles of all the programs shipped with fedora have gradually
> been added to the policy files, almost certainly without any
> of the intensive security reviews of the source which would make
> it marginally safe to allow those behaviors. (Because if the
> source had gone through that kind of review, they'd still be
> working on the 1st policy exception :-).

I don't know if the assertions that you've made in this paragraph are
true or not.  I'm inclined to take what you've said as either an opinion
or maybe an "educated" assumption.
>
> So basically, you can get a system which is every bit as secure
> as one running selinux by turning off selinux, and then you don't
> ever get bothered by the "occasional need" to write a custom
> policy, or get fooled into a sense of security because you
> have selinux turned on.

It seems you are advocating to "just turn it off"?



-- 
Even if you do learn to speak correct English, whom are you going to
speak it to? -- Clarence Darrow
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
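The kind of check the reply above describes (looking at why the denial happened and what an allow rule would grant before generating one), as an added example that is not code from the thread or from Fedora's SELinux tooling: a shell function that reduces AVC denial lines to the source type / target type / class / permission grants a custom policy built from them would add, and flags the ones that usually call for fixing the program or relabelling instead. The AVC lines are constructed, and the two watch-lists are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise what an "allow whatever
# was denied" custom policy would grant, so the grant can be assessed (or the
# program fixed) before the policy is built. The AVC lines are constructed.
SAMPLE_AVC='type=AVC msg=audit(1316520000.123:45): avc:  denied  { execmem } for  pid=1234 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=process
type=AVC msg=audit(1316520001.456:46): avc:  denied  { read write } for  pid=1234 comm="myapp" name="shadow" dev="sda1" ino=99 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1316520002.789:47): avc:  denied  { read } for  pid=1234 comm="myapp" name="myapp.conf" dev="sda1" ino=100 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Assumed watch-lists for illustration: permissions and target types whose
# grant usually means "fix the program or relabel the file", not "allow it".
RISKY_PERMS='execmem execmod execstack'
RISKY_TYPES='shadow_t passwd_file_t'

# summarise_avc: AVC lines on stdin -> one "src_type tgt_type class perm RISK|ok"
# line per denied permission (the triples an allow rule would be built from).
summarise_avc() {
    awk -v rp="$RISKY_PERMS" -v rt="$RISKY_TYPES" '
    # ctx_type: "scontext=user:role:type:level" -> "type"
    function ctx_type(s,  a, n) { sub(/^[a-z]+=/, "", s); n = split(s, a, ":"); return n >= 3 ? a[3] : s }
    BEGIN {
        n = split(rp, a, " "); for (i = 1; i <= n; i++) risky_perm[a[i]] = 1
        n = split(rt, a, " "); for (i = 1; i <= n; i++) risky_type[a[i]] = 1
    }
    /avc: +denied/ {
        # the permission set sits between "denied  { " and " }"
        perms = $0; sub(/.*denied +\{ */, "", perms); sub(/ *\}.*/, "", perms)
        src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        np = split(perms, p, " ")
        for (i = 1; i <= np; i++) {
            risk = ((p[i] in risky_perm) || (tgt in risky_type)) ? "RISK" : "ok"
            print src, tgt, cls, p[i], risk
        }
    }'
}

# count_risky: number of would-be grants flagged RISK in the sample (expect 3:
# execmem on the process, plus read and write on shadow_t).
count_risky() { printf '%s\n' "$SAMPLE_AVC" | summarise_avc | awk '/ RISK$/ { n++ } END { print n + 0 }'; }
```

Run against a real system with `grep avc /var/log/audit/audit.log | summarise_avc`; a line marked RISK is a denial to read up on before any policy module is generated from it.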
