On Sun, 2010-11-28 at 23:42 +0000, Marko Vojinovic wrote: > On Sunday 28 November 2010 22:40:41 brett mm wrote: > > > This is where, as a sysadmin, you need to invest just a little time and > > > effort learning the system. Honestly, the vast majority of issues are > > > trivial to solve if you just spend a few hours reading the docs/guides, > > > and even if you really can't be bothered there are kind folks on this > > > list (and others) that will likely solve your issues for you. How is > > > that not worth the extra security SELinux affords? > > In reality, I am not at all sure that a quantum leap in complexity > > adds to security at all. Any proper use of old-school group > > permissions can give as finely-grained a security policy as you would > > like. > No, you're wrong --- SELinux exists precisely because the old-school > permissions system is *not* fine-grained enough. That's why SELinux was > actually invented, to introduce a more fine-grained control over access. +1 > I am lazy to search now, but I remember seeing a couple of typical counter- > examples, where usual permissions system is completely incapable of > implementing the level of access control that SELinux gives you. Even if it is *possible*, the traditional UNIX permissions are a serious *PAIN*. If you want two users to have rw- to a file you... create a group of two users??? You end up with a zillion groups - which is pointless and unmaintainable. Thank goodness for ACL support and setfacl/getfacl. While that isn't SELinux the principal is the same - the tools should rise to match the practice, not the practice be mashed into the functionality of inferior tools. I was a disable-selinux guy because it seemed like a black box. But I saw ke4qqq present at Ohio LINUX on SELinux and now I'm a believer; it doesn't take much effort and SELinux really is understandable. <http://www.whitemiceconsulting.com/2010/09/ohio-linuxfest-2010.html> SELinux can even generate the required policies for you! It is an impressively well thought out tool and as indispensable as iptables. -- Adam Tauno Williams <awilliam@xxxxxxxxxxxxx> LPIC-1, Novell CLA <http://www.whitemiceconsulting.com> OpenGroupware, Cyrus IMAPd, Postfix, OpenLDAP, Samba _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos