Re: SELinux - way of the future or good idea but !!!





On 12/07/2010 12:46 PM, m.roth@xxxxxxxxx wrote:
> Daniel J Walsh wrote:
>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>>>>
>>>> Yes, SELinux and all MAC systems require that if the administrator puts
>>>> files in non-default directories, then they have to be told.
>>>> In the case of SELinux, this involves correcting the labeling.  DAC has
> <snip>
>>>> I wrote this paper to try to explain what SELinux tends to complain
>>>> about.
>>>>
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>>>
>>> The fact remains that as the old saw goes: Make it hard enough to do
>>> something and people will quit doing it.
>>>
>>> SELinux remains *hard* for most non-default users. As the lead SE
> <snip>
>>> I have 15 years experience running Linux servers. And I find SELinux
> 
> Ditto, and that's also Solaris and Tru-64.
> 
>>> damn annoying. I can work with it at need - but I'm generally pissed off
>>> when I find 'yet another SELinux issue'. My boss, who is the fallback
>>> admin here, would find it utterly opaque. He would have no idea where to
>>> even start looking for an SELinux issue.
> 
> Yup.
> <snip>
>> I am not arguing that SELinux is easy; I am arguing that it is not
>> rocket science.  I have worked for several years to try to make
> 
> If rocket science means very difficult and obscure, yes, it is.
> 
>> SELinux easier to use, while making it more comprehensive and adding
>> tools like svirt and sandbox to give administrators more tools to secure
>> their systems.  We have fixed thousands of bugs in policy and
>> applications that were acting badly, so I have seen the problems people
>> have had with SELinux.  I am encouraged by the number of people who have
>> worked with SELinux and continue to leave SELinux enabled by default.
>> But I understand why SELinux is disabled on some machines.
> <snip>
> What have you done for folks who have third-party software, either F/OSS
> or COTS, or in-house developed stuff, *none* of which was written with
> SELinux in mind, and is *not* going to be rewritten any time soon? You've
> seen me on the selinux list, and I have yet to figure out why I see the
> complaints about contexts, since they *appear* to be temp files, and I
> don't know where they're located, or where the CGI scripts that create
> them are, and *all* of it's got the added complexity that some of them are
> on NFS-mounted directories.
> 
>          mark
> 

We have attempted to work with them, set up default labeling for them
when we know about the problems, and embarrass them when they say you need
to disable SELinux.  Red Hat is working on new developer tools to help
third party developers work on RHEL systems.  I am not sure what else I
can do to get them to work with the security systems in place on RHEL.
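The relabeling step Dan mentions above (telling SELinux about files an admin has put in a non-default directory), as an added example that is not from anyone in this thread: a small POSIX shell helper that records a persistent file-context rule with semanage fcontext, applies it with restorecon, and, for the NFS-mounted directories mark asks about, builds the mount command with a context= option, since NFS carries no per-file labels. The path /srv/webapp/tmp, the NFS export and the types used are assumed sample values; with DRY_RUN=1 the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the thread): persistently relabel a non-default
# directory so SELinux stops denying access to it. Sample path and types
# are assumed. DRY_RUN=1 prints the commands instead of running them, so
# the logic can be reviewed on a box without the SELinux tools installed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# relabel_dir DIR TYPE
# 1. record a file-context rule for DIR and everything under it; unlike a
#    one-off chcon, this survives a later restorecon or full relabel
# 2. apply the rule now with restorecon
relabel_dir() {
    dir=$1
    type=$2
    case "$dir" in
        /*) ;;
        *) echo "relabel_dir: need an absolute path, got '$dir'" >&2; return 1 ;;
    esac
    run semanage fcontext -a -t "$type" "${dir}(/.*)?" || return 1
    run restorecon -Rv "$dir"
}

# nfs_mount_cmd SERVER:/EXPORT MOUNTPOINT TYPE
# NFS has no on-disk SELinux labels, so the label for the whole mount is
# supplied with the context= mount option rather than with fcontext rules.
nfs_mount_cmd() {
    export_path=$1; mountpoint=$2; type=$3
    printf 'mount -t nfs -o context=system_u:object_r:%s:s0 %s %s\n' \
        "$type" "$export_path" "$mountpoint"
}

# Example usage (assumed: a web app keeps its CGI temp files under
# /srv/webapp/tmp and serves static data from an NFS export)
if [ "${DRY_RUN:-0}" = "1" ]; then
    relabel_dir /srv/webapp/tmp httpd_sys_rw_content_t
    nfs_mount_cmd nfs1:/export/webdata /srv/webdata httpd_sys_content_t
fi
```

To confirm a directory's current label against what policy expects before and after running it, compare `ls -Zd DIR` with `matchpathcon DIR`.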


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos