Re: SELinux and access across 'similar types'




On Wed, Jan 11, 2012 at 01:49:29PM -0600, Les Mikesell wrote:
> On Wed, Jan 11, 2012 at 1:23 PM, Lamar Owen <lowen@xxxxxxxx> wrote:
> > SELinux does not 'go out of its way' to 'break' anything; rather,
> > SELinux enforces a deny by default 'need to access' policy.
> 
> Yes, the breakage came from having someone who didn't understand the
> needs define that policy.

I think part of the problem is that Linux+SELinux is a _different platform_
to Linux without SELinux.

On any Unix or Linux system I can install apache, configure it so that
DocumentRoot is /mywebtree/htdocs, CGIs are in /mywebtree/cgi.  The CGI
can write to /myapp/tmpdir and so on.  And it will work the same way
on all of those platforms.  On Linux+SELinux, however, you need to do
additional work.  The platform needs to be configured to allow this
to work.

Developers need to target Linux+SELinux as if it was a new platform to
be supported.

But what about the gazillion of apps that don't support that platform?
Either you disable SELinux or you have a large support overhead
(initial onboarding of app, verification that updates to app still work,
verification that OS updates don't break app, etc etc).

Is the additional security worth it?

Maybe.  Maybe not.  That's up to each individual to determine.

-- 

rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
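The "additional work" the post refers to is, for the layout it describes, a set of persistent file-context rules plus a relabel. The script below is an added example written for this page; it is not code from the thread or from the CentOS project. It uses the post's own paths and assumes the standard targeted-policy types for Apache content (`httpd_sys_content_t`), CGI scripts (`httpd_sys_script_exec_t`) and writable data (`httpd_sys_rw_content_t`). It prints the rules by default so they can be reviewed, and only executes them when run as root on a host where `semanage` exists.

```shell
#!/bin/sh
# Added example: label a non-standard Apache web tree so that it works with
# SELinux in enforcing mode, instead of disabling SELinux.
# Assumed types are those of the Fedora/RHEL/CentOS targeted policy.

# Print the labeling rules for a web tree.
#   $1 = DocumentRoot        (read-only content)
#   $2 = CGI directory       (scripts Apache may execute)
#   $3 = writable directory  (files the CGI may create/modify)
# Using `semanage fcontext` makes the labels persistent across relabels;
# chcon alone would be lost on the next restorecon.
selinux_webtree_rules() {
  docroot="$1"; cgidir="$2"; rwdir="$3"
  printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$docroot"
  printf 'semanage fcontext -a -t httpd_sys_script_exec_t "%s(/.*)?"\n' "$cgidir"
  printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$rwdir"
  # Apply the new contexts to files that already exist.
  printf 'restorecon -Rv "%s" "%s" "%s"\n' "$docroot" "$cgidir" "$rwdir"
}

# Execute the rules if we can (root + semanage present); otherwise just show
# them, which also lets the script run on a machine without SELinux tooling.
apply_or_show() {
  if [ "$(id -u)" -eq 0 ] && command -v semanage >/dev/null 2>&1; then
    selinux_webtree_rules "$@" | sh -e
  else
    selinux_webtree_rules "$@"
  fi
}

# Usage: ./label-webtree.sh /mywebtree/htdocs /mywebtree/cgi /myapp/tmpdir
if [ $# -eq 3 ]; then
  apply_or_show "$@"
fi
```

When onboarding an application whose access pattern is not yet understood, the per-domain alternative to `setenforce 0` is `semanage permissive -a httpd_t`: only Apache's domain stops being enforced, denials are still logged (`ausearch -m avc -ts recent`) so the missing rules can be derived, and the rest of the system keeps its policy.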

