Re: selinux: how to allow access?




On 03/20/2018 01:42 PM, Peter Kjellström wrote:
> On Tue, 20 Mar 2018 13:07:12 +0100
> hw <hw@xxxxxxxx> wrote:
>
> ...
>> So what do you really gain from selinux, and is that worthwhile all
>> the trouble and the hours spent to fix the problems it creates?  What
>> about the impact on performance?
>
> The main feature is that lots of software is indeed confined (even
> though your normal login or desktop remains unconfined).
>
> This is exactly what happens to exim in your case. It is exim_t not
> unconfined_t which means when/if it goes crazy (or is exploited) the
> damage can be limited.

which is what access rights are for

> For some people it's also useful that it provides the ability to define
> user types (see "semanage user --list").

How is this useful? It makes things much more complicated and more unmanageable.

It still doesn't allow me as a user to make it so that a program I'm running can only access the files I want it to access. Why isn't that a common thing for users to do? Gimp doesn't need to have access to my emails and fvwm doesn't need to access anything but its configuration, etc. Since those are common things, why doesn't selinux do it, and in such a way that it is easy to manage?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



