On 25.07.2013 21:26, Miloslav Trmač wrote:
> On Thu, Jul 25, 2013 at 6:36 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>> if you are able to marry pure-ftpd, samba and 250 cms-installations predictably
>> on a machine running also *self developed* management-software for a complete
>> infrastructure on 20 Fedora servers with SElinux go ahead :-)
>>
>> been there done that and it makes things so secure that they are completely
>> unusable because you are searching all day long for problems, access denied
>> here and there
>
> That can happen with SELinux when the application does something
> unanticipated by the policy writers. It can also happen just the same
> with ReadOnly Directories, for just the same reason, can't it?

no it can't

there is a difference between write to /usr and write to a bind-mount
under /usr/local which is not part of the OS, as well as other trees on
disks far away from the FHS layout

> I suppose there may be a difference in how often that happens - "/usr is
> read only" is a fairly well-targeted heuristic, OTOH "/usr is read
> only" also leaves a large part of the system completely unprotected

correct

but in environments like mine it includes *anything* installed from
packages and leaves out *anything* of own driven software which needs
write-access and can only with a lot of (too much) effort be married
with selinux

i tried SElinux several times on clones and finally it was way too much
unpredictable work to arrange it with the running infrastructure, while
making /usr and /etc read-only was done and tested for any service
within a few hours

i am a perfectionist but at the same time i have to draw a line between
perfect and doable without killing the company's workspace

the proposal draws the line in a perfect way, has no measurable
performance impact and does work nicely on systems with enforced
SElinux - that is why one of my first thoughts was "hey why is this not
the default?"
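An added example, not from this thread or from the Fedora proposal: a small POSIX shell audit that reads /proc/mounts-style lines and verifies the split Harald describes (OS tree read-only, own software on a separate writable mount under /usr/local). The mount listing is constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical audit helper (added example): check /proc/mounts-style lines for the
# layout from the thread: /usr and /etc read-only, own software writable under /usr/local.
# Constructed sample in /proc/mounts format; on a live host use "$(cat /proc/mounts)".
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /usr ext4 ro,relatime 0 0
/dev/sdb1 /usr/local ext4 rw,relatime 0 0
/dev/sda2 /etc ext4 ro,relatime 0 0'
# mount_point_for PATH MOUNTS: print the mount point with the longest prefix of PATH
mount_point_for() {
    p=$1; best=''
    while read -r _dev mnt _fs _opts _rest; do
        [ -n "$mnt" ] || continue
        if [ "$mnt" = / ] || [ "$p" = "$mnt" ] || [ "${p#"$mnt"/}" != "$p" ]; then
            if [ "${#mnt}" -gt "${#best}" ]; then best=$mnt; fi
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$best"
}
# mount_options_for PATH MOUNTS: print the option string of the mount holding PATH
mount_options_for() {
    mp=$(mount_point_for "$1" "$2")
    while read -r _dev mnt _fs opts _rest; do
        if [ "$mnt" = "$mp" ]; then printf '%s\n' "$opts"; return 0; fi
    done <<EOF
$2
EOF
    return 1
}
# is_readonly PATH MOUNTS: succeed when the mount holding PATH carries the "ro" option
is_readonly() {
    case ",$(mount_options_for "$1" "$2")," in *,ro,*) return 0 ;; *) return 1 ;; esac
}
# audit_layout MOUNTS: succeed only if /usr and /etc are read-only and /usr/local is
# its own writable mount; prints one line per check
audit_layout() {
    rc=0
    for d in /usr /etc; do
        if is_readonly "$d" "$1"; then echo "ok   $d read-only"; else echo "FAIL $d writable"; rc=1; fi
    done
    if [ "$(mount_point_for /usr/local "$1")" = /usr/local ] && ! is_readonly /usr/local "$1"; then
        echo "ok   /usr/local separate writable mount"
    else echo "FAIL /usr/local not a separate writable mount"; rc=1; fi
    return $rc
}
audit_layout "$SAMPLE_MOUNTS"
```

Running it against the real /proc/mounts after the remount shows at a glance which trees the read-only line protects and which own-software trees stay writable.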
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel