smooge@xxxxxxxxx ("Stephen J. Smoogen") writes:

>> Finally, one fundamental problem, probably most users ask them
>> themselves: Is coping with all the issues SELinux causes worth the
>> effort, and does it really help the user?
>>
>> I guess, all Fedora users have been fighting with SELinux at some point
>> in time, but probably nobody or at least very few have seen SELinux
>> preventing damage from a system in real world installations.
>
> I can say that is false. Yes, I had some problems, but instead of
> turning it off I took the time to learn what it wanted.

I took the time to learn how to write SELinux rules and adopted a system (e.g. chrooted ntpd, non-FC dhcp relay agent). But after each 'yum upgrade' which installed a new kernel or a new policy I got a lot of policy errors (new/unknown roles, incompatible labels, time-consuming relabels or even reboots were needed for the policy userspace packages), so that I had to spend a lot of time fixing SELinux issues.

Finally, I found that it is not worth the trouble and turned SELinux off. Applications were and are protected by proper configuration, traditional security measures (non-root execution, chroots) and easier-to-manage security models (Linux VServers).

SELinux is unsuitable for certain tasks (e.g. chroot operations) due to its broken/non-existent kernel API (requiring two filesystems and operating with pathnames is not very efficient, is difficult/insecure and does not work in chroots). SELinux seems to have a big performance impact too (I remember numbers of 5-7% but did not measure them myself).

'cfengine' provides the largest attack vectors in my systems and I do not see how SELinux can help to protect this program.

Enrico
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
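Both sides of the exchange above turn on the same workflow: after an upgrade you get denials, and you have to work out what SELinux "wanted" before deciding whether the fix is a relabel or a new rule. The script below is an added example, written for this page and not code from the thread, from Fedora or from the SELinux project. It parses AVC records in the Linux audit log format, groups denials by (source type, target type, object class) and renders each group as an `allow` statement in the style audit2allow prints. The log lines are constructed for the example, not captured from a real system; the type names in them are illustrative.

```python
"""Summarise SELinux AVC denials from a Linux audit log.

Added illustrative example; not code from the mailing-list thread or from
the SELinux project.  It mimics the grouping step of audit2allow so the
reader can see what a denial actually asks for before deciding between
a relabel (restorecon) and a new policy rule.
"""
import re
from collections import defaultdict

# Constructed sample audit lines in the kernel's AVC record format.
# Illustrative only; not captured from a real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1171234567.123:456): avc:  denied  { read } for  pid=2311 comm="ntpd" name="ntp.conf" dev=sda1 ino=8812 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1171234567.123:456): arch=40000003 syscall=5 success=no exit=-13 ...
type=AVC msg=audit(1171234570.456:457): avc:  denied  { read write } for  pid=2311 comm="ntpd" name="drift" dev=sda1 ino=9001 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1171234580.789:458): avc:  denied  { name_bind } for  pid=2400 comm="dhcrelay" src=67 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1171234590.000:459): avc:  denied  { write } for  pid=2311 comm="ntpd" name="drift" dev=sda1 ino=9001 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# Field layout of an AVC record: verdict, permission set, then the
# source/target security contexts and the object class.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'\bcomm="(?P<comm>[^"]*)"')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = COMM_RE.search(line)
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": comm.group("comm") if comm else "?",
    }


def summarize_denials(log_text):
    """Group denials by (source type, target type, class).

    Each entry records the union of requested permissions, how many
    records contributed, and which commands triggered them.
    """
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["comms"].add(rec["comm"])
    return dict(groups)


def candidate_allow_rules(log_text):
    """Render each group as a policy 'allow' statement (audit2allow style).

    These are candidates only: when the target type is a generic one that
    does not match the file's intended label (often the case right after
    a policy update), the right fix is a relabel, not a new rule.
    """
    rules = []
    for (stype, ttype, tclass), g in sorted(summarize_denials(log_text).items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for key, g in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(key, g["count"], sorted(g["perms"]), sorted(g["comms"]))
    print("\n".join(candidate_allow_rules(SAMPLE_AUDIT_LOG)))
```

Read the grouped output before pasting any rule into a module: a denial whose target type is a generic label (a file under /var/lib showing up as `var_lib_t`, say) usually means the object lost or never received its intended label, which a relabel fixes without widening policy; only a denial against a correctly labelled object calls for a new `allow`.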