alex@xxxxxxxxxxxxxxx wrote:
Quoting Hein Coulier <hein.coulier@xxxxxxxxx>:
Don't get me wrong : i understand why redhat shouldn't be eager to
support
strict policies. I also don't expect the problems to be generated by
redhat, but by my 3rd party products : what if websphere (and our
internet
shop) stops running, or all our oracle databases in our 250 retail
shops ?
Even with support, damage in $ would be to big.
I hope that in a few years, linux will become like a mainframe with
default
security, and that it will be an evidence for all vendors that it's
their
duty to provide the neccessary rules to protect and keep their
systems and
data available.
I'm looking at this from a bit different angle. User can do lots of
damage even
if only "standard" Unix access controls are used (file permissions and
ownerships). SELinux only brings this at more complex level. If it
is too
complex for Red Hat (or any other vendor) to support it at standard
pricing
levels, they could have "advanced security release" of product that
includes
strict policy with higher price tag (that would reflect higher support
costs). Users of cheaper products should be allowed to install strict
policy too, but if
they need support, they'd need to switch back to targeted policy or
upgrade to
"advanced security" version of product. I see nothing wrong with such an
approach.
Best solution for me would be that rbac on userbase could be made
available
in targeted policy.
I'm an total SELinux newbie (intend to improve on that), but yes, this
would be
nice to have feature if possible. In my work environmnt, we work with
some
sensitive data, and we must have audit trail whenever some types of
files are
touched (or we would fail external audits, which translates to lost jobs,
simple as that). Problem with using Linux so far was lack of good
auditing
tools. SELinux looked promising on the surface, but if I can have
auditing
only with strict policy, and RHEL doesn't support it, than Red Hat has
put
itself out of game. If it was possible to create "targeted"
per-user/group
rules in targeted policy, with audit logging (when access is granted),
that
would be good enough.
You can use the Audit Framework for watching certain files with or
without SELinux.
Have you looked at auditd and auditctl.
I think you're all doing a great job, and i still believe selinux is the
future. Keep up the good work.
I completely agree with this.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
