On Sat, Apr 08, 2006 at 10:55:37 -0500, Robert Nichols <rnicholsNOSPAM@xxxxxxxxxxx> wrote:
>
> Actually, I agree with you completely. I've just found SELinux too
> painful to use. I fought with it a long time in FC-3, almost had it
> working, but never managed to get permissive mode to stay quiet long
> enough to let me go to enforcing mode. I looked at SELinux in FC-4
> to see what might have changed, but I never really did much with FC-4.
> Now I see that in FC-5 so much has changed that absolutely nothing
> that I learned how to do in FC-3 applies any more. I'd be starting
> from scratch again. Sorry, BTDT. Sure, there are programs I'd like
> to confine, but SELinux just isn't a feasible way to do that unless
> you have an SELinux guru on call to set up and maintain your system.

I had it off in FC3, targeted in FC4, and now with FC5 I am going to try to inflict mls on myself, on one of my machines. I like targeted because it makes running publicly accessible daemons a bit safer (and FC5 adds some other stuff there). However, I do use perl scripts that need to be able to access a local database server or a remote site and I keep projects in nonstandard directories, so I need to tweak contexts. I still haven't figured out the best way to handle not breaking things after a relabel.

I have both an interest in security and a distrust of commercial software distributors (in particular game distributors) and would like to take the next step of not having any unconfined (well, not using the unconfined_t context) processes. And I figure I might as well go right to using the mls policy even though I don't have much use for hierarchical security levels at this time.

But I figure there will be some pain in doing this. I need to learn how to efficiently get custom modules set up for applications, and need to figure out how I want to maintain these modules as well as nonstandard file context settings.