Arthur Pemberton wrote:
I don't think anyone complaining here has read the docs, but still, this link may also help: http://fedoraproject.org/wiki/SELinux
My opinions were formed by reading the documentation available at nsa.gov concerning the goals of and means used by SELinux. Neither the goals nor the means, as described by the originator of SELinux, do I consider to be of value for my particular situation. Since SELinux is not "small", and it has a pervasive effect upon applications (the docu you point to mentions approximately 50 apps required change, not to mention the kernel and libraries) it is not something which I wish to install, let alone run. Having SELinux is sure to introduce defects.

However, since you seem to feel that Fedora's description might be more appealing for some reason, I went to the link you suggest, and read everything under "Understanding SELinux". After doing that, I find myself completely unmoved in my position. In fact, the description I found there was less informative than NSA's website.

Incidentally, the documentation you suggest reading states both that most apps can remain "SELinux unaware" and let the policy makers handle everything, and that "leaving apps SELinux unaware" may lead to confusing the app and user both, since all access rights may be correct, but the app simply gets "access denied".

My understanding and opinion of SELinux' goals and means are both unchanged. If I had a huge installation of highly sensitive information and needed to be able to tell my bosses that I was doing everything I could to protect it, regardless of how really useful or effective the techniques used would be, then I'd install and run SELinux. We used to say "no one ever got fired for buying IBM". For my machine, which has exactly one real user, and no sensitive information on it at all (only private information), I believe that the disadvantages far outweigh the advantages.

There are exactly three users which can actually log on to my machine:

root
me
bird

That last one is a user I created recently, and which runs only in a chroot jail. I created it specifically for experimenting with chroot.

It appears to me that RH is courting large corporate or government users where political considerations and the ability to dodge responsibility are important, rather than stand-alone small desktop systems with single or just a very few actual users. That's fine. It does mean that RH products and their derivatives are not appealing to me. I think it would be better if they had the option simply not to install.

I don't understand any rancor on any side of this issue.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!