klybear wrote:
>> On Thu, 28 Feb 2008 09:31:05 +0900, John Summerfield wrote:
>> The only penetrations I've seen arrived by ssh. I don't think selinux
>> would have helped there; the sorts of restrictions I can think of would
>> also prevent the user from doing what users ought be able to do such as
>> download stuff (including email), sending email and so forth.
> I'm a new full-time linux user, having temped with one or two distros in
> the past, and I have to say that my experience of selinux has been
> frustrating. I never had any Selinux issues with Ubuntu or Debian, but
> since using Fedora, three of the four problems I've solved so far turned
> out to be related to selinux permissions and the fourth one I'm still
> working on :)
Although this is an unpopular opinion on this list, I have to second it.
So far, I've tried selinux ~3-4 times, and every time it has been a big
PITA:
Until my latest attempt, something refused to work altogether, so I
turned it off (that was back in the FC6 days and earlier). Granted, I
sometimes chose weird options (reiserfs) and/or installed binary
drivers (fglrx, ipw3945, etc...), but that's what users are expected to
do (philosophy aside).
Then, I've read up on it a little and decided to give it another try
with FC8. After install, everything seemed okay (only because nothing
was configured yet). It was only after I started to set up my stuff that
I started getting a bunch of errors.
After a few hours, I set it to warning-only mode (permissive?) and
started collecting the errors.
People mentioned on this list that selinux errors are fixed really fast
- so I decided why not submit a few into redhat bugzilla?
I had submitted 10 selinux-related bugs in November, and there are still
4 being worked on (3 of which are still marked as NEW)
- 2 of my 10 have been rejected:
* 1 as CANTFIX -- because, apparently, setroubleshoot is not meant to be
read by mere mortals
* 1 as NOTABUG -- my fault for installing a compiled version of wine
instead of yum'd version (which was pretty far behind)
- 3 of them have been [sort of] fixed:
* 1 as CURRENTRELEASE
* 1 as VERIFIED -- not sure why it's not closed, even though I've
checked that it works with that date's -testing version of the selinux
rules... maybe it never made it into release?
* 1 as MODIFIED -- assignee says it's fixed, but I have no way of
verifying it, as the bug happened randomly
- 1 is still at NEEDINFO -- my fault, but I don't really have the time
right now to re-enable selinux and sit around until it finishes
relabeling all my files...
It's true, a few of those got closed pretty quickly -- but it's the rest
that I'm annoyed about.
After a few weeks of waiting (and receiving the same error messages), I
simply turned off selinux altogether.
As far as I'm concerned, it's just not ready for prime time.
setroubleshoot was definitely a step in the right direction, but it's
still extremely hard to understand for the uninitiated. And when I
understand what's going on, it's still hard to do something about it.
// END_RANT
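An added example, not from this thread and not part of setroubleshoot or the SELinux tools: the raw AVC denials that pile up in /var/log/audit/audit.log while a box sits in permissive mode are terse, but every one carries the same four fields worth reading first, namely the source type, the target type, the object class and the denied permissions. The POSIX shell/awk helper below condenses a stream of such denials into one summary line per source type, target type and class. The three audit lines in SAMPLE_AVC are constructed for the example, and the function name summarize_avc is mine.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials as logged by auditd into
# "source_type target_type class perm[,perm...]", one line per combination.
# Hypothetical helper; it is not part of setroubleshoot or audit2allow.

# Constructed sample: three denials in the format auditd writes them
# (two from httpd reading a file under a home directory, one from a
# wine process connecting out to a VNC port).
SAMPLE_AVC='type=AVC msg=audit(1204162265.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1204162265.130:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/kly/public_html/index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1204162301.004:458): avc:  denied  { name_connect } for  pid=2201 comm="wine-preloader" dest=5900 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket'

# summarize_avc: read AVC lines on stdin, print one line per
# (source type, target type, class) with the union of denied permissions,
# in first-seen order. Non-AVC audit records are ignored.
summarize_avc() {
    awk '
    /^type=AVC/ && /avc: *denied/ {
        # The denied permissions sit between "{ " and " }".
        perms = $0
        sub(/.*denied *[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level; the type is the third field.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt " " cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
    }
    END {
        for (k = 1; k <= count; k++) {
            s = seen[keys[k]]; gsub(/ /, ",", s)
            print keys[k], s
        }
    }'
}

# Run on the constructed sample. On a real Fedora box you would feed it
# the audit log instead, e.g.:  ausearch -m avc -ts recent | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

The summary is the part of a setroubleshoot alert that actually decides what to do next: a denial of httpd_t on user_home_t is typically a labeling or boolean question (restorecon on the files, or the relevant httpd boolean) rather than a policy bug, whereas a denial the policy really should allow is what you would turn into a local module with audit2allow -a -M local before or instead of filing it in bugzilla.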