On Sun, 2008-03-02 at 13:16 +0000, Marko Vojinovic wrote:
> It isn't important to understand how it works, but what it does. I see regular
> woes about selinux here on the list, mostly from people who didn't bother to
> read the manuals (myself included for one thread). Just do
>
> man semanage, man chcon, man restorecon

Those are useful pointers, thanks.

> and find out that the whole thing behaves just as another layer of file
> permissions. Some of the rules in selinux concern bad programming habits.

It's not quite the same as permissions, because there is a choice; when something breaks, do I complain to the person who wrote the program? Yes, I should, but this doesn't solve the problem, it still doesn't work. Or should I chcon or do some other magic that makes the problem go away? The problem is still there, though. Yes, I should actually do both of these things.

Of course, in my environment there is a big firewall around the whole place, and my little network doesn't see these threats. So it's not quite the same as permissions. It's more, this pile of software, which we cannot do without, despite that it was badly written ten or fifteen years ago but with good intent, needs to work please, now.

Dr. Tom

--
It is nobler to declare oneself wrong than to prove oneself right, especially when one is right. Only, one must be rich enough to do so.
Thus spoke Zarathustra.