Alan Cox <alan <at> lxorguk.ukuu.org.uk> writes:

> > > http://home.comcast.net/~tomhorsley/wisdom/braindump/selinux.html
> >
> > No doubt there are those who disagree though.
>
> Indeed - I think I'd consider a consultant who did that on my systems as
> setting themselves up for a negligence lawsuit if the box got hacked.
>
> Alan

Hi,

Well, if selinux is the best that happened to security since sliced bread,
then why do people make these comments?

http://en.wikipedia.org/wiki/Security-Enhanced_Linux
...
Overall, the reception to SELINUX has been mixed in the Linux community with
various sys-admins preferring to stay away from it because of the usage issues.
...

http://articles.techrepublic.com.com/5100-10878_11-6156411.html
...
SELinux is a mystery to a lot of people. During Linux installation, most
administrators either disable the feature or turn it on without knowing exactly
what it will do to their systems.
...

http://www.linuxsecurity.com/content/view/129763
Comments

too much damn control
Written by pauly on 2007-09-28 14:13:42
why should I have to undo controls just to use programs - it's seen as
unnecessary for the desktop and most people use desktops.

SELinux
Written by Jon on 2007-10-01 08:07:07
For desktop users it might take too much time to get working right, but all
servers should have SELinux turned on.

SELinux on a server
Written by johnny on 2007-10-03 09:30:20
One compromise approach is to switch SELinux to permissive mode until it's
settled down and nicely configured, and then switch back to enforcing mode and
leave it that way until permissive mode is really needed during a major change
to the server. Changes that big should be infrequent. Agreed that it needs to
be simplified for desktop users.

Often enough it's difficult enough just to configure and get a new subsystem up
and running ...
Written by Jim Dennis on 2008-04-10 12:38:24
... adding SELinux over the top of that is just too onerous for the majority of
professional sys admins (let alone normal users). (Even good admins
periodically have to spend hours chasing down obscure permissions issues just
using the stock 4 octets modes on normal UNIX files and directories).
I wouldn't even consider deploying SELinux in an organization of any size or
complexity without dedicating at least one full-time security specialist to
managing its policies and supporting admins and developers through every new
application deployment. That's an expectation which must be firmly and clearly
set with management before they attempt any sort of SELinux adoption.

http://lwn.net/Articles/365224/
SELinux
...
It is a highly flexible system, but also highly complex; even a minimal SELinux
policy can involve thousands of rules. The complexity of SELinux has almost
certainly inhibited its adoption in the broader Linux community; when SELinux
gets in the way of real work, figuring out how to fix it can be a nontrivial
task. Over the years, many administrators have concluded, like Ted Ts'o, that
"life is too short for SELinux."

Here is that article by Ted Ts'o:
http://lwn.net/Articles/252588/
...
Why do security people think they have the ability to dictate to application
writers that they use specialized API's or write arcane security policies?

And I could go on and on ...

JB