Re: SELINUX

Alan Cox <alan <at> lxorguk.ukuu.org.uk> writes:

> 
> > http://home.comcast.net/~tomhorsley/wisdom/braindump/selinux.html
> > 
> > No doubt there are those who disagree though.
> 
> Indeed -  I think I'd consider a consultant who did that on my systems as
> setting themselves up for a negligence lawsuit if the box got hacked.
> 
> Alan

Hi,
Well, if selinux is the best that happened to security since sliced bread, then
why do people make these comments?

http://en.wikipedia.org/wiki/Security-Enhanced_Linux
...
Overall, the reception to SELINUX has been mixed in the Linux community with
various sys-admins preferring to stay away from it because of the usage issues.
...

http://articles.techrepublic.com.com/5100-10878_11-6156411.html
...
SELinux is a mystery to a lot of people. During Linux installation, most
administrators either disable the feature or turn it on without knowing exactly
what it will do to their systems.
...

http://www.linuxsecurity.com/content/view/129763
Comments
too much damn control   Written by pauly on 2007-09-28 14:13:42
why should I have to undo controls just to use programs - it's seen as
unnecessary for the desktop and most people use desktops.

SELinux Written by Jon on 2007-10-01 08:07:07
For desktop users it might take too much time to get working right, but all
servers should have SELinux turned on.

SELinux on a server     Written by johnny on 2007-10-03 09:30:20
One compromise approach is to switch SELinux to permissive mode until it's
settled down and nicely configured, and then switch back to enforcing mode and
leave it that way until permissive mode is really needed during a major change
to the server. Changes that big should be infrequent.
Agreed that it needs to be simplified for desktop users.

Often enough it's difficult enough just to configure and get a new subsystem up
and running ...
Written by Jim Dennis on 2008-04-10 12:38:24
... adding SELinux over the top of that is just too onerous for the majority of
professional sys admins (let alone normal users). (Even good admins periodically
have to spend hours chasing down obscure permissions issues just using the stock
4 octets modes on normal UNIX files and directories).
I wouldn't even consider deploying SELinux in an organization of any size or
complexity without dedicating at least one full-time security specialist to
managing its policies and supporting admins and developers through every new
application deployment.
That's an expectation which must be firmly and clearly set with management
before they attempt any sort of SELinux adoption.

http://lwn.net/Articles/365224/
SELinux ... It is a highly flexible system, but also highly complex; even a
minimal SELinux policy can involve thousands of rules. The complexity of SELinux
has almost certainly inhibited its adoption in the broader Linux community; when
SELinux gets in the way of real work, figuring out how to fix it can be a
nontrivial task. Over the years, many administrators have concluded, like Ted
Ts'o, that "life is too short for SELinux."

Here is that article by Ted Ts'o:
http://lwn.net/Articles/252588/
...
Why do security people think they have the ability to dictate to
application writers that they use specialized API's or write arcane
security policies?

And I could go on and on ...
JB
                                                                               
                



