On Tuesday, August 31, 2010 01:15:15 JB wrote:
> Well, if selinux is the best that happened to security since sliced bread,
> then why do people make these comments?

Umm, let me see... :-)

(a) because SELinux has a learning curve;
(b) because SELinux uncovers bad admin practices by breaking lousily configured apps, and thus uncovers admin incompetence;
(c) because SELinux security policies needed some time to mature to a usable state;
(d) because people don't like to give up their (bad) habits and accept more strict rules, even when those rules are for their own benefit.

For example, the very first thing a Windows convert whines about in Linux is having to deal with those ugly stupid "rwxrwxrwx" things that make his life so miserable. And he hates having to learn about chown and chmod, let alone those dreaded man pages that are sooooo cryptic... But the fact that all Windows converts regularly whine about permissions doesn't make them right. Ditto for SELinux.

As to your examples:

> http://en.wikipedia.org/wiki/Security-Enhanced_Linux
> ...
> Overall, the reception to SELINUX has been mixed in the Linux community
> with various sys-admins preferring to stay away from it because of the
> usage issues. ...

You failed to quote Wikipedia's "citation needed" tag at the end of this sentence.

> http://articles.techrepublic.com.com/5100-10878_11-6156411.html

This article is from 2007. A lot has changed since then.

> http://www.linuxsecurity.com/content/view/129763

This article (and most of the comments) is from 2007. A lot has changed since then.

> http://lwn.net/Articles/252588/

This article is from 2007. A lot has changed since then. (Am I repeating myself here?)

> http://lwn.net/Articles/365224/

Aaah, this one is from December 2009, much more recent... :-)

> SELinux ... It is a highly flexible system, but also highly complex; even a
> minimal SELinux policy can involve thousands of rules. The complexity of
> SELinux has almost certainly inhibited its adoption in the broader Linux
> community; when SELinux gets in the way of real work, figuring out how to
> fix it can be a nontrivial task. Over the years, many administrators have
> concluded, like Ted Ts'o, that "life is too short for SELinux."

How about continuing the quote into the next paragraph:

"That said, Fedora and Red Hat have slowly made progress in using SELinux to confine parts of the system without creating too much user pain. And there is certainly a place for more comprehensive security models in general."

> And I could go on and on ...

I didn't bother to read the articles you quoted. First of all, they are just obsolete, given the time when they were written. Second, since SELinux was first introduced, I haven't seen a single reasonable and convincing argument against using it. People just whine that it's cryptic, that it gets in the way when they try to do something (wrong?), and that they don't like it. Those are not real and convincing arguments. The only critique that came even remotely close to reason was that running SELinux produces a performance penalty, while having no gain if the machine is not exposed to the Internet. But in those cases one can just disable it to gain back the performance, provided that security is not an issue.

All my current servers and desktops have SELinux in enforcing mode, and I haven't seen a single AVC denial for two years now (since Fedora 9, to be precise). The only exception was when a script kiddie managed to guess an ssh password of one of my users, and then tried to escalate to root. The attack was unsuccessful mostly because of SELinux --- I saw a whole bunch of denials, and managed to recover from the intrusion without having to wipe & reinstall the whole system. That was my firsthand experience that SELinux is actually quite useful and effective.

Of course, if you are smart enough to protect your system without SELinux, or stupid enough to believe you cannot benefit from its protection, feel free to disable it. You are also free to shut down the firewall, use your desktop from a root account, publish your root password on the web, etc. :-)

Best, :-)
Marko

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines