On Mon, Aug 30, 2010 at 8:15 PM, JB <jb.1234abcd@xxxxxxxxx> wrote:

> Well, if selinux is the best that happened to security since sliced bread, then
> why do people make these comments?
>
> http://en.wikipedia.org/wiki/Security-Enhanced_Linux
> ...
> Overall, the reception to SELINUX has been mixed in the Linux community with
> various sys-admins preferring to stay away from it because of the usage issues.
> ...
>
> http://articles.techrepublic.com.com/5100-10878_11-6156411.html
> ...
> SELinux is a mystery to a lot of people. During Linux installation, most
> administrators either disable the feature or turn it on without knowing exactly
> what it will do to their systems.
> ...

The learning curve is relatively high. When I first deployed it, it took a couple of days of experimentation to get it to where apps weren't complaining. Once it's done, though, it has been pain free.

An interesting note is that if you check through the Bugzillas, there are a few security errata that SELinux will prevent from being exploitable.

The default configurations are getting a lot better, as they now set the proper contexts. I remember not long ago application installations would often fail because the firewalls weren't configured at the same time. SELinux may be the same way. The major apps are ready, but total acceptance may not happen until the RPM/yum tools can auto-magically set the proper contexts, or at least do some of the initial grunt work in getting the app to work. It's happening though...

The audit subsystem is in a similar situation. Initially it was a PITA to configure. A front-end tool would make things simpler than editing rules directly and may drive acceptance.

The thing is, with heightened PCI awareness and more stringent requirements, it's only a matter of time. auditd is a requirement. iptables is a requirement. So are anti-virus, configuration management, and rigid authentication policies. ACLs will probably become a requirement. SELinux is required on some systems. Only a matter of time...

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines