selinux is a pain
Tom Horsley
horsley1953 at gmail.com
Tue Sep 20 12:07:38 UTC 2011
On Tue, 20 Sep 2011 19:37:04 +0800
Ed Greshko wrote:
> Other than the occasional need for a custom policy I've not had any problems.
And did you perform an intensive security review of the source for the
program requiring the custom policy to insure that it is in fact
perfectly OK to allow whatever the heck selinux was disallowing?
Or (as I suspect is far more likely :-) did you just say, "OK, I need
to run this program, so I'll allow that."
And, of course, the standard selinux policy files shipped with fedora
have grown in the exact same fashion. The reason most folks don't
have problems with selinux any longer is that all the quirks and
foibles of all the programs shipped with fedora have gradually
been added to the policy files, almost certainly without any
of the intensive security reviews of the source which would make
it marginally safe to allow those behaviors. (Because if the
source had gone through that kind of review, they'd still be
working on the 1st policy exception :-).
So basically, you can get a system which is every bit as secure
as one running selinux by turning off selinux, and then you don't
ever get bothered by the "occasional need" to write a custom
policy, or get fooled into a sense of security because you
have selinux turned on.
More information about the users
mailing list