selinux is a pain

Ed Greshko Ed.Greshko at greshko.com
Tue Sep 20 13:12:29 UTC 2011


On 09/20/2011 08:07 PM, Tom Horsley wrote:
> On Tue, 20 Sep 2011 19:37:04 +0800
> Ed Greshko wrote:
>
>> Other than the occasional need for a custom policy I've not had any problems.
> And did you perform an intensive security review of the source for the
> program requiring the custom policy to insure that it is in fact
> perfectly OK to allow whatever the heck selinux was disallowing?
> Or (as I suspect is far more likely :-) did you just say, "OK, I need
> to run this program, so I'll allow that."

I do not know what your definition of "intensive security review" is...
But, yes, a risk assessment was undertaken to determine why the sealert
was generated and the implications of generating a policy to allow the
program to run.  FWIW, I didn't do all the work personally in all
instances but in at least one case the code was changed as opposed to
creating a custom policy.
 
> And, of course, the standard selinux policy files shipped with fedora
> have grown in the exact same fashion. The reason most folks don't
> have problems with selinux any longer is that all the quirks and
> foibles of all the programs shipped with fedora have gradually
> been added to the policy files, almost certainly without any
> of the intensive security reviews of the source which would make
> it marginally safe to allow those behaviors. (Because if the
> source had gone through that kind of review, they'd still be
> working on the 1st policy exception :-).

I don't know if the assertions that you've made in this paragraph are
true or not.  I'm inclined to take what you've said as either an opinion
or maybe an "educated" assumption.
>
> So basically, you can get a system which is every bit as secure
> as one running selinux by turning off selinux, and then you don't
> ever get bothered by the "occasional need" to write a custom
> policy, or get fooled into a sense of security because you
> have selinux turned on.

It seems you are advocating to "just turn it off"?



-- 
Even if you do learn to speak correct English, whom are you going to
speak it to? -- Clarence Darrow
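The reply above describes working out why a sealert fired and what allowing it would imply before writing a custom policy. The script below is an added example of that triage step, not code from the poster or from the Fedora SELinux tooling. It reads raw AVC records (three constructed ones are embedded; the values are invented), reduces each denial to "which process, in which source domain, wants which permissions on which target type", and marks denials that should not be waved through with audit2allow without looking at the program: memory-execution permissions, process/capability transitions, and writes to system-owned types. The REVIEW lists are an assumed starting point, not an official classification.

```shell
#!/bin/sh
# Constructed sample audit records (not captured from a real system).
SAMPLE_AVC='type=AVC msg=audit(1316522345.123:4567): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1316522346.456:4568): avc:  denied  { execmem } for  pid=2345 comm="myapp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
type=AVC msg=audit(1316522347.789:4569): avc:  denied  { write } for  pid=3456 comm="myapp" name="shadow" dev=dm-0 ino=9012 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# avc_summarize: raw audit records on stdin, one line per denial on stdout:
#   <comm> <source_type> <target_type> <tclass> <permissions>
# Only the type field of each context is kept; records without comm= pass
# through unchanged so nothing is silently dropped.
avc_summarize() {
    grep 'avc:  *denied' | sed -E \
        's/.*denied +\{ *([^}]*[^ }]) *\} .*comm="([^"]*)".*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([^ ]*).*/\2 \3 \4 \5 \1/'
}

# avc_triage: lines from avc_summarize on stdin; each line is echoed with a
# REVIEW or ROUTINE prefix.  REVIEW means "read the source before allowing":
# the program wants executable memory, a privilege/domain change, or to
# modify a type that holds credentials, binaries, or SELinux configuration.
# (Assumed lists for illustration; extend them to suit your own policy.)
avc_triage() {
    while read -r comm stype ttype tclass perms; do
        verdict=ROUTINE
        for p in $perms; do
            case "$p" in
                execmem|execmod|execstack|execheap|setuid|setgid|sys_admin|sys_module|ptrace|transition|entrypoint)
                    verdict=REVIEW ;;
            esac
        done
        case " $perms " in
            *" write "*|*" append "*|*" create "*|*" unlink "*|*" setattr "*|*" relabelto "*)
                case "$ttype" in
                    shadow_t|etc_t|bin_t|lib_t|boot_t|selinux_config_t|security_t)
                        verdict=REVIEW ;;
                esac ;;
        esac
        echo "$verdict $comm $stype $ttype $tclass $perms"
    done
}

# Stand-alone run over the embedded sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summarize | avc_triage
```

On a live Fedora box the input would come from `ausearch -m avc -ts recent` instead of the embedded sample; only after a ROUTINE verdict (or a REVIEW that has actually been reviewed) would the same records go to `audit2allow -w` to see why the denial happened and then `audit2allow -M <module>` to build a module, and the generated .te file should still be read before `semodule -i` loads it.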