selinux is a pain

Andreas M. Kirchwitz amk at spamfence.net
Fri Sep 23 22:54:42 UTC 2011


Martín Marqués <martin.marques at gmail.com> wrote:

 > I reinstalled (better hardware) a server and had selinux enabled (was
 > disabled before), and I'm starting to see why so many people don't use
 > selinux.
 >
 > My question is, how many people are using selinux?

SELinux is a mighty thing, but it's way too complex. It's missing
proper tools to manage it, and it's also not very well documented.
I used SELinux for years, but even for their own distribution,
the Fedora people never managed to maintain a SELinux policy that
just works with their own services.

Yes, all problems got fixed with updates of the SELinux policy packages
sooner or later, but until these updates were released, for every problem
I spent a lot of time finding workarounds so that I could use my computer
again (thanks to Red Hat's Bugzilla and all the other Fedora users with
the same problems).

SELinux on Fedora works okay if you use your computer as an end-user
workstation with the minimum of local services. But on such a system,
SELinux doesn't have much to do.

As soon as you enable services shipped with Fedora or even try to
install your own ones, you'll get into trouble eventually.

Yes, there are tools to scan SELinux log files and create exceptions,
but I ended up with hundreds of exceptions. And to be honest, I don't
understand what they do exactly. I cannot trust SELinux any longer.
That doesn't give me any additional security.

SELinux has wasted too much time of my life over the years,
so I decided to no longer use it. I keep my computers up to date
and configure them properly. If that isn't enough, bad luck.

SELinux is a nice concept, but for me it has failed because it's
not really usable.

	Greetings, Andreas
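An added illustration of the "hundreds of exceptions I don't understand" problem above (not part of Andreas's mail): the script parses AVC denial lines from audit.log and collapses them into the allow rules that audit2allow would generate, so each exception can be read and judged before it is loaded. The log lines are constructed samples, not from a real system.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1316817282.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1316817282.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1316817290.001:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1316817282.123:456): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the permission set and the source/target contexts of one AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc_denials(log_text):
    """Return one dict per AVC denial line; non-AVC lines (SYSCALL etc.) are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m.group("perms").split(),
            # user:role:type:level -> the type is the third field
            "source_type": m.group("scontext").split(":")[2],
            "target_type": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return denials

def summarize_allow_rules(denials):
    """Collapse denials into {(source_type, target_type, tclass): set_of_permissions}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    return dict(rules)

def format_rules(rules):
    """Render the summary as the allow statements a policy module would contain."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    for rule in format_rules(summarize_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG))):
        print(rule)
```

Reading the collapsed rules is the point: httpd_t reading user_home_t files points to mislabelled web content (normally httpd_sys_content_t), and the connection to postgresql_port_t is already covered by the httpd_can_network_connect_db boolean, so neither denial needs a custom allow rule.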
