Quoting Hein Coulier <hein.coulier(a)infoco.be>:
> Don't get me wrong: I understand why redhat shouldn't be eager to
> strict policies. I also don't expect the problems to be generated by
> redhat, but by my 3rd party products: what if websphere (and our
> shop) stops running, or all our oracle databases in our 250 retail
> shops?
> Even with support, damage in $ would be too big.
> I hope that in a few years, linux will become like a mainframe with
> security, and that it will be an evidence for all vendors that it's
> duty to provide the necessary rules to protect and keep their
> systems and data available.
I'm looking at this from a bit different angle. User can do lots of
if only "standard" Unix access controls are used (file permissions and
ownerships). SELinux only brings this at more complex level. If it
complex for Red Hat (or any other vendor) to support it at standard
levels, they could have "advanced security release" of product that
strict policy with higher price tag (that would reflect higher support
costs). Users of cheaper products should be allowed to install strict
policy too, but if
they need support, they'd need to switch back to targeted policy or
"advanced security" version of product. I see nothing wrong with such an
> Best solution for me would be that rbac on userbase could be made
> in targeted policy.
I'm a total SELinux newbie (intend to improve on that), but yes, this
nice to have feature if possible. In my work environment, we work with
sensitive data, and we must have audit trail whenever some types of
touched (or we would fail external audits, which translates to lost jobs,
simple as that). Problem with using Linux so far was lack of good
tools. SELinux looked promising on the surface, but if I can have
only with strict policy, and RHEL doesn't support it, then Red Hat has
itself out of game. If it was possible to create "targeted"
rules in targeted policy, with audit logging (when access is granted),
would be good enough.
You can use the Audit Framework for watching certain files with or
Have you looked at auditd and auditctl?
> I think you're all doing a great job, and I still believe selinux is the
> future. Keep up the good work.
I completely agree with this.
This message was sent using IMP, the Internet Messaging Program.
fedora-selinux-list mailing list
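The reply above points at auditd and auditctl for getting an audit trail on sensitive files without the strict policy. As an added illustration that is not part of the thread, the following Python script shows what that trail looks like once a watch rule is in place: it stitches the SYSCALL and PATH records auditd writes for one event (they share the `msg=audit(timestamp:serial)` id) into a single line of "who touched which file, with what, did it succeed". The watch path `/srv/sensitive`, the key `sensitive_data` and the log lines are all constructed for this example, not taken from any real system.

```python
"""Turn raw auditd records for a file watch into a per-event audit trail.

Constructed example. With a watch rule such as

    -w /srv/sensitive -p rwa -k sensitive_data

(in /etc/audit/rules.d/ or loaded with `auditctl`), every read/write/attribute
access below /srv/sensitive produces a SYSCALL record carrying key="sensitive_data"
plus one PATH record per touched path, all sharing the same serial number.
"""
import re
from collections import defaultdict

# Assumed watch rule; the path and key are placeholders for this example.
WATCH_RULE = "-w /srv/sensitive -p rwa -k sensitive_data"

# Constructed sample of /var/log/audit/audit.log lines (not real output).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=0 a3=0 items=1 ppid=1000 pid=1234 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="sensitive_data"
type=CWD msg=audit(1700000000.123:42): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:42): item=0 name="/srv/sensitive/customers.csv" inode=12345 dev=fd:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000001.500:43): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1 a2=1 a3=0 items=1 ppid=2000 pid=2345 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="sensitive_data"
type=PATH msg=audit(1700000001.500:43): item=0 name="/srv/sensitive/payroll.db" inode=12346 dev=fd:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000002.000:44): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=999 auid=1001 uid=1001 comm="less" exe="/usr/bin/less" key=(null)
type=PATH msg=audit(1700000002.000:44): item=0 name="/etc/hostname" nametype=NORMAL
"""

# "type=XXX msg=audit(<epoch>.<ms>:<serial>): <key=value ...>"
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be double-quoted (and then may contain spaces).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit.log line into a dict, or return None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
    return {'type': m.group('type'), 'ts': float(m.group('ts')),
            'serial': int(m.group('serial')), **fields}


def build_trail(lines, key='sensitive_data'):
    """Group records by serial and keep only events tagged with the watch key.

    auid is the login uid auditd assigns at login and preserves across su/sudo,
    so it identifies the person even when uid has changed.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)

    trail = []
    for serial in sorted(events):
        recs = events[serial]
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        if syscall is None or syscall.get('key') != key:
            continue  # not produced by our watch rule (e.g. key=(null))
        paths = [r['name'] for r in recs
                 if r['type'] == 'PATH' and r.get('nametype') == 'NORMAL']
        trail.append({
            'serial': serial,
            'ts': syscall['ts'],
            'auid': int(syscall.get('auid', -1)),
            'uid': int(syscall.get('uid', -1)),
            'exe': syscall.get('exe'),
            'comm': syscall.get('comm'),
            'success': syscall.get('success') == 'yes',
            'paths': paths,
        })
    return trail


def format_trail(trail):
    """Render the trail as one human-readable line per event."""
    return ['{ts:.3f} serial={serial} auid={auid} uid={uid} exe={exe} '
            '{outcome} paths={paths}'.format(
                outcome='OK' if e['success'] else 'DENIED', **e)
            for e in trail]


if __name__ == '__main__':
    print('# rule:', WATCH_RULE)
    for line in format_trail(build_trail(SAMPLE_LOG.splitlines())):
        print(line)
```

The third event in the sample carries `key=(null)`, meaning no rule matched it, so it is dropped; the second shows a denied open (`success=no exit=-13`, EACCES), which is exactly the "who tried" entry an external audit wants to see alongside the successful ones. On a live system the same records are easier to pull with `ausearch -k sensitive_data`; the parser here is only to make the record structure visible.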