using selinux to control user access to files

Erik Fichtner emf at obfuscation.org
Mon May 9 15:36:08 UTC 2005


On Mon, May 09, 2005 at 11:25:09AM -0400, Valdis.Kletnieks at vt.edu wrote:
> On Mon, 09 May 2005 16:30:43 +0200, Hein Coulier said:
> 
> > That is a bummer!  I read that redhat (even in rhel5) is not supporting the
> > strict policy.  Since we're running a lot of 3rd party products (oracle,
> > websphere, openview, controlm, ...), I doubt that management will be willing
> > to take the risk of running unsupported.
> > 
> > I'll have to address my superiors, but I fear it might be over-and-out for
> > selinux.
> 
> I remember seeing a statement on a RedHat page that their "lack of support" would
> basically mean "replicate your issue with enforcing=0 and then we'll talk",
> so things may not be as bad as all that...

And how, exactly, is that not equivalent to a complete lack of support
for SElinux policy?    If RH ships a .te/.fc pair for a particular
application, and it causes an application to break, they should be on
the hook for at least explaining why the application isn't functional.

Of course, having actually been using strict SE for a while, I
completely understand why RH isn't going to do this quickly.  Perhaps
over time they'll begin to support stock policy, but I fear it will be
quite a while. 

Until they do, though, SElinux is going to remain a toolkit for advanced
users who are already the least likely to be compromised, and will do 
nothing for raising the low-hanging fruit.

And if they're not going to support it, they might as well not ship it 
in RHEL.  Once you're running an unsupported configuration, one might
as well do it for free. ;)


-- 
Erik Fichtner; Unix Ronin

"Mathematics is something best shared between consenting adults
in the privacy of their own office" - Adam O'Donnell