SELinux Understanding

Sam Varshavchik mrsam at courier-mta.com
Fri Oct 12 22:52:34 UTC 2007


Karl Larsen writes:

>     While reading the man selinux I found the part that makes me think 
> that this software may not be ready for a desktop user. Here it is:

It's not. Some time ago I made a good-faith effort to put together an 
SELinux policy for ivtv and mythtv.

I gave up.

Let's begin with a complete lack of any usable documentation that comes with 
the SELinux package itself. And the documentation on the web not only wasn't 
helpful, it was pretty clear that SELinux is a long way from maturing.

NSA's original documentation wasn't too bad, you could follow it along. 
After reading it a couple of times, you can get a fairly good grasp of 
what's going on. But the real problem is that, it seems, over the last 
couple of years, the stock SELinux policies have undergone some major 
tumult. The SELinux software itself merely provides the infrastructure for 
policy enforcement, and you'll need to put together an overall system policy 
in order to use SELinux. It seems that there were several major attempts at 
putting together an SELinux policy infrastructure, so whenever you come 
across some documentation on the web, you have no idea of what specific 
SELinux policy infrastructure it's talking about. And, of course, the 
SELinux policies in Fedora do not appear to have much documentation, and 
there's precious little in there that will tell you how you go about 
defining SELinux policies for any new component, and how the existing 
policies work, vis-a-vis plugging your own stuff in.

As I said, I gave up. Although I was certainly willing to lay down some 
elbow grease, there was absolutely no visible roadmap I could follow, 
whatsoever, so that was the end of it. I'll wait until SELinux documentation 
matures.


