A great article on why to use SELinux

Tom Holroyd tomh at kurage.nimh.nih.gov
Sun Mar 2 13:34:53 UTC 2008


On Sun, 2008-03-02 at 13:16 +0000, Marko Vojinovic wrote:

> It isn't important to understand how it works, but what it does. I see regular 
> woes about selinux here on the list, mostly from people who didn't bother to 
> read the manuals (myself included for one thread). Just do
> 
> man semanage, man chcon, man restorecon

Those are useful pointers, thanks.

> and find out that the whole thing behaves just as another layer of file 
> permissions.

Some of the rules in selinux concern bad programming habits. It's not
quite the same as permissions, because there is a choice; when something
breaks, do I complain to the person who wrote the program? Yes, I
should, but this doesn't solve the problem, it still doesn't work. Or
should I chcon or do some other magic that makes the problem go away?
The problem is still there, though. Yes, I should actually do both of
these things. Of course, in my environment there is a big firewall
around the whole place, and my little network doesn't see these threats.
So it's not quite the same as permissions. It's more, this pile of
software, which we cannot do without, despite that it was badly written
ten or fifteen years ago but with good intent, needs to work please,
now.

Dr. Tom
--
It is nobler to declare oneself wrong than to prove oneself right,
especially when one is right. Only, one must be rich enough to do so.
Thus spoke Zarathustra.



