SELinux

Takehiko Abe keke at gol.com
Mon Aug 30 04:29:51 UTC 2010


 >> I would advise Patrick to disable Selinux. I've made that decision
 >> long ago because it gives me more problems when enabled that I can
 >> possibly solve. IMHO the user interface is so bad that selinux is
 >> unuseable for an ordinary enduser.
 >
 > So what is the purpose of SELinux ?

Theodore Tso put it very well:
http://lwn.net/Articles/252892/

|    In some environments, say if you are creating a system that will
|    handle classified data for the U.S. government, there are formal
|    requirements that your employer, the NSA, sign off on the
|    solution.  This allows the NSA to force the application
|    programmers and end users to make the tradeoff tilt very much
|    against convenience in favor of security.  And given the threat
|    models and capabilities of the adversaries involved, that's
|    probably appropriate.
|
|    But that's not necessarily appropriate for all users.  SELINUX is
|    so horrible to use, that after wasting a large amount of time
|    enabling it and then watching all of my applications die a
|    horrible death since they didn't have the appropriate
|    hand-crafted security policy, caused me to swear off of it.  For
|    me, given my threat model and how much my time is worth, life is
|    too short for SELinux.

And JWZ:

     http://jwz.livejournal.com/719608.html


More information about the users mailing list