SELinux
Takehiko Abe
keke at gol.com
Mon Aug 30 04:29:51 UTC 2010
>> I would advise Patrick to disable Selinux. I've made that decision
>> long ago because it gives me more problems when enabled that I can
>> possibly solve. IMHO the user interface is so bad that selinux is
>> unuseable for an ordinary enduser.
>
> So what is the purpose of SELinux ?
Theodore Tso put it very well:
http://lwn.net/Articles/252892/
| In some environments, say if you are creating a system that will
| handle classified data for the U.S. government, there are formal
| requirements that your employer, the NSA, sign off on the
| solution. This allows the NSA to force the application
| programmers and end users to make the tradeoff tilt very much
| against convenience in favor of security. And given the threat
| models and capabilities of the adversaries involved, that's
| probably appropriate.
|
| But that's not necessarily appropriate for all users. SELINUX is
| so horrible to use, that after wasting a large amount of time
| enabling it and then watching all of my applications die a
| horrible death since they didn't have the appropriate
| hand-crafted security policy, caused me to swear off of it. For
| me, given my threat model and how much my time is worth, life is
| too short for SELinux.
And JWZ:
http://jwz.livejournal.com/719608.html
More information about the users
mailing list