kwan at digitalhermit.com
Tue Aug 31 20:41:36 UTC 2010
On Mon, Aug 30, 2010 at 8:15 PM, JB <jb.1234abcd at gmail.com> wrote:
> Well, if selinux is the best that happened to security since sliced bread, then
> why do people make these comments?
> Overall, the reception to SELinux has been mixed in the Linux community with
> various sys-admins preferring to stay away from it because of the usage issues.
> SELinux is a mystery to a lot of people. During Linux installation, most
> administrators either disable the feature or turn it on without knowing exactly
> what it will do to their systems.
The learning curve is relatively high. When I first deployed it, it
took a couple days of experimentation to get it to where apps weren't
complaining. Once it's done though, it has been pain free. An interesting
note is that if you check through the Bugzillas, there are a few
security errata that SELinux will prevent from being exploitable.
The default configurations are getting a lot better as they now set
the proper contexts. I remember not long ago application
installations would often fail because the firewalls weren't
configured at the same time. SELinux may be the same way. The major
apps are ready, but total acceptance may not happen until the RPM/yum
tools can auto-magically set the proper contexts or at least do some
of the initial grunt work in getting the app to work. It's happening
The audit subsystem is in a similar situation. Initially it was a PITA
to configure. A front-end tool would make things simpler rather than
editing rules directly and may drive acceptance.
The thing is, with heightened PCI awareness and more stringent
requirements, it's only a matter of time. auditd is a requirement.
iptables is a requirement. So is anti-virus, configuration management,
and rigid authentication policies. ACLs will probably become a
requirement. SELinux is required on some systems. Only a matter of
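As an added example that is not part of the original post: a Python triage of the AVC denials behind "apps complaining", grouping them by source type, target type and object class and flagging groups whose target type points at a file that was never labelled for its role (fixable by relabeling) rather than a real policy gap. The audit records, the list of mislabel types and the helper names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the original post): two AVC
# denials for httpd on default_t files, one on user_home_t, one non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1283287296.101:42): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev=sda1 ino=1310 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1283287297.555:43): avc:  denied  { getattr open } for  pid=2211 comm="httpd" path="/srv/www/index.html" dev=sda1 ino=1310 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1283287301.002:44): avc:  denied  { read } for  pid=2211 comm="httpd" path="/home/kwan/site/app.cgi" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1283287301.002:44): arch=c000003e syscall=2 success=no exit=-13
"""

# Target types that usually mean a file was never labelled for its role (copied
# in with cp, created before the policy loaded). Assumed list, not exhaustive.
MISLABEL_TYPES = {"default_t", "user_home_t", "unlabeled_t"}

def field(line, key):
    # key=value or key="value" from an audit record; None if absent
    m = re.search(r'\b' + re.escape(key) + r'=("?)([^"\s]+)\1', line)
    return m.group(2) if m else None

def parse_avc(line):
    """Return the parts of one AVC denial that matter for triage, else None."""
    m = re.search(r'type=AVC .*avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    return {
        "perms": m.group(1).split(),
        "path": field(line, "path"),
        "stype": field(line, "scontext").split(":")[2],  # e.g. httpd_t
        "ttype": field(line, "tcontext").split(":")[2],  # e.g. default_t
        "tclass": field(line, "tclass"),
    }

def summarize(log_text):
    """Group denials by (source type, target type, class) and flag groups whose
    target type points at a mislabeled file (relabel) rather than a policy gap."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "paths": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if not d:
            continue
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["count"] += 1
        g["perms"].update(d["perms"])
        if d["path"]:
            g["paths"].add(d["path"])
    for (_, ttype, _), g in groups.items():
        g["likely_mislabel"] = ttype in MISLABEL_TYPES
    return dict(groups)
```

Groups flagged as likely mislabels are the ones a relabel of the listed paths would clear; the rest are the candidates for an actual policy review.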