SELinux - a call for end-of-life.

JB jb.1234abcd at gmail.com
Wed Sep 1 19:54:47 UTC 2010


Marko Vojinovic <vvmarko <at> gmail.com> writes:

> 
> On Wednesday, September 01, 2010 18:29:13 JB wrote:
> > Please feel free to add some thoughts to my modest idea of the future
> > concept of security.
> 
> Since you are apparently serious about this, let me try to help a little 
> (remember, you asked for it!  ...):
> 

Thanks. It was my intention to induce a reaction to my post.
Your opinion is appreciated, regardless of whether friendly or not :-)
Remember, we do it here not only for ourselves, but for other people who are
sitting on the fences as well ...

> 
> > - it should be configurable:
> >     - by sys admin and user (selectively)
> 
> Any system-wide configuration is done by root, or delegated by sudo. SELinux 
> is not different here than any other security system in Linux.
> 

I meant an option for a user to be able to select granularity of diagnostics.
There could be more user customization - we would let the users speak.

> ... 
> >     - dynamically
> 
> I am not sure what you mean by this, because "dynamics" in general refers to 
> "changing in time", which is already covered above.
>

Not exactly.
I meant like changing config on demand (in the spirit of on-demand/dynamic
loading of config modules, libraries, etc), with an immediate effect, w/o
additional steps (daemon restarts to reread config files, etc).

> ...
> > - it should be self-contained, installable and removable at any time,
> > without influencing the system
> 
> No serious security system can run entirely in userspace, they are all 
> implemented in the kernel. Standard UNIX permissions, firewall, SELinux, you 
> name it. That said, SELinux and firewall can be enabled/disabled by root on a 
> whim, while with the permissions system it is far from easy (to disable it one 
> would need to do a filesystem-wide chmod and chown, while reenabling it 
> afterwards is almost impossible).
> 

Have you seen how many people asked about it (hint: search Google)?
Why do these pesky, little, *%#@$?! bugs want to do it?
Can you remove SELinux as a package (not disable), completely and safely?
How about all related packages?
# rpm -qa | grep -i selinux
libselinux-python-2.0.90-5.fc13.i686
selinux-policy-targeted-3.7.19-51.fc13.noarch
selinux-policy-3.7.19-51.fc13.noarch
libselinux-2.0.90-5.fc13.i686
libselinux-utils-2.0.90-5.fc13.i686

Try it:
# yum remove *selinux*

Btw, you omitted other reasons people feel funny about this software. They
expressed their feelings in various posts here. I doubt very much that you
can change people's opinion (however irrational it may be) when it is based 
on their ideological/philosophical grounds.

Thanks for sharing your opinion with us.
JB



