SELinux - a call for end-of-life.
JB
jb.1234abcd at gmail.com
Wed Sep 1 19:54:47 UTC 2010
Marko Vojinovic <vvmarko <at> gmail.com> writes:
>
> On Wednesday, September 01, 2010 18:29:13 JB wrote:
> > Please feel free to add some thoughts to my modest idea of the future
> > concept of security.
>
> Since you are apparently serious about this, let me try to help a little
> (remember, you asked for it! ...):
>
Thanks. It was my intention to induce a reaction to my post.
Your opinion is appreciated, regardless of whether friendly or not :-)
Remember, we do it here not only for ourselves, but for other people who are
sitting on the fences as well ...
>
> > - it should be configurable:
> > - by sys admin and user (selectively)
>
> Any system-wide configuration is done by root, or delegated by sudo. SELinux
> is not different here than any other security system in Linux.
>
I meant an option for a user to be able to select granularity of diagnostics.
There could be more user customization - we would let the users speak.
> ...
> > - dynamically
>
> I am not sure what you mean by this, because "dynamics" in general refers to
> "changing in time", which is already covered above.
>
Not exactly.
I meant like changing config on demand (in the spirit of on-demand/dynamic
loading of config modules, libraries, etc), with an immediate effect, w/o
additional steps (daemon restarts to reread config files, etc).
> ...
> > - it should be self-contained, installable and removable at any time,
> > without influencing the system
>
> No serious security system can run entirely in userspace, they are all
> implemented in the kernel. Standard UNIX permissions, firewall, SELinux, you
> name it. That said, SELinux and firewall can be enabled/disabled by root in a
> whim, while with the permissions system it is far from easy (to disable it one
> would need to do a filesystem-wide chmod and chown, while reenabling it
> afterwards is almost impossible).
>
Have you seen how many people asked about it (hint: search Google)?
Why do these pesky, little, *%#@$?! bugs want to do it?
Can you remove SELinux as a package (not disable), completely and safely?
How about all related packages?
# rpm -qa | grep -i selinux
libselinux-python-2.0.90-5.fc13.i686
selinux-policy-targeted-3.7.19-51.fc13.noarch
selinux-policy-3.7.19-51.fc13.noarch
libselinux-2.0.90-5.fc13.i686
libselinux-utils-2.0.90-5.fc13.i686
Try it:
# yum remove *selinux*
Btw, you omitted other reasons people feel funny about this software. They
expressed their feelings in various posts here. I doubt very much that you
can change people's opinion (however irrational it may be) when it is based
on their ideological/philosophical grounds.
Thanks for sharing your opinion with us.
JB