selinux is a pain
Alan Cox
alan at lxorguk.ukuu.org.uk
Tue Sep 20 20:10:46 UTC 2011
> It`s that in the *real world*, getting the immensely-complicated policy
> machinery correct is next-to-impossible. And by correct, I mean
> ``provides security, and never causes unwanted failures of
> applications``.
For the web servers I'm running it was a simple matter of reading the
manual and relabelling the relevant content to indicate if it was web
accessible.
> A properly-configured Linux server, even without SELinux, but with other
> security features like firewalling turned on, is likely secure-enough
> in many environments.
In some perhaps. The big cases it helps are desktop (mostly protecting
against browser stuff) - where it usually just works, and web serving,
where it's most definitely valuable but does mean reading the docs.
Mind you people used to say weak passwords were ok, unencrpyted sessions
were ok, putting . in your path was ok, file permissions were a nuisance
so login as root.
The threat model has changed and continues to evolve.
More information about the users
mailing list