No more selinux-policy-*-sources

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Tue Mar 14 20:35:06 UTC 2006


smooge at gmail.com ("Stephen J. Smoogen") writes:

>> Finally, one fundamental problem, probably most users ask them
>> themselves: Is coping with all the issues SELinux causes worth the
>> effort, and does it really help the user?
>>
>> I guess, all Fedora users have been fighting with SELinux at some point
>> in time, but probably nobody or at least very few have seen SELinux
>> preventing damage from a system in real world installations.
>
> I can say that is false. Yes, I had some problems, but instead of
> turning it off I took the time to learn what it wanted.

I took the time to learn how to write SELinux rules and adopted a system
(e.g. chrooted ntpd, non-FC dhcp relay agent). But after each 'yum upgrade'
which installed a new kernel or a new policy I got a lot of policy errors
(new/unknown roles, incompatible labels, time-consuming relabels or even
reboots were needed for the policy userspace packages) so that I had to
spend a lot of time to fix SELinux issues.

Finally, I found that it is not worth the trouble and turned SELinux
off. Applications were and are protected by proper configuration,
traditional security measurements (non-root execution, chroots) and
easier to manage security models (Linux VServers).


SELinux is unsuitable for certain tasks (e.g. chroot operations) due to its
broken/non-existent kernel API (requiring two filesystems and operating
with pathnames is not very efficient, difficult/insecure and does not
work in chroots). SELinux seems to have a big performance impact too (I
remember numbers of 5-7% but did not measure them myself).

'cfengine' provides the largest attack vectors in my systems and I do
not see how SELinux can help to protect this program.

Enrico