selinux rant, compressed version (Was Re: kernels won't boot)
David Zeuthen
david at fubar.dk
Thu Jan 3 20:43:26 UTC 2008
On Thu, 2008-01-03 at 14:45 -0500, Dimi Paun wrote:
> On Thu, 2008-01-03 at 14:09 -0500, David Zeuthen wrote:
> > I'm not running SELinux enforcing mode on any of my machines..
>
> That's too bad -- it's hard to gage the usability of a system
> without it on, since it is enabled by default for most people.
Well, the kernel bits of SELinux is great. The user space bits never
ever worked for me; neither as a user, nor RPM package maintainer and
definitely not as an upstream developer of highly modular software that
is designed to be locked down (e.g. hald and it's helper processes)
Some problems from a 50,000 feet point of view
- the policy is way too complicated; really, I think it's kinda futile,
at this point, to attempt to lock down bits that are not even
network-facing.
As a result someone decided "oh, we're just going to let people turn
of it". And this is where we are now. Total cop out. Might as well
not ship it.
Seriously. Just go ahead and look at the policy. No wonder it often
doesn't work given it's so complex.
- the policy is centrally maintained; e.g. the maintainer of the policy
for hald (Dan Walsh) and, hey, all of the policy often have to guess
how to lock things down and often, despite Dan being a great
engineer, these guesses are just wrong. Seriously, no one can blame
Dan for this - you cannot expect a single person to know all the
kinks of all the software in Fedora.
-> Ideally every upstream project can maintain it's own policy. That
has the nice side effect of, gosh, teaching other distributions
about the benefits of MCA.
-> If upstream don't want to include SELinux policy, just include
it as a patch in the RPM
Typical responses:
- "rpm cannot handle SELinux policy": <- bullshit; it's not much
different from other file meta data; do we store file modes and
permissions centrally too? No.
- "uh, then you would have deps on policy": Like, for example, the
policy for hald would depend on the policy for, say, dbus. Not
a problem, the real world contains dependencies already and most
these deps are handled just fine already by the upstream
projects.
I'm not even going to go into the language used for defining policy.
In short, SELinux just doesn't work for me. I'm not denying it may work
well on a tightly-controlled servers where features never change (e.g.
RHEL).
David
More information about the fedora-devel-list
mailing list