[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Another selinux rant

On Jan 3, 2008 4:29 PM, Ed Swierk <eswierk arastra com> wrote:
> For me learning SELinux seems as pointless as trying to remember
> iptables commands, or AFS trivia back when I was a student--all cause
> me trouble just infrequently enough to ensure I have to relearn them
> from scratch every time. If I were a full-time sysadmin of course it
> would be a different story, but I really don't have the brain cycles
> to remember anything more complicated than chmod and chown, and I
> suspect a large number of accidental sysadmins feel the same.

Well, if it's any consolation, there are those of us who really quite
appreciate SELinux. It's really not that intrusive in targeted mode --
I've been running my workstations in enforcing mode for the past 2
years, and it's only fairly rarely that I find something that's not
working because of SELinux. In these cases, if it's something that I
have to do on a one-off basis, I just do "setenforce 0" and then
"setenforce 1" when I'm done (or just leave it as is until next

Yes, SELinux is very complex, but that's because what it's trying to
do is also very complex. However, it's not insurmountable to learn.
Take it from someone who had to write an SELinux policy -- it took me
a week worth of effort to get to the point where it worked as
intended, but I finally got there. Once you wrap your brain around it,
it's fairly straightforward.

Konstantin Ryabitsev
Montréal, Québec

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]