Another selinux rant

Andrew Farris lordmorgul at gmail.com
Fri Jan 4 01:52:56 UTC 2008 

Ed Swierk wrote:
> For me learning SELinux seems as pointless as trying to remember
> iptables commands, or AFS trivia back when I was a student--all cause
> me trouble just infrequently enough to ensure I have to relearn them
> from scratch every time. If I were a full-time sysadmin of course it
> would be a different story, but I really don't have the brain cycles
> to remember anything more complicated than chmod and chown, and I
> suspect a large number of accidental sysadmins feel the same.

Selinux is (no argument) something that takes considerable time to start
figuring out... but basically you have to start by realizing nothing is going to
work right if the files aren't labeled as the policy expects them to be.  This
is precisely the same situation you have when file permissions are wrong and
nothing will work until you fix them (selinux policy is really just a more
complicated permissions system for who can use files and for what purpose).

When you started out with unices the permissions system probably took time but
it eventually sank in -- so will selinux unless you continue to ignore it.  Just
food for thought... I'm sure everyone knows it takes time, the question becomes
'is it important' and alot of people feel the answer is yes.

As the policies improve selinux will become hardly more complicated for general
use as chmod itself is... proper policy + proper label = just works.  Obviously
both of those need to be in place and are in progress; so disable it when you
must now but if you just ignore it long term its to your detriment.  Set it
permissive at minimum and keep the denial log messages for additional security
review if/when you really need it.  And finally, the ability to disable it is in
the distro precisely so that you can (so why the rant? you want to be forced to
enable it instead? you feel everyone should install without it enabled by
default forever and ever? you feel that selinux should disable itself when you
get denials that prevent you doing what you want? uhm that won't do).

-- 
Andrew Farris <lordmorgul at gmail.com> <ajfarris at gmail.com>
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----

More information about the fedora-devel-list mailing list