SELinux Understanding
Sam Varshavchik
mrsam at courier-mta.com
Fri Oct 12 22:52:34 UTC 2007
Karl Larsen writes:
> While reading the man selinux I found the part that makes me think
> that this software may not be ready for a desktop user. Here it is:
It's not. Some time ago I made a good-faith effort to put together an
SELinux policy for ivtv and mythtv.
I gave up.
Let's begin with a complete lack of any usable documentation that comes with
the SELinux package itself. And the documentation on the web not just wasn't
helpful, it was pretty clear that SELinux is a long way from maturing.
NSA's original documentation wasn't too bad, you could follow it along.
After reading it a couple of times, you can get a fairly good grasp of
what's going on. But the real problem is that, it seems, over the last
couple of years, the stock SELinux policies have undergone some major
tumult. The SELinux software itself merely provides the infrastructure for
policy enforcement, and you'll need to put together an overall system policy
in order to use SELinux. It seems that there were several major attempts at
putting together an SELinux policy infrastructure, so whenever you come
across some documentation on the web, you have no idea of what specific
SELinux policy infrastructure it's talking about. And, of course, the
SELinux policies in Fedora do not appear to have much documentation, and
there's precious little in there that will tell you how you go about
defining SELinux policies for any new component, and how the existing
policies work, vis-a-vis plugging your own stuff in.
As I said, I gave up. Although I was certainly willing to lay down some
elbow grease, there was absolutely no visible roadmap I could follow,
whatsoever, so that was the end of it. I'll wait until SELinux documentation
matures.