A great article on why to use SeLinux
Konstantin Svist
fry.kun at gmail.com
Sat Mar 1 00:42:34 UTC 2008
klybear wrote:
> On Thu, 28 Feb 2008 09:31:05 +0900, John Summerfield wrote:
>
>
>> The only penetrations I've seen arrived by ssh. I don't think selinux
>> would have helped there; the sorts of restrictions I can think of would
>> also prevent the user from doing what users ought to be able to do such as
>> download stuff (including email), sending email and so forth.
>>
>
> I'm a new full-time linux user, having temped with one or two distros in
> the past, and I have to say that my experience of selinux has been
> frustrating. I never had any Selinux issues with Ubuntu or Debian, but
> since using Fedora, three of the four problems I've solved so far turned
> out to be related to selinux permissions and the fourth one I'm still
> working on :)
>
>
Although this is an unpopular opinion on this list, I have to second it.
So far, I've tried selinux ~3-4 times, and every time it has been a big
PITA:
Until my latest attempt, something refused to work altogether, so I
turned it off (that was back in the FC6 days and earlier). Granted, I
sometimes chose weird options (reiserfs) and/or installed binary
drivers (fglrx, ipw3945, etc...), but that's what users are expected to
do (philosophy aside).
Then, I've read up on it a little and decided to give it another try
with FC8. After install, everything seemed okay (only because nothing
was configured yet). It was only after I started to set up my stuff that
I started getting a bunch of errors.
After a few hours, I set it to warning-only mode (permissive?) and
started collecting the errors.
People mentioned on this list that selinux errors are fixed really fast
- so I decided why not submit a few into redhat bugzilla?
I had submitted 10 selinux-related bugs in November, and there are still
4 being worked on (3 of which are still marked as NEW)
- 2 of my 10 have been rejected:
* 1 as CANTFIX -- because, apparently, setroubleshoot is not meant to be
read by mere mortals
* 1 as NOTABUG -- my fault for installing a compiled version of wine
instead of yum'd version (which was pretty far behind)
- 3 of them have been [sort of] fixed:
* 1 as CURRENTRELEASE
* 1 as VERIFIED -- not sure why it's not closed, even though I've
checked that it works with that date's -testing version of the selinux
rules.. maybe it never made it into release?
* 1 as MODIFIED -- assignee says it's fixed, but I have no way of
verifying it, as the bug happened randomly
- 1 is still at NEEDINFO -- my fault, but I don't really have the time
right now to re-enable selinux and sit around until it finishes
relabeling all my files...
It's true, a few of those got closed pretty quickly -- but it's the rest
that I'm annoyed about.
After a few weeks of waiting (and receiving the same error messages), I
simply turned off selinux altogether.
As far as I'm concerned, it's just not ready for prime time.
setroubleshoot was definitely a step in the right direction, but it's
still extremely hard to understand for the uninitiated. And when I
understand what's going on, it's still hard to do something about it.
// END_RANT
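The step the post describes, switching to permissive mode and collecting the errors, produces a stream of AVC denial records in the audit log that is hard to read raw. The script below is an added example, not code from the post or from any Fedora or SELinux tool: it groups denials by source domain, target type, object class and permission so that a few hundred lines usually collapse into a handful of distinct patterns, and attaches a hand-written hint about what to check first (a mislabeled file, a boolean, a non-distro binary) before anyone reaches for a custom allow rule. The audit lines are constructed samples in the real `audit.log` format; on a real host you would feed it `ausearch -m avc -ts recent` instead. The domain and type names in the hints (`httpd_enable_homedirs`, `user_home_t`, `lib_t`) are real Fedora policy identifiers, but the mapping itself is this example's heuristic, not policy documentation.

```shell
#!/bin/sh
# Triage helper for SELinux AVC denials collected while in permissive mode.
# Added example, not from the post or from any Fedora/SELinux tool. The audit
# lines below are constructed samples in the real audit.log format; replace
# them with `ausearch -m avc -ts recent` output on a real host.

SAMPLE_AVC='type=AVC msg=audit(1204331000.123:101): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1204331001.456:102): avc:  denied  { read } for  pid=2345 comm="httpd" name="style.css" dev=sda1 ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1204331002.789:103): avc:  denied  { execmod } for  pid=3456 comm="wine" path="/usr/local/lib/libfoo.so" dev=sda1 ino=2222 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1204331002.789:103): arch=c000003e syscall=10 success=yes exit=0'

# summarize_avc: read audit lines on stdin, keep only AVC denials, and emit one
# tab-separated line per distinct (source domain, target type, class, permission)
# with its count, most frequent first. Non-AVC records (SYSCALL etc.) are dropped.
summarize_avc() {
    grep -E 'avc: +denied' | awk '
    {
        perm = ""; s = ""; t = ""; c = ""
        # the permission set sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; the type is what the policy keys on
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        count[s, t, c, perm]++
    }
    END {
        for (k in count) {
            split(k, f, SUBSEP)
            printf "%d\t%s\t%s\t%s\t%s\n", count[k], f[1], f[2], f[3], f[4]
        }
    }' | sort -rn
}

# hint: a small hand-written heuristic (this example's, not from any tool) that
# maps a denial pattern to the first thing worth checking before writing policy.
# $1 = source domain, $2 = target type, $3 = object class, $4 = permission(s)
hint() {
    case "$3:$4" in
        file:execmod)
            echo "execmod on a library means it needs text relocation; typical of a locally built binary (eu-findtextrel shows which); relabel or rebuild it rather than allow execmod" ;;
        file:read|file:open|file:getattr)
            case "$2" in
                user_home_t)
                    echo "a service reading a home directory: check labels with ls -Z, run restorecon -Rv on the tree, or use the boolean meant for it (httpd_enable_homedirs for httpd)" ;;
                *)
                    echo "check the file label with ls -Z; restorecon -v puts a mislabeled file back to its policy default" ;;
            esac ;;
        *)
            echo "run audit2why on the record and compare with sesearch before adding any allow rule" ;;
    esac
}

# report: human-readable summary of stdin, one pattern per entry with its hint.
report() {
    summarize_avc | while IFS="$(printf '\t')" read -r n s t c p; do
        printf '%s x %s -> %s (%s: %s)\n    hint: %s\n' "$n" "$s" "$t" "$c" "$p" "$(hint "$s" "$t" "$c" "$p")"
    done
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | report
```

On the sample this reduces four audit records to two patterns: two `httpd_t` reads of `user_home_t` files (a labeling or boolean question) and one `execmod` from `unconfined_t` on a `lib_t` library (the locally compiled binary case the post mentions). The point of grouping first is that the fix for a whole class of denials is usually one `restorecon` or one boolean, not a policy module per message.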