A great article on why to use SELinux
Marko Vojinovic
vvmarko at panet.co.yu
Sun Mar 2 13:16:23 UTC 2008
On Saturday 01 March 2008 19:43, Konstantin Svist wrote:
> Bruno Wolff III wrote:
> >
> > Yes there are tools to allow new rules to be added. There is at least
> > a command line tool to do this; I am not sure about a GUI tool.
>
> Yeah, but if I don't understand how any of it works, it's just as useful
> to me as the car keys are to a monkey.
[snip]
> The average Joe won't even go this far - in other words, he won't
> understand how to work with it - meaning it's NOT suited for desktops.
It isn't important to understand how it works, but what it does. I see regular
woes about selinux here on the list, mostly from people who didn't bother to
read the manuals (myself included for one thread). Just do
man semanage, man chcon, man restorecon
and find out that the whole thing behaves just as another layer of file
permissions.
Windows converts are complaining about "those stupid permissions thing", and
after a while they come to understand that it is actually a very useful
concept. Old-school Linux people are complaining about "that stupid selinux
thing", and after a while they also come to a similar conclusion --- selinux
is very useful, and it is no harder to configure than traditional unix file
permissions. At least I came to that conclusion. :-)
Let's face it --- once upon a time we all needed to invest some energy to
learn what chown, chgrp and chmod are for, and how to use them. Now we simply
need to do the same for chcon. There is a learning curve for chcon like there
was for the other ch* commands, but it pays off in the end. And I hope that
soon enough selinux will become locked into enforcing mode with no ability to
be shut down, just like ordinary permissions are impossible to turn off. Not
running selinux should be considered a security risk in complete analogy with
not having permissions implemented on a system.
It's the same thing. Learn how to manage it, discipline yourself and live with
it. Otherwise, turn off selinux, turn off iptables, log in as root, and pray
that your system doesn't get compromised, like Windows users.
My 2 cents... ;-)
Best, :-)
Marko
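As an added illustration (not part of the thread) of the "another layer of file permissions" point made above: a POSIX sh sketch of the check that restorecon -n performs, comparing the type field of each file's security context against the type a file_contexts-style spec assigns to its path. Both the ls -Z lines and the spec are constructed samples, and the matcher is a simplification of libselinux's lookup, not a reimplementation of it.

```shell
#!/bin/sh
# Constructed sample of "ls -Z"-style output (context then path); not real output.
SAMPLE_LS_Z='unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html
unconfined_u:object_r:admin_home_t:s0 /root/.bashrc
system_u:object_r:etc_t:s0 /etc/hosts'

# Constructed, cut-down file_contexts-style spec: "regex expected_type".
# The real file carries full contexts and thousands of entries; this is a stand-in.
SPEC='^/var/www(/.*)?$ httpd_sys_content_t
^/root(/.*)?$ admin_home_t
^/etc(/.*)?$ etc_t'

# expected_type PATH: print the type the spec assigns to PATH, or "unknown".
# In this simplified matcher the last matching entry wins; libselinux's
# specificity rules are not reproduced here.
expected_type() {
    _path=$1
    _type=unknown
    while read -r _re _t; do
        [ -z "$_re" ] && continue
        if printf '%s\n' "$_path" | grep -Eq "$_re"; then
            _type=$_t
        fi
    done <<EOF
$SPEC
EOF
    printf '%s\n' "$_type"
}

# context_type CONTEXT: extract the type (third field) of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_labels: read "context path" lines on stdin and report every file whose
# on-disk type differs from the spec; these are the files restorecon would relabel.
check_labels() {
    while read -r _ctx _path; do
        [ -z "$_path" ] && continue
        _have=$(context_type "$_ctx")
        _want=$(expected_type "$_path")
        if [ "$_have" != "$_want" ]; then
            printf 'MISMATCH %s: %s -> %s\n' "$_path" "$_have" "$_want"
        fi
    done
}

printf '%s\n' "$SAMPLE_LS_Z" | check_labels
```

On a real system the same comparison is `restorecon -nv /var/www/html`, and a file that passes the rwx check but carries the wrong type is exactly the case where the second layer denies what the first layer allowed.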
More information about the fedora-list mailing list