A great article on why to use SeLinux

Konstantin Svist fry.kun at gmail.com
Sat Mar 1 00:42:34 UTC 2008


klybear wrote:
> On Thu, 28 Feb 2008 09:31:05 +0900, John Summerfield wrote:
>
>> The only penetrations I've seen arrived by ssh. I don't think selinux
>> would have helped there; the sorts of restrictions I can think of would
>> also prevent the user from doing what users ought to be able to do, such as
>> download stuff (including email), send email and so forth.
>
> I'm a new full-time linux user, having temped with one or two distros in
> the past, and I have to say that my experience of selinux has been
> frustrating. I never had any Selinux issues with Ubuntu or Debian, but
> since using Fedora, three of the four problems I've solved so far turned
> out to be related to selinux permissions, and the fourth one I'm still
> working on :)
>

Although this is an unpopular opinion on this list, I have to second it.
So far, I've tried selinux ~3-4 times, and every time it has been a big
PITA:
Until my latest attempt, something refused to work altogether, so I
turned it off (that was back in the FC6 days and earlier). Granted, I
sometimes choose weird options (reiserfs) and/or install binary
drivers (fglrx, ipw3945, etc...), but that's what users are expected to
do (philosophy aside).

Then I read up on it a little and decided to give it another try
with FC8. After install, everything seemed okay (only because nothing
was configured yet). It was only after I started to set up my stuff that
I started getting a bunch of errors.
After a few hours, I set it to warning-only mode (permissive?) and
started collecting the errors.
People mentioned on this list that selinux errors are fixed really fast
- so I decided, why not submit a few into redhat bugzilla?

I had submitted 10 selinux-related bugs in November, and there are still
4 being worked on (3 of which are still marked as NEW).

- 2 of my 10 have been rejected:
 * 1 as CANTFIX -- because, apparently, setroubleshoot is not meant to be
read by mere mortals
 * 1 as NOTABUG -- my fault for installing a compiled version of wine
instead of the yum'd version (which was pretty far behind)

- 3 of them have been [sort of] fixed:
 * 1 as CURRENTRELEASE
 * 1 as VERIFIED -- not sure why it's not closed, even though I've
checked that it works with that date's -testing version of the selinux
rules... maybe it never made it into release?
 * 1 as MODIFIED -- assignee says it's fixed, but I have no way of
verifying it, as the bug happened randomly

- 1 is still at NEEDINFO -- my fault, but I don't really have the time
right now to re-enable selinux and sit around until it finishes
relabeling all my files...


It's true, a few of those got closed pretty quickly -- but it's the rest
that I'm annoyed about.
After a few weeks of waiting (and receiving the same error messages), I
simply turned off selinux altogether.
As far as I'm concerned, it's just not ready for prime time.

setroubleshoot was definitely a step in the right direction, but it's
still extremely hard to understand for the uninitiated. And even when I
understand what's going on, it's still hard to do something about it.



// END_RANT