A great article on why to use SeLinux

Marko Vojinovic vvmarko at panet.co.yu
Sun Mar 2 13:16:23 UTC 2008


On Saturday 01 March 2008 19:43, Konstantin Svist wrote:
> Bruno Wolff III wrote:
> >
> > Yes there are tools to allow new rules to be added. There is at least
> > a command line tool to do this; I am not sure about a GUI tool.
>
> Yeah, but if I don't understand how any of it works, it's just as useful
> to me as the car keys are to a monkey.
[snip]
> The average Joe won't even go this far - in other words, he won't
> understand how to work with it - meaning it's NOT suited for desktops.

It isn't important to understand how it works, but what it does. I see regular 
woes about selinux here on the list, mostly from people who didn't bother to 
read the manuals (myself included for one thread). Just do

man semanage, man chcon, man restorecon

and find out that the whole thing behaves just as another layer of file 
permissions.

Windows converts are complaining about "those stupid permissions thing", and 
after a while they come to understand that it is actually a very useful 
concept. Old-school Linux people are complaining about "that stupid selinux 
thing", and after a while they also come to a similar conclusion --- selinux 
is very useful, and it is no harder to configure than traditional unix file 
permissions. At least I came to that conclusion. :-)

Let's face it --- once upon a time we all needed to invest some energy to 
learn what chown, chgrp and chmod are for, and how to use them. Now we simply 
need to do the same for chcon. There is a learning curve for chcon like there 
was for the other ch* commands, but it pays off in the end. And I hope that 
soon enough selinux will become locked into enforcing mode with no ability to 
be shut down, just like ordinary permissions are impossible to turn off. Not 
running selinux should be considered a security risk in complete analogy with 
not having permissions implemented on a system.

It's the same thing. Learn how to manage it, discipline yourself and live with 
it. Otherwise, turn off selinux, turn off iptables, log in as root, and pray 
that your system doesn't get compromised, like Windows users.

My 2 cents... ;-)

Best, :-)
Marko
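An added example (not part of Marko's post, nor Fedora's own tooling) showing the "extra layer of file permissions" he is talking about, using exactly the commands he points at: ls/stat to read a label, chcon to change it the way chmod changes mode bits, and semanage fcontext plus restorecon to make the change survive a relabel. The path /srv/www, the type httpd_sys_content_t and the function names are assumptions chosen for illustration; the script refuses to touch anything on a host where SELinux is not available.

```shell
#!/bin/sh
# Added example, not from the original post. Shows the file-labelling side of
# SELinux with the tools the post names. /srv/www and httpd_sys_content_t are
# assumptions for illustration; the helpers return 2 ("skipped") on hosts
# without SELinux so the script can be sourced or run anywhere.

# Return 0 if SELinux is present and not disabled, 1 otherwise.
selinux_available() {
    command -v getenforce >/dev/null 2>&1 || return 1
    [ "$(getenforce 2>/dev/null)" != "Disabled" ] || return 1
    return 0
}

# Print the SELinux type of a path (third field of user:role:type:level),
# e.g. "httpd_sys_content_t". Returns 1 when SELinux is unavailable.
selinux_type() {
    selinux_available || return 1
    stat -c %C "$1" | cut -d: -f3
}

# Temporary change, the chmod-style way: takes effect at once but policy
# still records the old label, so restorecon (or a full relabel) undoes it.
temporary_label() {              # temporary_label PATH TYPE
    selinux_available || return 2
    chcon -t "$2" "$1"
}

# Persistent change: record the mapping in policy, then apply it.
# The regex covers the directory and everything below it.
# (-a fails if a rule for that pattern already exists; use -m to change it.)
persistent_label() {             # persistent_label DIR TYPE
    selinux_available || return 2
    command -v semanage >/dev/null 2>&1 || return 2
    semanage fcontext -a -t "$2" "$1(/.*)?" && restorecon -Rv "$1"
}

# Worked run (needs root): a web root outside /var/www. Policy labels a new
# directory there default_t, which httpd is not allowed to read.
demo() {
    dir=${1:-/srv/www}           # assumption: the new web root
    type=httpd_sys_content_t     # the type httpd may read
    selinux_available || { echo "SELinux not available here; nothing to do"; return 2; }
    mkdir -p "$dir"
    echo "before:                        $(selinux_type "$dir")"
    temporary_label "$dir" "$type"
    echo "after chcon:                   $(selinux_type "$dir")"
    restorecon -v "$dir"         # policy still says default_t, so chcon is lost
    echo "after restorecon (chcon lost): $(selinux_type "$dir")"
    persistent_label "$dir" "$type"
    echo "after semanage + restorecon:   $(selinux_type "$dir")"
}

# Run the demo only when asked: sh selinux_labels.sh run [DIR]
case "${1:-}" in
    run) shift; demo "$@" ;;
esac
```

The point of the chcon/restorecon round trip is the one that catches most people: chcon is the quick fix that disappears on the next relabel, and semanage fcontext is what makes the label part of the policy, in the same way that a chmod is only as durable as whatever later resets the mode bits.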
More information about the fedora-list mailing list