[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20061227221251.GF17785@petra.dvoda.cz>
Date: Wed, 27 Dec 2006 23:12:51 +0100
From: Karel Zak <kzak@...hat.com>
To: Theodore Tso <tytso@....edu>, Arnd Bergmann <arnd@...db.de>,
linux-kernel@...r.kernel.org, Henne Vogelsang <hvogel@...e.de>,
Olaf Hering <olh@...e.de>, "H. Peter Anvin" <hpa@...or.com>
Subject: Re: util-linux: orphan
On Wed, Dec 27, 2006 at 03:42:13PM -0500, Theodore Tso wrote:
> On Wed, Dec 27, 2006 at 08:18:24PM +0100, Karel Zak wrote:
> > Frankly, it wasn't always easy to use SeLinux in previous FC
> > releases, but there is huge progress and I think it's much better in
> > FC6.
>
> I've never tried SELinux, but at one point there were all sorts of
> horror stories that if you enabled SELinux, the moment you installed
> any 3rd party software packages, whether it's Oracle or Websphere or
> some other commercial application program, the application would break
> because of all sorts of SELinux policy violations, and that it
> required an SELinux wizard to configure SELinux policy to enable a 3rd
> party application to actually work correctly. Given that I tried
> enabling SELinux, witnessed things break spectacularly and with no
> hints about how to fix things, I've always had the attitude of "life
> is too short to enable SELinux", and so my limited experience is
The level of security is always your choice. The real security is
pretty expensive and you have to invest your time to make your system
really safe. IMHO people who provides simple and cheap solutions are
liars or marketing-agents or both.
For example for my laptop is it true that "life is too short to
enable SELinux", but it's probably not true for servers in the bank where
I have money. (I hope so:-)
> consistent with all of the horror stories that I've heard.
>
> It sounds like SELinux has gotten better, according to your
I'm really occasional selinux enduser only. So don't ask me for
details.
> description. Will handle arbitrary 3rd party software without running
> wild, or is it still the case that the moment you want anything other
> than software that was shipped with the distribution, it's "abandon
> all hope, all ye who enter here"?
There is possible customization of the existing selinux policy. You
can generate a new loadable policy module from system audit logs (see
audit2allow util). In the other words -- your system in the permissive
mode is monitoring your 3rd party software and from the logs you can
generate new selinux rules. And when you switch system to the
enforcing mode the application should be run as expected with your
new rules.
Karel
--
Karel Zak <kzak@...hat.com>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists