Re: A great article on why to use SeLinux



On Saturday 01 March 2008 19:43, Konstantin Svist wrote:
> Bruno Wolff III wrote:
>
> > Yes there are tools to allow new rules to be added. There is at least
> > a command line tool to do this; I am not sure about a GUI tool.
>
> Yeah, but if I don't understand how any of it works, it's just as useful
> to me as the car keys are to a monkey.
> [snip]
> The average Joe won't even go this far - in other words, he won't
> understand how to work with it - meaning it's NOT suited for desktops.

It isn't important to understand how it works, but what it does. I see regular
woes about selinux here on the list, mostly from people who didn't bother to
read the manuals (myself included for one thread). Just do

man semanage, man chcon, man restorecon

and find out that the whole thing behaves just like another layer of file
permissions.

Windows converts are complaining about "those stupid permissions thing", and
after a while they come to understand that it is actually a very useful
concept. Old-school Linux people are complaining about "that stupid selinux
thing", and after a while they also come to a similar conclusion --- selinux
is very useful, and it is no harder to configure than traditional unix file
permissions. At least I came to that conclusion. :-)

Let's face it --- once upon a time we all needed to invest some energy to
learn what chown, chgrp and chmod are for, and how to use them. Now we simply
need to do the same for chcon. There is a learning curve for chcon like there
was for the other ch* commands, but it pays off in the end. And I hope that
soon enough selinux will become locked into enforcing mode with no ability to
be shut down, just like ordinary permissions are impossible to turn off. Not
running selinux should be considered a security risk in complete analogy with
not having permissions implemented on a system.

It's the same thing. Learn how to manage it, discipline yourself and live with
it. Otherwise, turn off selinux, turn off iptables, log in as root, and pray
that your system doesn't get compromised, like Windows users.

My 2 cents... ;-)

Best, :-)
Marko

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


