It is not that complex
Posted Sep 23, 2004 21:49 UTC (Thu) by erich
Parent article: An introduction to SELinux
It isn't that complex.
Granted, the tools could need a bit of polishing. For example, when installing the initial policy, it will ask you for several dozen files whether you want to install them. For example, you will be asked if you want to install "bind.te" and "bind.fc" (type enforcements and file contexts).
For most apps, such files have been written and work.
The more applications you run, the more rule sets you'll have to write on your own. Well, not totally on your own. There are a dozen macros which will do most of what you need. So you end up writing single-liners which could be translated to English as "allow application foo to read files of type foo_static_data".
Hell, this is not that complex. A real MAC approach can't get much easier.
It's just the syntax that sucks. But I guess if they had used Perl macros to generate the config files, a different part of the users would complain.
(And you are free to use different tools to generate your rule files)