
Not really

Posted Jul 10, 2008 7:19 UTC (Thu) by nix (subscriber, #2304)
In reply to: Not really by khim
Parent article: SELinux and Fedora

Well, yes, but when it hurts normal admins it has *failed*: that's a false 
positive, because it's blocking someone who is *not* an attacker.



Not really

Posted Jul 10, 2008 7:34 UTC (Thu) by edomaur (subscriber, #14520)

What I think is utterly useless is the way error messages are written. The "access denied"
message doesn't give enough information to really help. Generally speaking, I do not work with
SELinux because it is too much work to do the easy part of securing a server. But when I have
no choice and _must_ use SELinux, one of the first things I do is tag its error messages
with a nice "[SELINUX]" sticker. Much headache can be avoided...

There is also the problem of the complexity of SELinux: OK, this is a very good security
framework, but it is too hard to explain to, and to be used by, a casual sysadmin (which is somewhat
common). If someone doesn't want to be bothered with learning the intricacies of SELinux, he
will just disable the policies, or switch to a distro without SELinux enabled by default.

Not really

Posted Jul 10, 2008 10:16 UTC (Thu) by lysse (guest, #3190)

Heh - can't help thinking of the state of American airports here... perhaps there are a couple too many "security-first" people who would class such high visibility as a success? ;)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds