Posted Jul 10, 2008 8:50 UTC (Thu) by jschrod
In reply to: Not really
Parent article: SELinux and Fedora
No, the problem of that PostgreSQL denial was not that the admin was unfamiliar with SELINUX and that it doesn't work differently than on plain Linux.
The problem is actually many-fold, and can be nicely illustrated by the example that you cited:
- SELINUX forbids using standard installation schemes. (Here: symlinking the location of a database to a different filesystem while keeping ownerships.) The security-related disadvantage of that standard installation scheme is not obvious, and there is no explanation delivered to the sysadmin why it is done that way and how to mitigate that problem / realize that standard installation scheme with SELINUX.
- The error messages that are caused by SELINUX are worthless for identifying the root cause of the problem. AFAIK, this is a configuration problem, but configuration problems are real problems, too.
- SELINUX documentation is often incomprehensible for experienced Unix sysadmins with many decades of working experience, even if they try hard. IMNSHO, this is not a problem of the sysadmins, this is a problem of SELINUX.
- SELINUX proponents don't accept SELINUX's share of blame, but blame the user instead and imply that he isn't willing to adapt to new ways. And that even if the user tells them that he spent hours or even days trying to work out the new way. In fact, they tell their users that they are dumb. Guess what? Users don't like being (implicitly) called dumb. These proponents don't even seem to see that they alienate potential users with that behaviour and are actually one of the biggest dangers for SELINUX uptake.
Well, my 0.02 EUR on that topic.
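The two concrete complaints in the comment above are the unreadable denial record and the missing recipe for keeping a PostgreSQL data directory on another filesystem. The following script is an added example (not code from the LWN thread, the commenter, or the SELinux project) that decodes a constructed AVC record into one plain sentence and, when the target file carries a label the postgresql_t domain is not allowed to touch, prints the policycoreutils commands that give the new directory the same labels as /var/lib/pgsql via a file-context equivalence rule. Type names (postgresql_t, postgresql_db_t, postgresql_log_t, default_t) are the Fedora reference-policy names; the sample record's pid, inode and timestamp are invented, and the path /srv/pgdata is an assumed example location. Nothing is executed against the live policy; the plan is only printed.

```shell
#!/bin/sh
# Added example: turn an SELinux AVC denial for a relocated PostgreSQL data
# directory into something a sysadmin can act on, and derive the relabel plan.

# Constructed sample AVC record (field layout follows real audit.log lines;
# pid, ino and timestamp are invented).
SAMPLE_AVC='type=AVC msg=audit(1215680000.123:456): avc:  denied  { read } for  pid=1234 comm="postgres" name="PG_VERSION" dev=sdb1 ino=12 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# avc_field LINE KEY: value of "KEY=..." in an AVC record (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: the permission(s) listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# explain_denial LINE: one readable sentence instead of the raw record
explain_denial() {
    printf '%s (%s) was denied %s on a %s labelled %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_field "$1" comm | tr -d '"')" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# relabel_plan LINE NEWDIR: if the denied object does not carry one of the
# PostgreSQL data types, print the commands that make NEWDIR inherit the
# file contexts defined for /var/lib/pgsql (assumed new location: NEWDIR).
# Returns 1 when the labels are already correct, i.e. the cause is elsewhere.
relabel_plan() {
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$ttype" in
        postgresql_db_t|postgresql_log_t)
            echo "target already labelled $ttype; look for a different cause"
            return 1 ;;
    esac
    printf 'semanage fcontext -a -e /var/lib/pgsql %s\nrestorecon -Rv %s\n' "$2" "$2"
}

explain_denial "$SAMPLE_AVC"
relabel_plan "$SAMPLE_AVC" /srv/pgdata
```

On a real system the same decoding is what `audit2why` and setroubleshoot's `sealert` do for you; the point of the script is that the fix for a symlinked data directory is a two-line equivalence rule plus a relabel, not a policy change, and that a denial on an object already labelled postgresql_db_t means the relocated-directory hypothesis is wrong.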