First SELinux impressions
Posted Apr 8, 2004 17:49 UTC (Thu) by dac
In reply to: First SELinux impressions
Parent article: First SELinux impressions
The complexity is a direct result of Linux being complex. There are over 30 object classes (e.g., files, dirs, sockets, etc.) with each one having some subset of the over 120 possible permissions. There is certainly a trade off in providing a system with the granularity to control every single permission for every object class.
SE Linux does not "leave gaping holes" no matter how misconfigured. An SE Linux policy that is wide open and allows all processes access to all objects is no worse than that system would be without SE Linux.
I think the immediate impact it can have on hardening a server is a big benefit. I agree with you somewhat from the perspective of desktop users trying to get a handle on the complexities.
to post comments)