SELinux and Fedora

Posted Jul 10, 2008 20:11 UTC (Thu) by sgros (subscriber, #36440)
Parent article: SELinux and Fedora

It's interesting to see how many people claim they are long-time pro Unix admins and they
can't understand SELinux. What's worse, I get the impression that they don't want to learn it. For
comparison, I'm aware of sysadmins that don't want LDAP because they don't understand it and
stick either with text files or at best with some SQL database.

Personally, I believe that SELinux is not the first, and certainly not the last frustration
for a _good_ sysadmin. Each new technology requires a period of learning, and that's
especially true with security technologies whose sole purpose is to _restrict_ users!
Furthermore, as one poster already noted, Unix was simple, but it was when everything was
simpler and there was no Internet and so many attackers, malware and stupid users!

Not to say that SELinux is simple, but it's not rocket science either...

SELinux and Fedora

Posted Jul 11, 2008 0:34 UTC (Fri) by russell (guest, #10458)

Regardless of how good it is, it won't be effective unless people can use it. Technically I'm
sure it's wonderful but the current situation with SELinux is that it's too complicated for
most people (even good sysadmins). It will probably always be too complicated; it was
designed that way and that's a design flaw not easily fixed.

To me it looks like the anti-virus software you see on other platforms. It's a black box you
don't understand but are told you need. It's reactive security, rather than fix the
underlying problem, just fence it off. You are dependent on an external company for security
updates. If it messes with something you need to do, the only option (sometimes) is to
disable it.

SELinux and Fedora

Posted Jul 12, 2008 14:10 UTC (Sat) by kleptog (subscriber, #1183)

I've found SELinux interesting but somehow never worked out how it works. Most of my
experience is unexplained permission denied errors. In the comments there is mention of a
program that will tell you when something was denied by SELinux, which is a huge step forward.
I have got as far as labels being strings and files and processes have them, but how exactly
that leads to the controlling of permissions (the magic ingredient) still eludes me.

From recollection I don't think LWN has ever done an SELinux primer, for example.

I've found an 'SELinux for Dummies' and am quite a few articles in, but the magic ingredient
has not yet been revealed... At this point I'm guessing a database of some sort. I'm hoping at
some point some pseudocode will appear that describes exactly how it works.
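
A simplified model of how process and file labels turn into an allow or deny decision, added here as an example; it is not code from LWN, the commenters or the SELinux project. The rules and labels are constructed, and the model covers type enforcement only: it ignores user, role and MLS constraints and the ordinary Unix permission check that also applies.

```python
# Simplified model of an SELinux type-enforcement decision (not kernel code).
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str

def parse_context(label: str) -> Context:
    """Split 'user:role:type[:level]'; the optional MLS level is ignored here."""
    parts = label.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {label!r}")
    return Context(parts[0], parts[1], parts[2])

def load_policy(text: str) -> dict:
    """Parse 'allow source_t target_t:class { perm ... };' rules into a table
    keyed by (source type, target type, object class)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip().rstrip(";")
        if not line.startswith("allow "):
            continue
        head, perms = line[len("allow "):].split("{")
        source, target_class = head.split()
        target, tclass = target_class.split(":")
        table.setdefault((source, target, tclass), set()).update(perms.strip(" }").split())
    return table

def check(policy: dict, process_label: str, object_label: str, tclass: str, perm: str) -> bool:
    """Default deny: grant only if a rule lists this permission for the type pair."""
    s, t = parse_context(process_label), parse_context(object_label)
    allowed = perm in policy.get((s.type, t.type, tclass), set())
    if not allowed:
        # Constructed message, loosely modelled on an audit denial record.
        print(f"denied {{ {perm} }} scontext={process_label} "
              f"tcontext={object_label} tclass={tclass}")
    return allowed

# Constructed sample rules and labels, for illustration only.
POLICY = load_policy("""
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append getattr };
""")
HTTPD = "system_u:system_r:httpd_t:s0"
CONTENT = "system_u:object_r:httpd_sys_content_t:s0"
LOGFILE = "system_u:object_r:httpd_log_t:s0"
HOME = "unconfined_u:object_r:user_home_t:s0"
```

The table lookup is the whole decision in this model: a request with no matching rule is denied, which is why a file carrying an unexpected label produces a permission error even when its Unix mode bits would allow the access.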

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.