Your visual how-to guide for SELinux policy enforcement (opensource.com)

Posted Nov 14, 2013 22:35 UTC (Thu) by Henning (subscriber, #37195)
In reply to: Your visual how-to guide for SELinux policy enforcement (opensource.com) by NightMonkey
Parent article: Your visual how-to guide for SELinux policy enforcement (opensource.com)

In my experience, there is no big amount of time needed to set SELinux up. It is on by default and will not interfere in my daily routines or in any standard software install. I have also seldom felt that SELinux policies are incorrect and, in the few cases they have been problematic, it has been a small task to research and implement a workaround.
There might be some knobs you have to hit or some special directory labeling you have to define as part of installing a certain software (for example an FTP server), but that is very little time spent on SELinux in comparison with the time spent on configuring the rest of the solution and making it secure.
SELinux helps me make sure that everything is working as intended and helps detect corner cases or oddities that might have been flaws or issues not thought of when designing the solution and that is well worth the extra time on SELinux for the few cases when it is needed.

I can agree that poorly designed software can be problematic to lock down but then you almost always have the option of running it unconfined while letting the rest of the system benefit from the extra layer of security.

But, to me, disabling SELinux as a solution is basically the same response as setting the file permissions to 777 when stumbling on a file access problem. It will solve the problem and no time is needed to research it, but there is usually a better and more well confined solution.




Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds