"Many" happy selinux users nowadays

Andy Green andy at warmcat.com
Fri Sep 21 08:44:37 UTC 2007


Somebody in the thread at some point said:
> On Fri, 2007-09-21 at 11:47 +0530, Rahul Sundaram wrote:
>> Ralf Corsepius wrote:
>>
>>> If SELinux was transparently working (Which it doesn't on Fedora on many
>>> situations), nobody would name it "infection".
>> Pretty much every security solution has had a history of such problems.
> Well, then better acknowledge these facts and stop reiterating RH's
> marketing slogans.
> 
> Many Fedora users have had encounters/clashes with SELinux, so at least
> this group of people knows that SELinux has not matured to a stage that
> it is working transparently. We _know_ that SELinux can prevent systems
> from operating, no matter what RH marketing wants to tell us.

Well "many" is hard to quantify compared to using it for "many with
problems" and the completely silent majority I think we will find, of
"many without problems" nowadays.

> acceptable and usable shape. Still you will find many people who switch
> firewalls off, on certain situations (I do so on my home network's
> clients. My server has them turned on).

It's obviously up to you how you deal with that, but I strongly believe
that you can't inherently trust machines on any internal network any
more than those outside.  There was an interesting thread about this on
Full Disclosure the other week with some guy going on about how he would
heroically jump in the way of any foreign "cyber attack" from boxes in
$COUNTRY and lend his powers to repelling it, etc.  A guy replied
shortly pointing out that the attack comes from the machine next to you,
not some easily identified foreign box.  And that is exactly what we see
with worms and viruses.

>>> => This is users complaining about SELinux's usability, based on their
>>> personal experiences with the Fedora implementation.
>> At least in Mike McCarty's case he has no personal experience with it.
>> Users have mixed opinions as always.
>>
>>> If SELinux was such a "terrific and compelling approach", upstream
>>> Linux and other distros would have adopted it _years ago_ with standing
>>> ovations - Fact is: Nobody did.
>>> => This is developers and maintainers having doubts on SELinux.
>> Sure. Technology changes like this take time. Lilo vs GRUB. Static dev 
>> vs udev as other relatively fundamental changes have also taken time for 
>> distributions to adopt.
> Yes, and whether you want to accept it or not, these steps still are arguable.

You have to mix in the level of grief to implement it.  For example
everyone keeps agreeing that the initscripts and especially shutdown can
be made MUCH better, but it's so frightening to take care of everything
with minimal breakage that somehow Fedora doesn't seem to get anywhere
with it (over years).

-Andy