SElinux

Bruno Wolff III bruno at wolff.to
Sat Apr 8 17:18:30 UTC 2006


On Sat, Apr 08, 2006 at 10:55:37 -0500,
  Robert Nichols <rnicholsNOSPAM at comcast.net> wrote:
> 
> Actually, I agree with you completely.  I've just found SELinux too
> painful to use.  I fought with it a long time in FC-3, almost had it
> working, but never managed to get permissive mode to stay quiet long
> enough to let me go to enforcing mode.  I looked at SELinux in FC-4
> to see what might have changed, but I never really did much with FC-4.
> Now I see that in FC-5 so much has changed that absolutely nothing
> that I learned how to do in FC-3 applies any more.  I'd be starting
> from scratch again.  Sorry, BTDT.  Sure, there are programs I'd like
> to confine, but SELinux just isn't a feasible way to do that unless
> you have an SELinux guru on call to set up and maintain your system.

I had it off in FC3, targeted in FC4, and now with FC5 I am going to try to
inflict mls on myself, on one of my machines.

I like targeted because it makes running publicly accessible daemons
a bit safer (and FC5 adds some other stuff there). However, I do use perl
scripts that need to be able to access a local database server or a remote
site and I keep projects in nonstandard directories, so I need to tweak
contexts. I still haven't figured out the best way to handle not breaking
things after a relabel.

I have both an interest in security and a distrust of commercial software
distributors (in particular game distributors) and would like to take the
next step of not having any unconfined (well, not using the unconfined_t
context) processes. And I figure I might as well go right to using the mls
policy even though I don't have much use for hierarchical security levels
at this time.

But I figure there will be some pain in doing this. I need to learn how to
efficiently get custom modules set up for applications, and need to figure
out how I want to maintain these modules as well as nonstandard file context
settings.
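The relabel problem mentioned above has a standard answer that the message does not spell out: labels set with chcon live only on the inode, so a relabel resets them to the policy default, whereas a rule recorded with semanage fcontext is consulted by restorecon and survives. The following is an added example, not code from the original mail or from the Fedora project; the directory /srv/projects and the type httpd_sys_content_t are placeholders, and the tools referenced are the standard policycoreutils ones (semanage, restorecon, matchpathcon). It emits the commands in dry-run mode by default so they can be reviewed before being run as root.

```sh
#!/bin/sh
# Added example (not from the original message): make the SELinux file
# context of a nonstandard project directory persistent, so that a relabel
# (restorecon, fixfiles, or touch /.autorelabel) restores it instead of
# wiping it out.
#
# Placeholders assumed here: /srv/projects as the nonstandard directory and
# httpd_sys_content_t as the wanted type. Adjust both for the real system.

# Print the semanage rule for DIR ($1) and TYPE ($2).
# "(/.*)?" makes the rule cover the directory itself and everything below it.
fcontext_rule() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
}

# Print the relabel command that applies the recorded rule to DIR.
relabel_cmd() {
    printf 'restorecon -Rv "%s"\n' "$1"
}

# Print the check that shows which context the policy would assign to DIR,
# useful for confirming the rule took effect before trusting a later relabel.
verify_cmd() {
    printf 'matchpathcon "%s"\n' "$1"
}

# Emit (DRY_RUN=1, the default) or execute (DRY_RUN=0, as root) the full
# record -> relabel -> verify sequence for DIR TYPE.
persist_context() {
    dir=$1
    ctx=$2
    for cmd in "$(fcontext_rule "$dir" "$ctx")" \
               "$(relabel_cmd "$dir")" \
               "$(verify_cmd "$dir")"; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd" || return 1
        fi
    done
}

# Dry run with the placeholder values; set DRY_RUN=0 as root to apply.
persist_context /srv/projects httpd_sys_content_t
```

The same approach covers the perl scripts described in the message: give the scripts' directory a rule with semanage fcontext and let restorecon apply it, rather than fixing labels by hand after every relabel. Rules recorded this way are listed by semanage fcontext -l and removed with semanage fcontext -d, so they can be kept under version control alongside any custom policy modules.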

More information about the fedora-list mailing list