[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: No more selinux-policy-*-sources

smooge gmail com ("Stephen J. Smoogen") writes:

>> Finally, one fundamental problem, probably most users ask them
>> themselves: Is coping with all the issues SELinux causes worth the
>> effort, and does it really help the user?
>> I guess, all Fedora users have been fighting with SELinux at some point
>> in time, but probably nobody or at least very few have seen SELinux
>> preventing damage from a system in real world installations.
> I can say that is false. Yes, I had some problems, but instead of
> turning it off I took the time to learn what it wanted.

I took the time to learn how to write SELinux rules and adopted a system
(e.g. chrooted ntpd, non-FC dhcp relay agent). But after each 'yum upgrade'
which installed a new kernel or a new policy I got lot of policy errors
(new/unknown roles, incompatible labels, time consuming relabels or even
reboots were needed for the policy userspace packages) so that I had to
spent a lot of time to fix SELinux issues.

Finally, I found that it is not worth the trouble and turned SELinux
off. Applications were and are protected by proper configuration,
traditional security measurements (non-root execution, chroots) and
easier to manage security models (Linux VServers).

SELinux is unsuitable for certain tasks (e.g. chroot operations) due to its
broken/non existent kernel API (requiring two filesystems and operating
with pathnames is not very efficient, difficultly/insecure and does not
work in chroots). SELinux seems to have a big performance impact too (I
remember numbers of 5-7% but did not measured them myself).

'cfengine' provides the largest attack vectors in my systems and I do
not see how SELinux can help to protect this program.


Attachment: pgpVrg8OhN1XS.pgp
Description: PGP signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]