On Mon, 30 Aug 2010 21:10:12 +0900, Takehiko Abe wrote:
>> I've had exactly the opposite experience running SELinux, even with
>> hand-compiled applications from a variety of sources - including my
>> own.
> You say "the opposite" but you seem to have a lot of problems and spent
> a fair amount of time because of SELinux. And what do you get in return?
> Nothing except for a vague notion of "security".
I have not spent a large amount of time. Songbird and Mono are the only
two troublesome issues I've had since SELinux has been a part of Red Hat/
Fedora.
I spent 1 hour (and one bug report) on Songbird. I abandoned it because
it ran poorly and had multiple SELinux issues. I did spend a few days off
and on with mod_mono and friends. I finally decided that even if I got
mod_mono running cleanly, any C#.NET programming I needed to do (mostly
Java / .NET integration via SOAP) would be better done on Windows.
The NVidia issue is well known, documented, and actually mostly taken
care of in their install script.
Other minor issues, such as the cron file descriptor leak, are normal
bugs and taken care of pretty rapidly by the maintainers of various
packages.
As far as a vague notion of security, I have to confess I have not
studied SELinux, so I don't know the material in detail. It's on my list
of things to do, but right now I'm in the middle of working on portlets
(JSR 286), and some Tomcat configurations which I hope to write up. There
is just so much time in the day . . .
That being said, one of the particular things that SELinux does that I
like is preventing privileged applications from writing where it is
unexpected. For example, unless you specifically label a directory for
httpd, you'll get an SELinux denial (or a warning if you run in permissive
mode) when httpd tries to read from or write to directories not deemed safe.
If you're developing PHP and using the ~username/public_html option to
get around having to copy things over as root, this can be a bit of a
pain until you label your file system correctly.
However, this is a really valuable warning / denial. Many PHP frameworks
tend to write temporary files. It would be nice to have the system deny
those writes if the files are not in the expected places. Attackers subvert
PHP frameworks all the time. By preventing files from being written to
unexpected places, SELinux makes the attack more difficult and the system
more secure.
I've not had my use of the system hampered or curtailed by SELinux. I'm a
pretty aggressive user. Right now I have an IDE (NetBeans), an editor
(emacs), firefox, thunderbird, gyachi, pan, a shell, streamtuner, and
audacious 2 running as this user. Sometimes I'll also have OpenOffice or
Pencil running. I have Apache and MySQL running in the background, and I
will be starting Tomcat 6.0.18 and Derby for testing soon (my portal
container has issues with Tomcat 6.0.29). I occasionally run IP aliases
to simulate multiple machines. Sometimes I'll fire up Google Earth when
events happen in another part of the world where friends of mine live.
While doing this, I have had absolutely no issue with SELinux. Any small
warning (haven't seen one in over a week) I can usually handle by issuing
the appropriate SELinux command. I always file a bug report so that
people can fix their programs. It's not much that I give back to Fedora
(I spend a lot more time on ASF software), but it's a start.
As another person has said, if a program gives multiple SELinux warnings
and seems to defy any simple attempts at file labeling as a fix, then
maybe it's a poorly written program. If the program maintainers are not
responsive to SELinux problems, then maybe the programmers have too much
on their plates to properly maintain their contributions. In any case,
there are almost always other packages that perform the same tasks
without the SELinux issues.
Of course, you always have the option of turning off SELinux. It's been
my experience that turning off SELinux is not necessary. Personally, I
like knowing when a potentially unsafe operation is happening on my
system. I actually learn a bit about security. I then change my habits
and become a more security-conscious user, programmer, architect, system
administrator.
Learning new stuff is not a bad thing. In fact, it's pretty fun.
. . . just my two cents
/mde/
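The httpd labelling situation described in the post above (a denial when httpd touches a directory that was never labelled for it, such as ~username/public_html), as an added example that is not part of the original message: a small POSIX shell helper that parses an AVC denial line of the kind `ausearch -m avc` prints and suggests the labelling fix, rather than a blanket relabel. The sample audit line is constructed here. The type and boolean names it uses (httpd_t, user_home_t, httpd_user_rw_content_t, httpd_sys_rw_content_t, httpd_enable_homedirs, and so on) are those of the Fedora targeted policy and are assumptions to check against your own release with `seinfo -t` and `getsebool -a`; the helper only prints the suggested commands, it does not run semanage or restorecon itself.

```shell
#!/bin/sh
# Added example (not from the original post): triage an SELinux AVC denial
# for httpd and suggest a labelling fix instead of a blanket relabel.
# Type/boolean names below are assumed from the Fedora targeted policy;
# verify them on your system before applying anything.

# Constructed sample denial in audit.log / `ausearch -m avc` format:
# httpd (httpd_t) tried to write into a directory still labelled user_home_t.
SAMPLE_AVC='type=AVC msg=audit(1283174400.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="cache" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# avc_field LINE KEY -> value of the key=value pair, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_permission LINE -> the permission(s) inside "{ ... }", e.g. "write".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p'
}

# se_type CONTEXT -> the type component (third colon-separated field).
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type permission class target_type"
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(se_type "$(avc_field "$1" scontext)")" \
        "$(avc_permission "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(se_type "$(avc_field "$1" tcontext)")"
}

# avc_fix_hint LINE [PATH] -> suggested commands for the denied path (PATH is
# the directory httpd was denied on; the AVC line itself carries only a name/inode).
# Only web content gets relabelled; anything unexpected stays denied on purpose.
avc_fix_hint() {
    src=$(se_type "$(avc_field "$1" scontext)")
    tgt=$(se_type "$(avc_field "$1" tcontext)")
    perm=$(avc_permission "$1")
    path=${2:-/path/to/content}
    if [ "$src" != httpd_t ]; then
        echo "not an httpd denial; run: ausearch -m avc -ts recent | audit2why"
        return 1
    fi
    case "$tgt" in
        user_home_t|user_home_dir_t)
            # ~user/public_html: needs the homedir boolean plus a user content type.
            case "$perm" in
                *write*|*create*|*add_name*) t=httpd_user_rw_content_t ;;
                *) t=httpd_user_content_t ;;
            esac
            printf "setsebool -P httpd_enable_homedirs on && semanage fcontext -a -t %s '%s(/.*)?' && restorecon -Rv %s\n" "$t" "$path" "$path"
            ;;
        default_t|unlabeled_t|admin_home_t|var_t|usr_t)
            # Content copied from an unlabelled or generic location: give it a
            # persistent httpd label; a writable type only if it really needs writes.
            case "$perm" in
                *write*|*create*|*add_name*) t=httpd_sys_rw_content_t ;;
                *) t=httpd_sys_content_t ;;
            esac
            printf "semanage fcontext -a -t %s '%s(/.*)?' && restorecon -Rv %s\n" "$t" "$path" "$path"
            ;;
        httpd_*)
            echo "target already carries an httpd type; a boolean is probably off: getsebool -a | grep httpd"
            ;;
        *)
            echo "unexpected target type $tgt: leave it denied and investigate (audit2why); do not relabel blindly"
            ;;
    esac
}

# Demo on the constructed sample.
avc_summary "$SAMPLE_AVC"
avc_fix_hint "$SAMPLE_AVC" /home/mde/public_html
```

The point of the `case` on the target type is the one the post makes: a denial on user_home_t under public_html is a labelling job, while a write denial on some random type is exactly the event you want kept denied and looked at. `semanage fcontext` plus `restorecon` is used rather than `chcon` so the label survives the next relabel.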