On Tue, 20 Mar 2018 13:07:12 +0100
hw <hw at gc-24.de> wrote:

...
> So what do you really gain from selinux, and is that worthwhile all
> the trouble and the hours spent to fix the problems it creates? What
> about the impact on performance?

The main feature is that lots of software is indeed confined (even
though your normal login or desktop remains unconfined).

This is exactly what happens to exim in your case. It is exim_t not
unconfined_t which means when/if it goes crazy (or is exploited) the
damage can be limited.

For some people it's also useful that it provides the ability to define
user types (see "semanage user --list").

/Peter K
On 03/20/2018 01:42 PM, Peter Kjellström wrote:
> On Tue, 20 Mar 2018 13:07:12 +0100
> hw <hw at gc-24.de> wrote:
>
> ...
>> So what do you really gain from selinux, and is that worthwhile all
>> the trouble and the hours spent to fix the problems it creates? What
>> about the impact on performance?
>
> The main feature is that lots of software is indeed confined (even
> though your normal login or desktop remains unconfined).
>
> This is exactly what happens to exim in your case. It is exim_t not
> unconfined_t which means when/if it goes crazy (or is exploited) the
> damage can be limited.

which is what access rights are for

> For some people it's also useful that it provides the ability to define
> user types (see "semanage user --list").

How is this useful? It makes things much more complicated and more
unmanageable. It still doesn't allow me as a user to make it so that a
program I'm running can only access the files I want it to access. Why
isn't that a common thing for users to do? Gimp doesn't need to have
access to my emails and fvwm doesn't need to access anything but its
configuration, etc. Since those are common things, why doesn't selinux
do it --- and in such a way that it is easy to manage?
On Tue, 20 Mar 2018, hw wrote:
> which is what access rights are for

Yes and no. You can run firefox and let it download files into the
Downloads directory, but not elsewhere. You can run apache on port
80/443 but not let it open up a different port. You can stop apache
reading files outside of its webroot even though they're readable by
all users. You can't do all that with simple file permissions.

> It still doesn't allow me as a user to make it so that a program I'm
> running can only access the files I want it to access. Why isn't that
> a common thing for users to do? Gimp doesn't need to have access to my
> emails and fvwm doesn't need to access anything but its configuration,
> etc. Since those are common things, why doesn't selinux do it --- and
> in such a way that it is easy to manage?

You want a *user* to be able to confine applications in this way, not an
administrator?

jh
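The point Peter makes (exim runs as exim_t, not unconfined_t) and the confinement examples jh lists can be checked on a host by looking at the SELinux domain of each running process. The script below is an added example, not written by anyone in this thread: it reads `ps -eZ`-style output (a constructed sample is embedded so it runs without SELinux; on a real system replace it with `ps -eZ | sed 1d`) and reports which processes are running in the unconfined_t or unconfined_service_t domains, i.e. the ones SELinux is not actually limiting, plus the domain of a named daemon such as exim. Process names, PIDs and contexts in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example: audit which processes SELinux really confines.
# SAMPLE_PS is a constructed stand-in for `ps -eZ | sed 1d`
# (columns: LABEL PID TTY TIME CMD).
SAMPLE_PS='system_u:system_r:init_t:s0 1 ? 00:00:02 systemd
system_u:system_r:exim_t:s0 812 ? 00:00:00 exim
system_u:system_r:httpd_t:s0 901 ? 00:00:01 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1503 pts/0 00:00:00 bash
system_u:system_r:unconfined_service_t:s0 1601 ? 00:00:00 custom-agent'

# Print "PID CMD TYPE" for every process whose SELinux type is an
# unconfined domain. The label is user:role:type:level, so the type is
# the third colon-separated field (the level may itself contain colons,
# which is why we do not simply take the last field).
unconfined_procs() {
    printf '%s\n' "$SAMPLE_PS" | awk '{
        split($1, ctx, ":")
        type = ctx[3]
        if (type == "unconfined_t" || type == "unconfined_service_t")
            print $2, $NF, type
    }'
}

# Print the SELinux type (domain) of the first process whose command
# name matches $1, or "-" if no such process is listed.
domain_of() {
    printf '%s\n' "$SAMPLE_PS" | awk -v cmd="$1" '
        $NF == cmd { split($1, ctx, ":"); print ctx[3]; found = 1; exit }
        END { if (!found) print "-" }'
}

echo "Processes running in unconfined domains:"
unconfined_procs
echo "exim runs as: $(domain_of exim)"
```

Anything listed by `unconfined_procs` gets no benefit from the policy if it is exploited, which is the practical meaning of Peter's remark that a normal login stays unconfined while daemons like exim do not. A daemon showing up as unconfined_service_t is a good candidate for writing or enabling a policy module.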