[Techtalk] Fedora Core 3 and SELinux

Matthew Miller mattdm at mattdm.org
Wed Nov 10 01:39:34 EST 2004


On Tue, Nov 09, 2004 at 08:06:58AM +1100, Kathryn Andersen wrote:
> > There are several valid reasons to not like SELinux.
> I'm curious to find out what these other reasons are...

Fair enough. :)

First, there's the performance hit that Wim mentioned. The SELinux people
say it's somewhere around 7%.

There's also some patent concerns -- as I understand it, the people
contracted to work on the project originally actually have some patents on
the technology involved, and they've stated that SELinux infringes but that
they'll look the other way -- *not* that there's a patent license of any
sort. Something may have been resolved here since I last looked, and the
patents in question are old and do expire in a couple of years -- but still,
a concern.

My main complaint, though, is that it's way too complicated. Any security
feature which any accomplished sysadmin can't grok in 15 minutes should be
looked at with suspicion. And it took me a lot longer than that to
understand the basics, and I'm pretty sure I'm not actually up to 'grok'
level yet.

This is partly an issue with the documentation -- there's plenty of room for
someone to write a nice easy-to-read primer. But it's also intrinsic -- the
policy definition files are _not_ learner-friendly.

And it's a concern beyond just learning. Even someone who knows what
they're doing would need to read the policies on a given system to
understand what's going on. It's a lot worse than, say, reading a
complicated iptables filter [1]. That's not good for a security feature --
transparency is important.

And finally, I find the standard implementation of various names with
underscore_letter (like "user_r") to be really ugly. And I think "hey,
you're making my elegant Unix system look gross" is a pretty legitimate
complaint.


....

[1] although I guess not as bad as sendmail.cf.
 

-- 
Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>

