| 1 |
> ...until it doesn't, and then what? |
| 2 |
|
| 3 |
The comment was slightly off-topic and mainly pointed towards his |
| 4 |
decision to disable SELinux on a distribution which had enabled it by |
| 5 |
default. On Gentoo, if you enable SELinux, see all of the AVCs and |
| 6 |
decide to nope right out of there, you are making an informed decision |
| 7 |
(by virtue of needing to learn a great deal about SELinux to set it up |
| 8 |
in the first place). |
| 9 |
|
| 10 |
> I could have half-assed it with audit2allow, but security-wise that's a |
| 11 |
> cop-out. |
| 12 |
|
| 13 |
I'm not sure it's a complete cop-out as long as you read the |
| 14 |
suggestions audit2allow is making. The policy you end up with will not |
| 15 |
be ideal and will certainly be full of holes, but at least you are |
| 16 |
somewhat aware of the risk a given service is to your system. |
| 17 |
|
| 18 |
> I'd like to find a middle ground, and it might be Targeted mode (I was |
| 19 |
> attempting Strict). Or, it might be a different system like AppArmor. |
| 20 |
|
| 21 |
Yeah, my ending suggestion was to run in targeted mode (if you wanted |
| 22 |
to bother with SELinux at all) but that mainly serves as a workaround |
| 23 |
for Desktop-oriented stuff. Containers or virtualization are also |
| 24 |
options. |
Archives