| 1 |
Sid S <r030t1@×××××.com> writes: |
| 2 |
|
| 3 |
> your distribution probably comes |
| 4 |
> with policies for everything you want to install, anyway... |
| 5 |
|
| 6 |
...until it doesn't, and then what? |
| 7 |
|
| 8 |
I attempted a full conversion a few months back, and was ready to make |
| 9 |
some commitment to getting SELinux to work on my personal laptop. I got |
| 10 |
as far as Permissive mode, with a firehose of access violations in the |
| 11 |
auditd log. I had written a couple of scrappy policies to authorize a |
| 12 |
few small one-off violations, with the help of audit2allow, but the |
| 13 |
firehose was still gushing. |
| 14 |
|
| 15 |
I use offlineimap for fetching mail, which doesn't have a policy. Now, |
| 16 |
if I ever wanted to switch from Permissive to Enforcing, I was required, |
| 17 |
as an absolute SELinux n00b, to write a full policy for a non-trivial |
| 18 |
mail application. This is when I turned around. |
| 19 |
|
| 20 |
I could have half-assed it with audit2allow, but security-wise that's a |
| 21 |
cop-out. |
| 22 |
|
| 23 |
Inevitably, there will always be some program I want to use with no |
| 24 |
existing policy, and I'll constantly have this problem. |
| 25 |
|
| 26 |
I realized that my personal workstation is a place I like to try lots of |
| 27 |
software (don't we all like that about Linux?), and SELinux can be a big |
| 28 |
wet blanket on the fun at any time. |
| 29 |
|
| 30 |
I'd like to find a middle ground, and it might be Targeted mode (I was |
| 31 |
attempting Strict). Or, it might be a different system like AppArmor. |
| 32 |
-- |
| 33 |
Erik Mackdanz |
Archives