Sid S <r030t1@×××××.com> writes:

> your distribution probably comes
> with policies for everything you want to install, anyway...

...until it doesn't, and then what?

I attempted a full conversion a few months back, and was ready to make
some commitment to getting SELinux to work on my personal laptop. I got
as far as Permissive mode, with a firehose of access violations in the
auditd log. I had written a couple of scrappy policies to authorize a
few small one-off violations, with the help of audit2allow, but the
firehose was still gushing.

I use offlineimap for fetching mail, which doesn't have a policy. Now,
if I ever wanted to switch from Permissive to Enforcing, I was required,
as an absolute SELinux n00b, to write a full policy for a non-trivial
mail application. This is when I turned around.

I could have half-assed it with audit2allow, but security-wise that's a
cop-out.

Inevitably, there will always be some program I want to use with no
existing policy, and I'll constantly have this problem.

I realized that my personal workstation is a place I like to try lots of
software (don't we all like that about Linux?), and SELinux can be a big
wet blanket on the fun at any time.

I'd like to find a middle ground, and it might be Targeted mode (I was
attempting Strict). Or, it might be a different system like AppArmor.
--
Erik Mackdanz