James G. Sack (jim) wrote:
> I haven't come to grips with SELinux yet (though I suspect I eventually will), but I heartily concur with the statement about root.

I don't. I'm a seasoned systems admin, and I log in as root. I always have. I always will. SELinux may be great for some things, for the ultra-paranoid, and the necessity for things to be ultra-secure, but honestly, in the real world 99% of the functionality just isn't needed if you set your system up properly, with sane configurations and an appropriate firewalling scheme.

> Sample argument: I have finally come to appreciate the value of the /var/log/secure in documenting system changes. Real Soon Now (tm), I'm going to get these records into a database, so that I won't be so upset next time I have to undo or redo something (like reconfigure after an upgrade).

> Uhhh, (confession) I still use a root shell, but just for looking at stuff -- I swear!

I use mine for configuration, viewing log files, editing files owned by root, etc. I can't be bothered to type 'sudo blah' before every command I intend to execute as root (the main reason is that I despise entering my password -- sure, you can configure ... NOPASSWD: ALL in /etc/sudoers, but come on, how *insecure* is that?!)

> OK, you Wise-Old-Wizards go ahead and have your smug smile. I'm finally starting to 'get it'.

Considering myself a "wise-old-wizard," perhaps I should prefix "stubborn" to that.

Security, like most things, is all relative. You only employ as much as you need. If your "security" is getting in the way and not affording you any more protection than without, then it's a bad setup. End of story. SELinux, in a lot of cases, is complete overkill. Don't get me wrong, I'm glad it's there, and it does prove useful in certain situations, but I can't *ever* see myself running a home machine without a root user, or with SELinux even enabled, for that matter.

SELinux provides ACL-like ability for ext3 filesystems. If ext3 did something standard, and, oh, supported POSIX ACLs, then a good half of what SELinux does in a lot of cases is moot.

I dunno, I just can't get excited about it. It's going to be one of those schemes that pisses me off more often than not, and I don't like that kind of thing getting in my and my users' ways.

-kelsey


--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
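The message above mentions the `NOPASSWD: ALL` sudoers setting as the kind of shortcut an admin reaches for to avoid typing a password. As an added example (not code from the thread or from its participants), the script below audits a sudoers-format file for exactly that pattern, so a defender can spot blanket password-less root grants and distinguish them from narrowly scoped ones. The sudoers content is constructed here for the demonstration; the function names and the file path are assumptions, not anything the list post describes.

```shell
#!/bin/sh
# Added example: flag sudoers rules that grant NOPASSWD for the command list ALL.
# The sample below is constructed for this demo and describes no real host.
SAMPLE_SUDOERS='# constructed sample sudoers content
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
# blanket password-less root: the setting the thread calls insecure
kelsey  ALL=(ALL)       NOPASSWD: ALL
# scoped alternative: password-less, but only for one fixed command
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync
'

# Print every non-comment line whose NOPASSWD grant covers ALL commands.
# $1: path to a file in sudoers syntax (assumed argument)
find_nopasswd_all() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -E 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)'
}

# Print the number of such lines (prints 0 when there are none).
count_nopasswd_all() {
    find_nopasswd_all "$1" | grep -c . || true
}

# Stand-alone demo: write the constructed sample to a temp file and audit it.
demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_SUDOERS" > "$tmp"
    echo "Rules granting NOPASSWD: ALL"
    find_nopasswd_all "$tmp" || true
    echo "Count: $(count_nopasswd_all "$tmp")"
    rm -f "$tmp"
}
demo
```

On a live system the same functions can be pointed at `/etc/sudoers` and the files under `/etc/sudoers.d/`; any edits should still go through `visudo`, which checks the syntax before the file is saved. The `backup` line in the sample shows the trade-off the post alludes to: `NOPASSWD` on a single command keeps the convenience for one job without handing out an unrestricted root shell.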
