I must agree on the documentation / learning curve issue

I really have to agree with Daniel here: When I last tried to get SELinux to work for me, I already knew about some of the concepts behind SELinux, but still, even after two weeks of my spare time (i.e. about 20 hours) of fiddling with it and trying to understand the documentation, I gave up.
I admit, though, that I was trying to understand the policies by building a small policy from scratch for a rather simple application (the app reads some stats from /sys and /proc, accepts a TCP connection and writes the stats out to it). I "succeeded" in denying that application alone from doing anything, while allowing everything else to run without SELinux-enforced restrictions, but that was it.
Oh well. I would love to really understand SELinux to the degree needed to configure it for custom applications, but I didn't have the time to dig into it for long enough, I guess. Or I didn't find the right HOWTOs and docs.

Re: I must agree on the documentation / learning curve issue

You might have wanted to look at sandbox.

My goal was not to have third parties write policies to confine their apps; while that would be nice, that is not my goal. My goal is to have them install their apps and work with others so that their apps will work without requiring SELinux or any other security measure to be disabled.

By default apps that SELinux does not know about should work as an unconfined domain, but if you have a plugin, you need to understand a little about SELinux to make sure your plugin does not break with SELinux in enforcing mode.
