by LinuxBender 3480 days ago
Visibility is good, but I have found SELinux to be rather simple. Most applications can be automatically configured and supported by Ansible with SELinux enabled. Most community Chef cookbooks also support SELinux to some degree (depending on how much you customize things). The default policy is "targeted", which only protects Red Hat supported applications by default. They even added the concept of unconfined users and types, which makes management of the systems even easier. It's when folks try to overlay their custom apps into Red Hat space that they get stuck. Overlaying your apps can be done, but you have to add the appropriate labels via semanage to the system. You can even add these custom rules in your custom RPMs.

If you want to see the original complexity of SELinux, use the MLS policies and remove the unconfined users and types. That is the SELinux that the NSA wrote that folks mentioned here. Dan W. at Red Hat made it significantly easier. Now you can even pass the soft errors from permissive mode into tools like audit2why or audit2allow, which will suggest Booleans you can enable or rules you might create. He also adapted it to support systemd and containers to a degree.
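The workflow the comment describes, as an added example rather than the commenter's own code: an Ansible playbook that keeps the targeted policy enforcing, registers a semanage file-context label for a custom app, flips a policy Boolean, and pipes recent denials through audit2why for review. The path /srv/myapp and the host group are assumptions; httpd_sys_content_t and httpd_can_network_connect are real targeted-policy identifiers.

```yaml
# Added example (not the commenter's code). Confines a custom web app under
# Red Hat's targeted policy instead of disabling SELinux. The app path and
# host group are hypothetical; type and Boolean names exist in the targeted policy.
- name: Label a custom app for the targeted policy and review denials
  hosts: webservers
  become: true
  vars:
    app_root: /srv/myapp               # hypothetical location of the custom app
    app_type: httpd_sys_content_t      # static content readable by httpd_t
  tasks:
    - name: Keep SELinux enforcing with the targeted policy
      ansible.posix.selinux:
        policy: targeted
        state: enforcing

    - name: Record a persistent file-context rule (equivalent of semanage fcontext -a)
      community.general.sefcontext:
        target: "{{ app_root }}(/.*)?"
        setype: "{{ app_type }}"
        state: present
      notify: relabel app root

    - name: Allow httpd outbound connections through a policy Boolean
      ansible.posix.seboolean:
        name: httpd_can_network_connect
        state: true
        persistent: true

    # Permissive-mode workflow: denials are logged, not blocked, and audit2why
    # explains each one and names the Boolean or rule that would resolve it.
    - name: Translate today's AVC denials into explanations
      ansible.builtin.shell: ausearch -m AVC -ts today | audit2why
      register: denials
      changed_when: false
      failed_when: false     # ausearch exits non-zero when nothing matched

    - name: Show suggestions; review them before building a module with audit2allow
      ansible.builtin.debug:
        var: denials.stdout_lines

  handlers:
    # semanage only stores the rule; restorecon applies the labels to the files.
    - name: relabel app root
      ansible.builtin.command: restorecon -Rv {{ app_root }}
```

The file-context rule survives a full relabel, which is what distinguishes it from a one-off chcon; the audit2why output is shown rather than auto-loaded so that overly broad suggested rules can be rejected.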