by chousuke 3984 days ago
I can't say what you were trying to do, but I've had to set up SELinux several times, and it's always been a fairly simple iterative process:

1. enable permissive mode

2. test application

3. check audit logs for any complaints

4. if no complaints, you're done. enable enforcing mode and test again.

5. otherwise, evaluate the complaints and fix the issues, either by tuning fcontexts (often, a simple path equivalency is enough if you're installing things on nondefault paths, as is common) or by creating a custom policy module (audit2allow helps), then go to 2.

It's work you should do anyway. Securing an environment is part of setting it up.
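The permissive-then-fix loop above, as an added shell example (not the commenter's code): it reduces constructed AVC denial lines in the audit.log format to the source type, target type, class and permission you need for step 5, then prints the path-equivalency and audit2allow commands. The sample denials, the paths /var/www and /srv/www, and the module name "local" are assumed values.

```shell
#!/bin/sh
# Added example: the permissive -> audit log -> fix loop from the comment.
# The AVC lines below are constructed in the format auditd writes to
# /var/log/audit/audit.log; permissive=1 marks a denial that was logged but not
# blocked, which is what step 1 (setenforce 0) buys you while testing.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.124:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1'

# Step 3: reduce each denial on stdin to "comm source_type target_type class perms".
summarize_avc() {
  awk '/type=AVC/ && /denied/ {
    s = index($0, "{"); e = index($0, "}"); perm = substr($0, s + 2, e - s - 3)
    comm = st = tt = cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
      if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
      if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    print comm, st, tt, cls, perm
  }'
}

# Step 5, fcontext route: give a nondefault install path (assumed: /srv/www)
# the labels of the default one (assumed: /var/www), then relabel it.
fcontext_equiv_cmds() {
  printf 'semanage fcontext -a -e %s %s\n' "$1" "$2"
  printf 'restorecon -Rv %s\n' "$2"
}

# Step 5, policy module route: turn the collected denials into a local module.
audit2allow_cmds() {
  printf 'ausearch -m avc -ts recent | audit2allow -M %s\n' "$1"
  printf 'semodule -i %s.pp\n' "$1"
}

# Step 4/5 decision: no denials left means switch to enforcing and test again.
next_step() {
  if [ "$1" -eq 0 ]; then
    echo "setenforce 1"
  else
    echo "fix $1 denial(s), then go back to step 2"
  fi
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
count=$(printf '%s\n' "$SAMPLE_AVC" | summarize_avc | wc -l | tr -d ' ')
next_step "$count"
fcontext_equiv_cmds /var/www /srv/www
audit2allow_cmds local
```

Each summarized line tells you whether the target type is simply a mislabelled path (fix with the fcontext route) or a real interaction the policy must allow (module route).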


The users/sysadmins I've known take the following process:

o Run Application

o Get weird error.

o Google the error, see someone mentioning "This is because of SElinux"

o Google how to "Disable SELinux"

I'm not saying that's what they should be doing, just saying it's what I've observed. What's nice about tame is - there is nothing to enable/disable, it's just part of software.

That's pretty much the definition of lazy. Yes, it's one more thing that needs to be learned, but that is part of the job.

> What's nice about tame is - there is nothing to enable/disable, it's just part of software.

And what's nice about SELinux (if you learn it) is it applies to the system and everything running on it, whether or not it's been written for it. You can even put it in a logging-only mode and use those logs to generate the needed policies. SELinux will tell you what is going on.

What you point out as nice about tame() means that nothing will use it except what is in the core of OpenBSD.

Completely agree with you that SELinux is a better general solution, applies to a broader community of software, and that users, and certainly sysadmins, should take the time to understand how it works, generate policies for the software they use, and take advantages of the security that it provides.

Years ago, when I was trying to simply grok selinux, I ran into the dontaudit rules. That was a very frustrating, hair-pulling day. I had, and have, no problem disabling selinux to this day.