[cap-talk] System overheads - capabilities vs. SELinux (was: Re: Gnu Hurd status? Power box?)
Jed Donnelley
jed at nersc.gov
Mon Mar 24 14:38:11 EDT 2008
On 3/24/2008 10:28 AM, Jonathan S. Shapiro wrote:
> On Fri, 2008-03-21 at 14:58 -0700, Jed Donnelley wrote:
>> Of course the above focuses on system overhead - which is
>> important at some level. However, from my perspective as a
>> systems administrator the SELinux controls have been essentially
>> impossible to support on any but the most trivial canned
>> systems. I know of several administrators who have tried
>> and ultimately been forced to give up when there was just
>> too much admin. overhead created.
>
> Interesting. I've been running SELinux without substantial difficulty
> for five years or so now. It is occasionally necessary to tweak the
> policy -- primarily in response to version drift -- but this is now
> fairly easy to do in a modular way.
That's interesting for me to hear. May I ask what services
you are running on your SELinux system(s?)? Do you have users
logging in to shell access (e.g. via ssh?)? Which Linux
distribution are you using?
Most of our issues have been with integrating services
like Apache with PAM and LDAP and various user facilities
with "automated" administration mechanisms such as CFEngine,
though some also occur in efforts at more automated system
builds (kickstart/jumpstart). Perhaps I should mention
that two of us in a "server" team admin. over 50 systems,
so we are quite sensitive to admin. overhead issues.
My own efforts were only a little less than five years
ago, so I guess we were working with comparable software.
If I could hear a bit more about your experience it might
encourage me or others to try again. Thanks for any thoughts
you might have time to share.
When you say that "tweak"ing policy in response to version
drift is now fairly easy to do in a modular way, can you
be more specific? How?
I wonder if there is an SELinux list where people discuss
such issues? Anybody know of one? That might be an interesting
place for me to check in.
--Jed http://www.webstart.com/jed/
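As an added illustration, not part of the original thread, of what a "modular" policy tweak typically looks like on an SELinux system: the script below, written for this edit and assuming nothing beyond the standard AVC record format, does in miniature what `audit2allow` does. It parses a few constructed AVC denial lines (hypothetical Apache-to-LDAP accesses, not taken from the message), collapses them into `allow` rules, and renders a loadable policy module source (`.te`) that can be compiled and installed with `checkmodule`, `semodule_package` and `semodule` without editing the distribution's base policy. The module name `local_httpd_ldap` is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not from the original message). The layout
# follows what auditd records when SELinux blocks an access; here a
# hypothetical httpd process is denied an LDAP connection and a config read.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1206383891.123:45): avc:  denied  { name_connect } for  '
    'pid=2345 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1206383891.456:46): avc:  denied  { read } for  '
    'pid=2345 comm="httpd" name="ldap.conf" dev=sda1 ino=1234 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1206383892.789:47): avc:  denied  { read open } for  '
    'pid=2345 comm="httpd" name="ldap.conf" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

# Pull the permission set, source/target contexts and object class out of an
# AVC record; the "type" field is the third colon-separated component of a
# context (user:role:type:level).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_denials(lines):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC lines.

    Repeated denials for the same (source, target, class) triple are merged
    into one permission set, which is what keeps the generated module small.
    """
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record; ignore
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        rules[(stype, ttype, m.group('tclass'))].update(m.group('perms').split())
    return dict(rules)


def render_te(module_name, rules):
    """Render loadable policy module source (.te) from the rule table.

    The require block declares every type and class the rules reference so the
    module links against the installed base policy instead of modifying it.
    """
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f'module {module_name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f'allow {stype} {ttype}:{tclass} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'


def build_commands(module_name):
    """Shell commands that compile and install the rendered module."""
    return [
        f'checkmodule -M -m -o {module_name}.mod {module_name}.te',
        f'semodule_package -o {module_name}.pp -m {module_name}.mod',
        f'semodule -i {module_name}.pp',
    ]


if __name__ == '__main__':
    denials = parse_denials(SAMPLE_AVC_LINES)
    print(render_te('local_httpd_ldap', denials))
    print('\n'.join(build_commands('local_httpd_ldap')))
```

Two habits keep this from becoming the "admin overhead" the message complains about: review every generated `allow` line before loading it (a denial is sometimes a real misconfiguration rather than a policy gap, and a blanket rule such as `httpd_t` reading all of `etc_t` is broader than the single file that was denied), and where the distribution's policy already exposes a boolean for the access (the reference policy ships one for httpd-to-LDAP connections), flip the boolean with `setsebool -P` instead of shipping a local module.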