Sid S <r03...@gmail.com> writes: > your distribution probably comes > with policies for everything you want to install, anyway...
...until it doesn't, and then what? I attempted a full conversion a few months back, and was ready to make some commitment to getting SELinux to work on my personal laptop. I got as far as Permissive mode, with a firehose of access violations in the auditd log. I had written a couple of scrappy policies to authorize a few small one-off violations, with the help of audit2allow, but the firehose was still gushing. I use offlineimap for fetching mail, which doesn't have a policy. Now, if I ever wanted to switch from Permissive to Enforcing, I was required, as an absolute SELinux n00b, to write a full policy for a non-trivial mail application. This is when I turned around. I could have half-assed it with audit2allow, but security-wise that's a cop-out. Inevitably, there will always be some program I want to use with no existing policy, and I'll constantly have this problem. I realized that my personal workstation is a place I like to try lots of software (don't we all like that about Linux?), and SELinux can be a big wet blanket on the fun at any time. I'd like to find a middle ground, and it might be Targeted mode (I was attempting Strict). Or, it might be a different system like AppArmor. -- Erik Mackdanz
