SearchOpenSource.com: SELinux has earned a reputation
for being complex. What's being done in Red Hat Enterprise Linux 5
to ease that complexity?

"Karl MacMillan: As far as addressing
complexity, there are two challenges--to create policy and then to
deploy the policy. With the new loadable modules in RHEL5, the
focus is on the second problem. How does one ship the product to
third parties and allow administrators to make changes?
Essentially, what happens with Security-Enhanced Linux is in order
to address security issues that exist out there, you have to have a
mechanism that controls all access on a system. When you think of
normal Linux access control, you are dealing only with processor
access, file systems, control interfaces and networking, and they
are very far removed from the normal Linux access mechanism. For
example, even if you control access to writing files that MySQL
uses, MySQL is still attacked over the network or via
interprocessor communication. People aren't used to dealing with
all of the kinds of access that a complex program like MySQL needs,
and more importantly, the interaction between [the accesses] gets
complicated..."