Hard problems

I was kind of surprised and also happy to see that Dan Kegel’s The C10K Problem is still being actively maintained after seven years (with recent updates covering Evgeniy’s kevent work). That’d have to make it one of the oldest active Linux documents on the Internet. Which is like how people describe volcanoes.

I’ve glanced through a copy of the new SELinux book, SELinux by Example, and it looks to be very comprehensive. I’d say it’s the best current resource on the subject.

FC6 will include some SELinux usability improvements, most notably a new GUI desktop tool, setroubleshoot, which was inspired by the idea of the Gnome Bug Buddy. The idea is to notify the user when something goes wrong (e.g. an AVC denial), and present them with a clear explanation and an easy means to do something constructive in response. In addition to the detailed design documentation at the above link, setroubleshoot has been blogged about by Karl MacMillan and Dan Walsh.

Setroubleshoot Alert.
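
To make the "AVC denial to clear explanation" step concrete, here is an added example (not setroubleshoot's own code, and not from the original post) that parses AVC denial records in the audit log format and collapses repeats into one readable alert each. The log lines are constructed samples, and the names `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from a real system).
SAMPLE_LOG = '''\
type=AVC msg=audit(1158064002.046:4): avc:  denied  { read } for  pid=2496 comm="httpd" name="index.html" dev=dm-0 ino=6260297 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1158064002.046:4): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1158064010.112:9): avc:  denied  { read } for  pid=2497 comm="httpd" name="index.html" dev=dm-0 ino=6260297 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1158064031.500:12): avc:  denied  { getattr search } for  pid=2501 comm="smbd" path="/srv/share" dev=dm-0 ino=77 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass', 'comm'} <= rec.keys():
        return None  # truncated or malformed record: skip rather than guess
    rec['perms'] = tuple(m.group(1).split())
    # A context is user:role:type[:level]; the type drives policy decisions.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(log_text):
    """Collapse repeated denials into one alert each, with a hit count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        obj = rec.get('path') or rec.get('name', '?')
        counts[(rec['comm'], rec['source_type'], rec['perms'],
                rec['tclass'], obj, rec['target_type'])] += 1
    return [
        f'{comm} ({stype}) was denied {" ".join(perms)} on {tclass} '
        f'"{obj}" labeled {ttype} [{n}x]'
        for (comm, stype, perms, tclass, obj, ttype), n in counts.items()
    ]

if __name__ == '__main__':
    for alert in summarize(SAMPLE_LOG):
        print(alert)
```

The first alert shows the pattern restorecond is meant to address: a served file carrying a label (`user_home_t`) that the daemon's domain is not allowed to read.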

There’s also a new facility for maintaining the correct labels on files, restorecond, which runs in the background and relabels files automatically in certain cases (e.g. for files being served by Apache). This is of course a trade-off between security and usability, and is entirely configurable via

/etc/selinux/restorecond.conf

It’s really great to see these kinds of improvements being made. Security is a hard problem, and such problems take a lot of time and effort to solve effectively. We’re getting there.