[CentOS] SELinux threads, cynicism, one-upmanship, etc.

Craig White craigwhite at azapple.com
Sat Nov 19 17:40:07 UTC 2005 

On Sat, 2005-11-19 at 10:41 -0600, Les Mikesell wrote:
> On Fri, 2005-11-18 at 22:42, Lamar Owen wrote:
> 
> > Maybe I'm wrong, but I think any admin needs to experience having their box 
> > cracked.  It will produce the humbleness necessary to the trade, because 
> > overconfidence is dangerous.
> 
> Yes, but when the box gets cracked _because_ they are using the
> latest new thing their distribution added under the guise of
> increased security, as happened with ssh a while back, it
> also produces the attitude that new stuff should soak a long,
> long while in a distribution like fedora before going onto
> production boxes.  You want to at least wait until the surprises
> stop - and I take the flurry of reports of broken apps at
> every update as an indication that they haven't stopped yet.
> 
> Your analogy to a weapon was a good one.  When the experts
> tuning the distribution still can't keep it from blowing
> up in peoples's faces some of the time, normal people should
> keep their distance.  When the fedora and Centos lists go
> several months without a mysterious app failure caused by
> SELinux it will be time to reconsider.
----
I hope that you realize that only those who routinely disable selinux
would actually make that statement.

I actually am on the same fedora and centos lists as you and I don't see
'a flurry of reports of broken apps at every update' - perhaps your
characterization is shaded by your desire to believe that something in
selinux is broken...it isn't. There is only a lack of knowledgeable
people advising people how to fix their issues. The only barriers to
using selinux that I see is that people have to figure out whether they
need to change file contexts, relabel certain files or simply change
policy and there are simple tools to use for all of those circumstances.
I am learning them and I am not that smart.

As for your comment 'normal people should keep their distance' - that
sounds like like advice from someone who has made an uninformed decision
and wants others to follow his uninformed lead. If you employed selinux
everywhere and suggested to others that they not do so you might have
some credibility.

Of course when the 2.4 kernel was released, there were a number of
people who advocated continuing to use ipchains because they understood
that and didn't understand netfilter/iptables and did a similar
disservice to others by suggesting that other users followed this lead.

I haven't disabled selinux on any system that I setup/maintain/operate
whether it is clients RHEL/CentOS or my own fedora desktops. The only
issue that stopped anything was update of mysql and a relabel fixed
that...one command - done. Of course this list was of no help because
everyone was drawn to the debate rather than the solution.

I do occasionally have to deal with issues...such as those caused by
upgrade from CentOS 4.1 to 4.2 but they were not difficult...and the
solution to them was clearly not offered by those who think that they
are providing value by suggesting that I simply turn it off.

I also occasionally have issues with things like BIND, LDAP, cyrus-imapd
etc. and rather than turn them off, I actually take the time to discover
the nature of the problem and then fix it. SELinux is not different.

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the CentOS mailing list