[CentOS] SELinux threads, cynicism, one-upmanship, etc.
webmaster at ew3d.com
Mon Nov 21 15:11:39 UTC 2005
Johnny Hughes wrote:
>On Mon, 2005-11-21 at 14:41 +0000, Peter Farrow wrote:
>>Please go and look up "default" on the dictionary....
>It isn't the word default that I have a problem with ... it is enabled.
>Nothing is enabled until you click past it without taking action.
>You "Enable" the things that you want.
>Now ... I would agree that the "Default" selection is having SELinux in
>"Permissive Mode" ... and that user action and knowledge is required
>when deciding what they want to do concerning SELinux.
If you are doing a Server Install, on 4.2, "Enabled" is highlighted (by
default ;) ). One has to select permissive (warn only) or off to keep it
from being enabled (unless warn and permissive are different?). Just did
this Saturday. It does seem that it was not this way during some other
install process, way back in some other time... long, long ago (as if
this has been around that long).
It was about that same time that I started figuring out suexec. That
made some radical changes to many of our user's setups (yes, one could
argue they 'needed to be fixed'). Doing an install is a bit of an
arduous task. I haven't liked the direction RedHat has taken in recent
years and actually preferred the select each package method from back in
the 7.2 days. It seems that the 'list' shown now is nowhere near
complete. But, I'll trade these issues for the RPM system and the great
updating proceedures. Things like selinux do get in the way... another
stall to go figure out. And with something as raw as selinux, I'm not
all that happy that it is the default selected item on the way in. The
attitude of if you don't know, Redhat knows best just doesn't seem to
Anyway, I guess this all is a mute point. CentOS is supposed to 'follow
the upstream provider as closely as possible' right down to Anaconda....
This 'default' thread really belongs on 'de fault' Redhat list. Then
again, most of us can't complain there because we don't pay them anything.
I am however glad that the selinux issues have been posted, as it helped
me decide that my stuff isn't ready for it. I have been enabling it
under warn mode, just so I can see/learn what issues it feels are
potential security holes.
More information about the CentOS