[CentOS] SELinux - way of the future or good idea but !!!
Benjamin Franz
jfranz at freerun.com
Sat Nov 27 18:57:50 UTC 2010
On 11/26/2010 05:17 PM, Patrick Lists wrote:
>
> What's with people recommending to turn off SELinux?! That's just bad
> advice and like recommending people keep their doors unlocked at all
> times. Really, stop doing that. SELinux is there for a reason.

SELinux is like an automatic collision avoidance system for an airplane
that unpredictably crashes the plane during normal flight. While the
basic idea is good, until it stops crashing planes without warning it
isn't going to be accepted.

It is not enough that it mitigates certain classes of attacks when it
actively breaks running systems *more often* than it mitigates attacks.

And that is my personal experience. Every year or two I try turning it
on on a few systems. And then, after it suddenly decides to break a
previously stable system - it gets turned back off.

--
Benjamin Franz