[CentOS] SELinux - way of the future or good idea but !!!

Lamar Owen lowen at pari.edu
Tue Nov 30 21:22:20 UTC 2010


On Tuesday, November 30, 2010 03:31:44 pm m.roth at 5-cent.us wrote:
> Lamar Owen wrote:
> > CA should know better, and if they are targeting RHEL commercially they
> > should be supporting the default RHEL configuration.
 
> Right. So, hey, do you have the rights to call CA and lean on them?

Nope, sorry.  Can't help you there.

> And I notice that you don't address the other point, all the in-house
> apps, 

In-house apps must be addressed in-house; I'll address mine (and expose a smaller risk by integrating SELinux), and you or your company can address yours.  I thought that was obvious enough to not require reply, as dealing with in-house developers always invokes some degree of politics.

> and if you think management will say "sure, spend whatever it takes
> to rewrite that so it conforms to selinux...", you're living in somewhere
> I don't. And just about everywhere I've worked, both as a developer and as
> a sysadmin had a *lot* of in-house apps.

We have a few; none required a rewrite; you're getting a bit melodramatic, there, as there isn't going to be any application that is going to require a complete 100% rewrite to work with SELinux.  

Few required much of anything to be changed, and even then all changes were to the filesystem labeling of the contexts.  Nothing more.  Not that we have a lot of in-house apps; I try to do as much as possible with OOB CentOS, pulling in the bare minimum third-party stuff I can (Plone is the largest third-party app I pull in currently).   But the targeted policy and Plone, to pull the biggest example, just worked fine with each other, no sweat, once I allowed zeo and the zope clients rights to bind the appropriate ports.


