[CentOS] courier mail for Centos

John R. Dennison jrd at gerdesas.com
Thu Dec 6 19:43:17 UTC 2012


On Thu, Dec 06, 2012 at 01:30:40PM -0600, Les Mikesell wrote:
> 
> Sorry to burst your bubble here, but note that this is from a guy that
> says he hasn't changed things in years.   The 'normal' selinux
> reaction to problems is not nonsense, just real life when you have a
> bunch of people trying to do new things and a tool that is designed to
> restrict them.

Then let me sum this up thusly.  If anyone is in the habit of managing
systems with selinux set to disabled because "it's too hard" or "it
takes too much time" or any number of other ridiculous excuses instead
of learning to properly manage the systems with the tools and
documentation provided then they need to reconsider their chosen career
path as they are quite obviously not cut out for systems administration
/ engineering.

I manage many, many hundreds of systems.  Not a single one has selinux
disabled.  I have _no_ problems in doing so.  Does it take a little time
to do it when first installing a package without a pre-packaged policy?
Yes; and this is one reason you don't do this type of thing in a
production environment.  Is it less time than it takes to recover from a
compromise?  Yes; _many_ times less.

So you'll kindly pardon me if I don't accept lame excuses or what I
consider faulty reasoning as to why one would not have selinux set to
enforcing on any given box.  I also consider any advocacy for disabling
security tools versus understanding them and learning to work with them
quite out of place on this or any other technical list.  People should
really just know better.  As I know you'll want to get the last word in,
Les, let it be known I won't reply to this thread any longer.  The
original author has already shown his willingness to do things properly
and you just want a soapbox and I won't give you one.





							John
-- 
He may be mad, but there's method in his madness.  There nearly always is
method in madness.  It's what drives men mad, being methodical.

-- G. K. Chesterton, The Fad of the Fisherman (1922)