On Sunday 28 November 2010 11:22:14 Eero Volotinen wrote:
> You forgot "take on becoming the SELinux integration manager for that project with every single update". I've done that several times now
> In commercial service production, wasted time also costs money.
> I think it is easier/cheaper to use hardware firewalls and IDP systems to protect servers than fight with SELinux on each server.
> SELinux tuning might work at companies with unlimited resources like NSA... or if you run a server at home with unlimited free time to tune it up.
This is just FUD. If SELinux yells at you, you have an insecure system, period. Deal with that, not with SELinux.
If you deliberately want to keep your system insecure, modify local SELinux policy to allow access. It is enough to do it just once, or at least until you reinstall the OS on the machine.
It just takes a minimal investment of time to learn how to interact with SELinux. And any serious sysadmin should learn it.
Best, :-) Marko