On Tuesday 30 November 2010 19:04:12 Benjamin Franz wrote:
On 11/30/2010 10:42 AM, Lamar Owen wrote:
It boils down to balancing 'it breaks my app that I can't or won't fix' against 'you've been pwned!'
Actually, it boils down to 'what causes more total costs to the business'. Right now, in my experience, that is SELinux. Break ins to my servers are extremely rare (one machine out of several dozen internet exposed machines in 13 years). SELinux randomly taking out some aspect of operations is fairly frequent in comparison (several incidents on just the handful of machines I have that it was left active on).
Security in not an end unto itself. It exists to support the business making money. If a cost saving measure is costing the business more than it is saving it, it is *not* a good idea no matter how technically superior it is.
That may be the case at the moment. But in the future you can expect that quality (of SELinux) will eventually outperform quantity (of software that doesn't support it).
Computer power is always growing, and we saw a post on this very list the other day about someone using a 5 bucks-per-hour (or so) Amazon cloud to easily crack passwords by brute force. One can expect that the number and severity of intrusions is going to rise in the future, and conventional security measures will not be enough for much long. When that time comes, you (as a sysadmin of some big corporation with a lot of in-house and third-party code running mission-critical stuff) will *want* SELinux, and you will *want* all that custom software to be SELinux compliant.
So at the moment SELinux might seem like a waste of sysadmin precious time and effort, but it is actually a wise investment to make. The sooner you learn how to make your system work with it, the better.
And developers of non-SELinux-compliant software will sooner or later find themselves under pressure to become compliant. Look what happened to oil industry --- they were actively supressing any R&D of alternative fuel sources for several decades, because it could grow to become competition for the oil money-making. And now, when the oil is running out, that same industry is investing an ever larger amount of money for that same R&D in order to save themselves from disaster.
Quantity cannot successfully suppress quality, not forever. It is always a Good Idea(tm) to embrace quality sooner, because it is an investment that will give you an edge later on.
Of course, managers and other people focused solely on money-making cannot (or don't want to) see anything beyond the next fiscal period, like governments and the election period. That kind of thinking is bound to fail at some point or produce big losses in order to survive (stockmarket crises? wars?). But sysadmins can choose not to be ignorant in this matter, so my advice is --- learn to use SELinux today, it will make your life easier tomorrow. ;-)
P.S. I am just waiting for the day when SELinux is going to become locked in enforcing mode by the kernel developers, much as the traditional permissions system is a mandatory thing right now. :-D
Best, :-) Marko