Re: [CentOS] selinux stuff - I just don't get -- "outgoing firewalls are broken"

On Mon, 2005-11-14 at 11:41, Bryan J. Smith wrote:

The reality is that with SELinux, we don't trust software _until_ they are explicitly allowed to access things. Modes like "permissive" use the opposite that logic, and are more compatible.

Just like deny all outgoing firewalls block _all_ outbound traffic, _until_ they are explicitly allowed. And why most people just enable allow all outgoing (including every single SOHO device you'll find at the superstore).

Do you understand now?

I think the point you are both making is that you can't use either of these tools unless you have someone with not much else to do but baby-sit them or you can get along without the services they deny (and that you may not know about yet).