Some of you seem to be drowning in the "complex=secure" scenario.
SELinux adds complexity. The biggest dangers in computer hacking come from within your own network.
90% of hacking jobs are in house as the statistics show.
SELinux makes security complex and bloat like, the same thing that makes Windows insecure, this makes the admin job harder, which will lead to mistakes, which will make it hard to find holes, which will inevitably lead to a less secure system.... QED.
Perhaps all of you that _LOVE_ SElinux so much should branch off to a new flavour of Linux,
I propose that you name it BloatOS,
Just keep it well away from me.
My boxes have SELinux=disabled on all of them (that's a big number by the way).
I don't need it, those sysadmins who feel they need to use it, sure go ahead and use it, but please don't take the moral high ground saying using it is definitely better and more secure, because I find that kind of talk irritating because it is so wrong.
One thing is for sure, SELinux slows the box down, which perhaps you could start arguing that "aah yes the box is so much slower now, it will take a hacker longer to get in - hey SELinux really is secure for that reason alone" -- ROTFLOL....
I think you should rename this thread BloatOS.
You could then write a shell script called "unbloat" or "speedup"
I propose it contains
rpm -e libselinux-1.19.1-7 selinux-policy-targeted-1.17.30-2.110 libselinux-devel-1.19.1-7
Maybe that too has some marketing mileage, you could sell this script as a box performance enhancer,
LOL
Les Mikesell wrote:
On Fri, 2005-11-18 at 22:42, Lamar Owen wrote:
Maybe I'm wrong, but I think any admin needs to experience having their box cracked. It will produce the humbleness necessary to the trade, because overconfidence is dangerous.
Yes, but when the box gets cracked _because_ they are using the latest new thing their distribution added under the guise of increased security, as happened with ssh a while back, it also produces the attitude that new stuff should soak a long, long while in a distribution like fedora before going onto production boxes. You want to at least wait until the surprises stop - and I take the flurry of reports of broken apps at every update as an indication that they haven't stopped yet.
Your analogy to a weapon was a good one. When the experts tuning the distribution still can't keep it from blowing up in people's faces some of the time, normal people should keep their distance. When the Fedora and CentOS lists go several months without a mysterious app failure caused by SELinux it will be time to reconsider.