On Sat, Nov 27, 2010 at 03:29:49AM +0200, Eero Volotinen wrote:
Usually it causes more problems. If you have unlimited resources to tune it up, then it possibly helps on the way.
Only if you don't bother to take the time to read any of the resources I previously provided or any of the other SElinux resources available on the 'net.
SElinux is not brain surgery; spend some time with the documentation and you'll be surprised at how easily it all comes together after a while.
Telling people to disable it is not only foolish but completely irresponsible; doubly so in a medium that exists to support users. If the best avenue was to disable it do you honestly think that upstream would enable it by default?
This is 2010 - people are expected to actually make an effort at learning the systems they so casually throw up on the 'net and to take responsibility for those systems. Every time a box gets compromised it can pose a risk to the rest of us; please be mature and responsible enough to make it as difficult as possible to permit such a compromise in the first place.
John