Nathan Oyler noyler@khimetrics.com wrote:
I disagree with this. The main reason I dislike SELinux is the way I was introduced to it. I wasted quite a bit of time on an issue before I even knew what SELinux was because it was turned on by default on an FC2 machine. I was asked by another admin to use FC2 on a particular job, and I never saw SELinux.
When has _any_ Red Hat ".0" release not caused grief!
I purposely _avoided_ Fedora Core 2 _until_ Fedora Core 3 was almost released -- and even then, I _only_ installed it for "test." I have the same attitude on Fedora Core 4, I'm waiting for 5.
Fedora Core is quickly becoming a 7-9 month release cycle, so RHEL releases are every 2 FC releases. So consider FC releases the opposite of Star Trek movies ... the odd are good, the even are bad. ;-ppp
I turn it on now for all machines, but if you were to have asked me at any point in the week my feelings on SELinux, they would have not been pleasant.
The cool thing about RHEL and, subsequently, CentOS is by the time a new version comes out, the Fedora Core users have addressed most of the concerns, and the leftover issues are known.
At the time, I looked and there wasn't any real documentation for what I was trying to do,
Red Hat Linux 5.0, Red Hat Linux 7.0, Red Hat Linux 8.0 ... Fedora Core 2 was just yet another one in the chain of complaints. (big grin ;-)
and why it failed. Now after time has passed, I realize what was going on but when you're in the middle of a job on a time crunch,
Ummm, why were you installing Fedora Core 2 in a _production_ environment?
I mean, I'm all for Fedora Core in a production environment, but _not_ the latest version that changes everything (which Fedora Core 2 did). Yikes!
the last thing you want to do is learn a new security system.
The last thing you want to do is install a massive version change of RHL/FC in a production network!
I turned the thing off. Got what I needed done, and came back to the issue at a later date.
And I don't think anyone would disagree on the first release with SELinux. Then again, I would definitely _disagree_ with your deploying Fedora Core 2 on a production system.
I would have the same reasoning behind Red Hat Linux 5.0, 7.0 and 8.0 as well. Red Hat Linux 6.0 wasn't perfect either.
The turning it on by default irked me.
Release notes are a beautiful thing. ;->
Superuser power as a trip is just silly. What's the difference? All I want is enough power to do my job.
Ahhhh, the repeat theme here.
RBAC/MAC purposely prevents you from doing your job from 1 account. It forces you to go about things differently.