On 11/14/05, Peter Farrow peter@farrows.org wrote:
> I agree Les,
> Selinux just adds bloat that we've managed without for many many years.
We used to manage just fine with telnet for many many years also, and these days I wouldn't think of accessing a machine via telnet. If you don't change with the times, you're going to get steamrolled by them.
> Another layer of complexity to allow another layer of holes/backdoors/exploits.
Given the organization who gave us SELinux and their dire need for security, I get the feeling it'll block many more problems than it allows, just as ssh did.
> NOT NEEDED!!!!
I disagree. SELinux is going through growing pains, and it's not quite to the point where I'd call it "user friendly", but it does a very good job at separating programs from areas of the system they don't need to touch. I for one use it to protect users from themselves and each other with cgi programs on web servers. SELinux can provide a very secure way to allow users to have cgis on their webspace without staying up nights wondering if their code is going to kill something. SELinux is currently a pain in the ass, but it's no more complicated than say a sendmail config. We just need to learn it the same way we learned sendmail. It's not for every environment YET. I would not place it on a workstation, but on a webserver or some other system with high levels of outside traffic.. yes.
--
Jim Perrin
System Architect - UIT
Ft Gordon & US Army Signal Center