Lamar Owen wrote:
On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote:
Agreed, but not everyone has time to do both - or to learn lots of distribution-specific details in mixed environments. My opinion is that doing the simple stuff first is a win. And that works the same on systems that don't include SELinux.
<snip>
Security isn't simple. The mantra 'just disable SELinux, you don't need it anyway because it's too big of a pain and apps that aren't part of the tested distribution can break' is oversimplifying a complex issue. My opinion is that I'm not going to run third-party apps that break in that way, and I'm going to let the developers know why.
<snip>
That's fine for you. When you're running in a larger environment, as many of us are, corporate or government, and you have no choice in what's run, esp. if some of it's run by mandate, and the group mandating it only knows WinDoze, and companies that they buy software from claim they have it for Linux (like CA), or you've got F/OSS that no one has time to do more than customize, not go through zillions of lines of code, that generate AVCs, you do what we do: mostly permissive.
mark