[CentOS] selinux stuff - I just don't get

Jim Perrin jperrin at gmail.com
Mon Nov 14 14:29:47 UTC 2005

On 11/14/05, Peter Farrow <peter at farrows.org> wrote:
> I agree Les,
> Selinux just adds bloat that we've managed without for many many years.

We used to manage just fine with telnet for many many years also, and
these days I wouldn't think of running accessing a machine via telnet.
If you don't change with the times, you're going to get steamrolled by

> Another layer of complexity to allow another layer of
> holes/backdoors/exploits.

Given the organization who gave us selinux and their dire need for
security, I get the feeling it'll block many more problems that it
allows, just as ssh did.


I disagree. SELinux is going through growing pains, and it's not quite
to the point where I'd call it "user friendly", but it does a very
good job at seperating programs from areas of the system they don't
need to touch. I for one use it to protect users from themselves and
each other with cgi programs on web servers. selinux can provide a
very secure way to allow users to have cgis on their webspace without
staying up nights wondering if their code is going to kill something.
SELinux is currently a pain in the ass, but it's no more complicated
than say a sendmail config. We just need to learn it the same way we
learned sendmail. It's not for every environment YET. I would not
place it on a workstation, but on a webserver or some other system
with high levels of outside traffic.. yes.

Jim Perrin
System Architect - UIT
Ft Gordon & US Army Signal Center

More information about the CentOS mailing list