[CentOS] selinux stuff - I just don't get -- "outgoing firewalls are broken"

Craig White craigwhite at azapple.com
Mon Nov 14 18:35:09 UTC 2005


On Mon, 2005-11-14 at 12:28 -0600, Les Mikesell wrote:
> On Mon, 2005-11-14 at 11:41, Bryan J. Smith wrote:
> 
> > The reality is that with SELinux, we don't trust software
> > _until_ they are explicitly allowed to access things.  Modes
> > like "permissive" use the opposite of that logic, and are more
> > compatible.
> > 
> > Just like deny all outgoing firewalls block _all_ outbound
> > traffic, _until_ they are explicitly allowed.  And why most
> > people just enable allow all outgoing (including every single
> > SOHO device you'll find at the superstore).
> > 
> > Do you understand now?
> 
> I think the point you are both making is that you can't use
> either of these tools unless you have someone with not much
> else to do but baby-sit them or you can get along without the
> services they deny (and that you may not know about yet).
----
I would have sworn the point was that these people just love the debate
and no one knew enough to answer the question that I originally asked.

Thanks to the fedora-selinux mail list, where answers seem to be more
topical than philosophical debate, I got an answer.

Craig

