[CentOS] SELinux threads, cynicism, one-upmanship, etc.

Nathan Oyler noyler at khimetrics.com
Wed Nov 16 22:05:26 UTC 2005


> The main reason I think sysadmins in general seem to hate SELinux is the
> 'Mandatory' part of 'Mandatory Access Control': that is, superuser power
> is too addictive to get rid of, and SELinux can do away with 'superuser'
> powers entirely.

I disagree with this. The main reason I dislike SELinux is the way I was
introduced to it.

I wasted quite a bit of time on an issue before I even knew what SELinux
was because it was turned on by default on an FC2 machine. I was asked
by another admin to use FC2 on a particular job, and I never saw
SELinux.

I turn it on now for all machines, but if you were to have asked me at
any point in the week my feelings on SELinux they would have not been
pleasant.

At the time, I looked and there wasn't any real documentation for what I
was trying to do, and why it failed. Now after time has passed, I
realize what was going on but when you're in the middle of a job on a
time crunch, the last thing you want to do is learn a new security
system.

I turned the thing off. Got what I needed done, and came back to the
issue at a later date. 

The turning it on by default irked me. Superuser power as a trip is just
silly. What's the difference? 

All I want is enough power to do my job.


