[CentOS] SELinux threads, cynicism, one-upmanship, etc.

Bryan J. Smith thebs413 at earthlink.net
Wed Nov 16 22:53:43 UTC 2005

Nathan Oyler <noyler at khimetrics.com> wrote:
> I disagree with this. The main reason I dislike SELinux is
> the way I was introduced to it.
> I wasted quite a bit of time on an issue before I even knew
> what SELinux was because it was turned on by default on a
> machine. I was asked by another admin to use FC2 on a
> particular job, and I never saw SELinux.

When has _any_ Red Hat ".0" release not caused grief!

I purposely _avoided_ Fedora Core 2 _until_ Fedora Core 3 was
almost released -- and even then, I _only_ installed it for
"test."  I have the same attitude on Fedora Core 4, I'm
waiting for 5.

Fedora Core is quickly becoming a 7-9 month release cycle, so
RHEL releases are every 2 FC releases.  So consider FC
releases the opposite of Star Trek movies ... the odd are
good, the even are bad.  ;-ppp

> I turn it on now for all machines, but if you were to have
> asked me at any point in the week my feelings on SELinux
> would have not been pleasant.

The cool thing about RHEL and, subsequently, CentOS is by the
time a new version comes out, the Fedora Core users have
addressed most of the concerns, and the leftover issues are

> At the time, I looked and there wasn't any real
> documentation for what I was trying to do,

Red Hat Linux 5.0, Red Hat Linux 7.0, Red Hat Linux 8.0 ...
Fedora Core 2 was just yet another one in the chain of
complaints.  (big grin ;-)

> and why it failed. Now after time has passed, I
> realize what was going on but when you're in the middle of
> a job on a time crunch, 

Ummm, why were you installing Fedora Core 2 in a _production_

I mean, I'm all for Fedora Core in a production environment,
but _not_ the latest version that changes everything (which
Fedora Core 2 did).  Yikes!

> the last thing you want to do is learn a new security
> system.

The last thing you want to do is install a massive version
change of RHL/FC in a production network!

> I turned the thing off. Got what I needed done, and came
> back to the issue at a later date. 

And I don't think anyone would disagree on the first release
with SELinux.  Then again, I would definitely _disagree_ with
your deploying Fedora Core 2 on a production system.

I would have the same reasoning behind Red Hat Linux 5.0, 7.0
and 8.0 as well.  Red Hat Linux 6.0 wasn't perfect either.

> The turning it on by default irked me.

Release notes are a beautiful thing.  ;->

> Superuser power as a trip is just silly.
> What's the difference? 
> All I want is enough power to do my job.

Ahhhh, the repeat theme here.

RBAC/MAC purposely prevents you from doing your job from 1
account.  It forces you to go about things differently.

