[CentOS] [OT][Practices] The Case for RBAC/MAC

Bryan J. Smith thebs413 at earthlink.net
Fri Nov 18 14:53:34 UTC 2005


On Fri, 2005-11-18 at 07:04 -0700, Craig White wrote:
> that notwithstanding, I am sure you realize that considering your
> premise of usage stated above, that a strong argument could be made
> that it is an ideal candidate for the protections of SELinux.

Ditto.  That's what keeps getting to me.

It would be one thing if he said, "I don't want to deal with SELinux."
I've _always_ respected his view on that.  I don't expect people to deal
with RBAC/MAC if they don't want to (although as a few have stated, that
might affect their consideration by a prospective client/employer -- but
_no_one_ is in an interview here, so don't read too much into it ;-).

Yet according to him, people like you and I who are implementing SELinux
in the same environments, we're doing it all-for-not!  That's simply not
true!  And I agree, remote systems are _ideal_ for RBAC/MAC.

And if I have to implement a change (even updates), something that might
be affected by _any_ control -- I first do it with systems near to me.
I test those changes locally, and then I roll out those change remotely
(be it remote update, or a box exchange if warranted).  That's just good
configuration management.  It has nothing to do with RBAC/MAC!

I don't ship something with RBAC/MAC that doesn't work.  But that
doesn't mean I disable RBAC/MAC _instead_ of making it work.  And it
doesn't mean that _only_ RBAC/MAC would affect a change in the field.
That's why I don't make "on-the-spot" changes in the field!  That
violates configuration management principles.  ;->

Or do I just not know what I'm talking about?

> Email skills can also encompass the ability to recognize the
> difference between expressing an opinion for one's own peculiar usage as
> it relates to the broader base as a whole and make the distinction
> clear.

I suck at e-mail.  I am not always clear.  I admit this.  In fact, my
biggest problem with trying to hold a conversation in e-mail has to do
with the fact that I almost approach it _too_much_ like a "real
conversation."

I write like I would speak on the phone or in-person -- including
sarcasm, tone-based wit/effect (never comes through in e-mail, I forget
that), etc...

After 16 years of e-mail on the Internet, I've learned 1 thing.

It's better for me to avoid conversation and story telling in e-mail.
Unfortunately, we all don't have each other's phone numbers.  I've tried
to use blogs to reduce my story telling, but I still do it.

So in a professional environment, I _avoid_ it.  If you have a weakness,
you _avoid_ it.  I also do it because a phone conversation is typically
better and quicker, or a formal tech doc would do far better, with less
chance for errors.

Especially since I'm a regular author of various columns and a
contributor to a series of books (read the _next_ sentence before you
think I'm on an "ego" trip please ;-).  By my very "programmed" nature,
I'm verbose to an extreme -- unassuming whether you might know what I'm
talking about or not, so I start almost "newbie'ish" sometimes because
the audience of an article or book _varies_ in knowledge.

But in a professional environment, I _avoid_ e-mail.  And I expect that
of others.  And I _know_ most of my clients and/or supervisors don't
like it when any consultant or employee contacts them in e-mail -- they
want a voice or a presence.

So far, in a professional environment, I have been complemented by
clients because I do _not_ hold conversations in e-mail.  I call them
up.  I write them up some sectionalized documentation (which I can crank
out in no time!) instead of crappy e-mail.

If they _only_knew_ the reason I avoid e-mail is because I really suck
at holding conversations in it.  Actually, so _do_ know.  And to them,
it's not an issue because I _never_ use it for business.






More information about the CentOS mailing list