[CentOS] SELinux threads, cynicism, one-upmanship, etc.

Lamar Owen lowen at pari.edu
Sat Nov 19 00:43:23 UTC 2005

On Thursday 17 November 2005 11:40, Peter Farrow wrote:
> running a consultancy business where time is money, tunring it off and
> configuring as we always did before represents the best technical
> solution and value for money for my clients.

No, it's the easiest solution, but not the best technical one.  The best 
technical solution is where you figure out how to use it and leverage it for 
value-add to your customers.

> Those of you who work in big corporates or have time to experiment with
> every last detail of SELinux features in a lab by all means go and do
> it, here at the coal face its rather like offering options for window
> dressing while we are still building the shop front....

No, it's more like choosing sheet steel studs instead of spruce studs in the 
framing, as SELinux is pretty tightly integrated.  It's definitely something 
you want to design in and take advantage of, not just throw on like a skin.

> but my machines stay secure 
> without it.

As far as you know....

> Therefore I don't need it.... period... 

One rootkit is probably all it will take.  Just because you've never yet been 
hacked doesn't mean you won't be hacked.  Been there, done that.  Cleaned up 
a couple of rootkits after the fact, too.

And the same goes here; while I've not yet been cracked here (as far as I 
know), that could change in an instant, and that's with SELinux in targeted 
mode as opposed to full enforcing mode.

But if you think you don't need it, well, that's your choice.  But that 
doesn't mean that the correct answer to everyone who has some difficulty with 
SELinux is 'turn it off.'
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772

More information about the CentOS mailing list