[CentOS] SELinux threads, cynicism, one-upmanship, etc.
lowen at pari.edu
Sat Nov 19 00:43:23 UTC 2005
On Thursday 17 November 2005 11:40, Peter Farrow wrote:
> running a consultancy business where time is money, turning it off and
> configuring as we always did before represents the best technical
> solution and value for money for my clients.
No, it's the easiest solution, but not the best technical one. The best
technical solution is where you figure out how to use it and leverage it for
value-add to your customers.
> Those of you who work in big corporates or have time to experiment with
> every last detail of SELinux features in a lab by all means go and do
> it, here at the coal face it's rather like offering options for window
> dressing while we are still building the shop front....
No, it's more like choosing sheet steel studs instead of spruce studs in the
framing, as SELinux is pretty tightly integrated. It's definitely something
you want to design in and take advantage of, not just throw on like a skin.
> but my machines stay secure
> without it.
As far as you know....
> Therefore I don't need it.... period...
One rootkit is probably all it will take. Just because you've never yet been
hacked doesn't mean you won't be hacked. Been there, done that. Cleaned up
a couple of rootkits after the fact, too.
And the same goes here; while I've not yet been cracked here (as far as I
know), that could change in an instant, and that's with SELinux in targeted
mode as opposed to full enforcing mode.
But if you think you don't need it, well, that's your choice. But that
doesn't mean that the correct answer to everyone who has some difficulty with
SELinux is 'turn it off.'
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772