On Thursday 17 November 2005 11:40, Peter Farrow wrote: > running a consultancy business where time is money, tunring it off and > configuring as we always did before represents the best technical > solution and value for money for my clients. No, it's the easiest solution, but not the best technical one. The best technical solution is where you figure out how to use it and leverage it for value-add to your customers. > Those of you who work in big corporates or have time to experiment with > every last detail of SELinux features in a lab by all means go and do > it, here at the coal face its rather like offering options for window > dressing while we are still building the shop front.... No, it's more like choosing sheet steel studs instead of spruce studs in the framing, as SELinux is pretty tightly integrated. It's definitely something you want to design in and take advantage of, not just throw on like a skin. > but my machines stay secure > without it. As far as you know.... > Therefore I don't need it.... period... One rootkit is probably all it will take. Just because you've never yet been hacked doesn't mean you won't be hacked. Been there, done that. Cleaned up a couple of rootkits after the fact, too. And the same goes here; while I've not yet been cracked here (as far as I know), that could change in an instant, and that's with SELinux in targeted mode as opposed to full enforcing mode. But if you think you don't need it, well, that's your choice. But that doesn't mean that the correct answer to everyone who has some difficulty with SELinux is 'turn it off.' -- Lamar Owen Director of Information Technology Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 (828)862-5554 www.pari.edu