[CentOS] SELinux threads, cynicism, one-upmanship, etc.

Mon Nov 21 15:11:39 UTC 2005
John Hinton <webmaster at ew3d.com>

Johnny Hughes wrote:

>On Mon, 2005-11-21 at 14:41 +0000, Peter Farrow wrote:
>
>>Please go and look up "default" on the dictionary....
>>
>It isn't the word default that I have a problem with ... it is enabled.
>
>Nothing is enabled until you click past it without taking action.
>
>You "Enable" the things that you want.
>
>Now ... I would agree that the "Default" selection is having SELinux in
>"Permissive Mode" ... and that user action and knowledge is required
>when deciding what they want to do concerning SELinux.
>
If you are doing a Server Install, on 4.2, "Enabled" is highlighted (by 
default ;) ). One has to select permissive (warn only) or off to keep it 
from being enabled (unless warn and permissive are different?). Just did 
this Saturday. It does seem that it was not this way during some other 
install process, way back in some other time... long, long ago (as if 
this has been around that long).

It was about that same time that I started figuring out suexec. That 
made some radical changes to many of our users' setups (yes, one could 
argue they 'needed to be fixed'). Doing an install is a bit of an 
arduous task. I haven't liked the direction RedHat has taken in recent 
years and actually preferred the select each package method from back in 
the 7.2 days. It seems that the 'list' shown now is nowhere near 
complete. But, I'll trade these issues for the RPM system and the great 
updating procedures. Things like selinux do get in the way... another 
stall to go figure out. And with something as raw as selinux, I'm not 
all that happy that it is the default selected item on the way in. The 
attitude of if you don't know, Redhat knows best just doesn't seem to 
fit here.

Anyway, I guess this all is a moot point. CentOS is supposed to 'follow 
the upstream provider as closely as possible' right down to Anaconda.... 
This 'default' thread really belongs on 'de fault' Redhat list. Then 
again, most of us can't complain there because we don't pay them anything.

I am however glad that the selinux issues have been posted, as it helped 
me decide that my stuff isn't ready for it. I have been enabling it 
under warn mode, just so I can see/learn what issues it feels are 
potential security holes.

Best,
John Hinton