[CentOS] SELinux threads, cynicism, one-upmanship, etc.

Mon Nov 21 13:00:26 UTC 2005
Johnny Hughes <mailing-lists at hughesjr.com>

On Mon, 2005-11-21 at 04:38 -0800, Brian T. Brunner wrote:
> Thanks, Mike.
> 
> What I read is that SELinux is still 'beta', and while the need for good 
> security is decades old, we (CentOS/RHEL folks) should not be presumed 
> to be willing beta testers.  "Enabled by default" presumes I'm willing.
> 
> Brian Brunner
> brian.t.brunner at gai-tronics.com
> (610)796-5838
It is not enabled by default ... unless you mindlessly click through
screens without reading them.

By that standard,  using LVM2 and erasing every hard drive is the
default too ... (Disk Druid - automatically configure files systems)

Or the package selection, or DHCP, or writing the grub to MBR, etc.  All
these things are for an administrator to decide.

SELinux is usable, if you want to use it ... if you don't want to,
great.  That is why you get to install CentOS for yourself and I don't
install it for you and tell you what you can have :)  

I normally don't use SELinux either ... but that is my choice.

But using SELinux is certainly more secure than not using it.


> 
> >>> lesmikesell at gmail.com 11/19/05 11:41AM >>>
> On Fri, 2005-11-18 at 22:42, Lamar Owen wrote:
> 
> > Maybe I'm wrong, but I think any admin needs to experience having their box 
> > cracked.  It will produce the humbleness necessary to the trade, because 
> > overconfidence is dangerous.
> 
> Yes, but when the box gets cracked _because_ they are using the
> latest new thing their distribution added under the guise of
> increased security, as happened with ssh a while back, it
> also produces the attitude that new stuff should soak a long,
> long while in a distribution like fedora before going onto
> production boxes.  You want to at least wait until the surprises
> stop - and I take the flurry of reports of broken apps at
> every update as an indication that they haven't stopped yet.

No, their boxes get cracked mostly because they don't do security
updates.

> 
> Your analogy to a weapon was a good one.  When the experts
> tuning the distribution still can't keep it from blowing
> up in peoples's faces some of the time, normal people should
> keep their distance.  When the fedora and Centos lists go
> several months without a mysterious app failure caused by
> SELinux it will be time to reconsider.
> 
That is, of course, you choice.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos/attachments/20051121/ca9d6031/attachment-0005.sig>