nate wrote: > > I can certainly see value in SELinux in some environments, I have > yet to operate one where it would provide value to me. I find that SELinux runs in enforcing mode quite unobtrusively on my laptop, where I'm running a pretty much out-of-the-box Fedora 10. On my CentOS 5 desktop, though, forget it! I'm doing too many things like a dhclient-exit-hooks script that adjusts named.conf and tells the daemon to reload, a script that saves some accounting info when iptables is stopped, various cron jobs that invoke constrained executables to do horrible things like write something to a file, ..., that sort of thing. Every time I take a stab at enabling SELinux in that environment and get close to figuring out enough local policy adjustments and custom labeling to make it work, a new release comes along and none of what I've done works any more. On that system, all removable parts of SELinux have been removed, and all security attributes have been purged from the filesystems. -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.