On 12/7/10 1:45 PM, Marko Vojinovic wrote:
>
> And it isn't really rocket science. It's just an extension to the existing
> classical permissions system --- it works in analogous way, just with greater
> flexibility and power. If you know how to understand and use file permissions,
> you will easily grasp all about SELinux.

No, it doesn't have much in common with the standard uid/gid based permissioning system.

> 5) disable SELinux and be ignorant about security.
>
> If you choose 5), feel free to also disable iptables, log in as root all the
> time, and make sure that the root password is clearly visible on the company
> website. Why bother with all that stuff, anyway? ;-)

I think you've missed the point that 'all that stuff' (being traditional unix security mechanisms) are not all that insecure. It is only when you get them wrong that you need to fall back on selinux as a safety net. And if you can't get the simple version right, how can you hope to do it right with something wildly more complicated?

--
Les Mikesell
lesmikesell at gmail.com