[CentOS] SELinux - way of the future or good idea but !!!

Wed Dec 8 13:31:39 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 12/8/10 4:22 AM, David Sommerseth wrote:
> On 30/11/10 03:52, cpolish at surewest.net wrote:
>> Christopher Chan wrote:
>>> Les Mikesell wrote:
> [...snip...]
>>> As was already mentioned in another post, run in permissive mode, for a
>>> few days if you must, and go through all the things the software does
>>> and voila! setroubleshoot and/or logs tell you what needs doing.
>>
>> Very optimistic, that. In my shop, some things run annually.
>> A comprehensive system test = production, for a year. Just
>> this morning a 1099 (annual tax-form) script failed in test.
>
> So you would rather disable SELinux completely - 365 days a year, rather
> than to switch to permissive mode when running this script once a year?
>
> I'm sorry, but I'm not able follow that logic.

In our case if something fails once a year we lose customers and money.  I'd 
expect that to be fairly common.

-- 
    Les Mikesell
      lesmikesell at gmail.com