[CentOS] SELinux - way of the future or good idea but !!!

Wed Dec 8 23:07:29 UTC 2010
Christopher Chan <christopher.chan at bradbury.edu.hk>

On Wednesday, December 08, 2010 11:03 PM, William Warren wrote:
> On 12/8/2010 9:13 AM, Christopher Chan wrote:
>> On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote:
>>> On 12/8/10 4:22 AM, David Sommerseth wrote:
>>>> On 30/11/10 03:52, cpolish at surewest.net wrote:
>>>>> Christopher Chan wrote:
>>>>>> Les Mikesell wrote:
>>>> [...snip...]
>>>>>> As was already mentioned in another post, run in permissive mode, for a
>>>>>> few days if you must, and go through all the things the software does
>>>>>> and voila! setroubleshoot and/or logs tell you what needs doing.
>>>>> Very optimistic, that. In my shop, some things run annually.
>>>>> A comprehensive system test = production, for a year. Just
>>>>> this morning a 1099 (annual tax-form) script failed in test.
>>>> So you would rather disable SELinux completely - 365 days a year, rather
>>>> than to switch to permissive mode when running this script once a year?
>>>> I'm sorry, but I'm not able to follow that logic.
>>> In our case if something fails once a year we lose customers and money.  I'd
>>> expect that to be fairly common.
>> Again, that particular process is unlikely to be missed and also shown to
>> be easily mitigated by doing a realtime switch from enforcing to
>> permissive. Such annual processes are fairly common and usually run
>> manually. You have yet to make a compelling case for completely
>> disabling SELinux just for this sort of thing.
> Losing customers and money on an annual basis is a great reason to kill
> it.  Make it able to work without updates interfering with a formerly
> running configuration on a regular basis and more folks will adopt it.
> Saying killing it because it is hurting your business isn't a valid
> reason is arrogant and frankly stupid.  Frankly, there's several other
> distros that don't run SELinux and they aren't any more problematic when
> properly configured than RHEL is..and they just work.  Let's put the
> SELinux religion aside..make it not only technically superior but
> actually usable and helpful and you'll see a wider adoption.  The kind
> of arrogance I've seen in this thread is a primary reason it won't get
> appreciable traction outside of RHEL and why it won't be a major tool in
> admins' toolbox inside RHEL unless folks don't NEED the flexibility Linux
> in general offers and SELinux restricts.

Please give me an example of any software stupid enough to do 
end-of-year processes automatically and especially financial ones that 
do not know how to roll back should the process fail for any reason.

Arrogance? Ha! If dissing software that takes a bad approach to 
end-of-year processes is arrogance then so be it.