[CentOS] SELinux - way of the future or good idea but !!!

Thu Dec 9 00:00:20 UTC 2010
Christopher Chan <christopher.chan at bradbury.edu.hk>

On Thursday, December 09, 2010 05:00 AM, Warren Young wrote:
> On 12/8/2010 7:13 AM, Christopher Chan wrote:
>>
>> Such [periodic failures] are fairly common
>
> I'd say the main reason someone chooses CentOS (or another Linux flavor
> with similar policies, like Ubuntu LTS) is that the distro provider has
> made a long-term support commitment with minimal churn during a major
> release.
>
> This is why we tolerate the fact that CentOS 5 still ships Firefox 1.5
> five years after Mozilla released it: not because we're troglodytes
> unwilling to upgrade, ever, but because we don't want something as
> random as a browser bug fix to break a formerly-working server.
>
>> and usually run manually.
>
> I assume you mean to advocate running updates infrequently, or at least
> be around to fix them when the automated updates break.
>
> If the former, you're mad if that server is exposed to the Internet.
> You're only slightly deranged if it's LAN-bound but in an organization
> large enough to support ongoing internal strife.

No, I advocate setting up SELinux properly, which will take care of the
automatic updates. Did you miss all the pointers to using semanage so
that relabels will cover your non-default necessities? And that is not
just from me, either.


>
> If the latter, that's not practical for everyone who uses CentOS.  I,
> like many others I'm sure, support hundreds of boxes that are almost all
> geographically distant from me.  On top of that, the vast majority of
> those boxes are in a different time zone, so that even though they're
> only used during regular business hours, those hours may occur while I'm
> off trying to have a life.  Or sleep.

See above. Again, the main issue is: Learn to use the thing properly!
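
An added example, not part of the original message: a preflight for the semanage approach mentioned above. It reads a `restorecon -R -n -v` dry run and prints, for each file a relabel would reset, the `semanage fcontext` rule that would make the current type persistent. The function names, the `/data/web` paths and the sample lines are constructed; it assumes the two dry-run output formats noted in the comments and paths without whitespace.

```shell
#!/bin/sh
# Labels set by hand with chcon are not recorded in policy, so a relabel
# (or an update that triggers one) resets them. A dry run of restorecon
# shows that drift; this turns it into reviewable semanage rules.
#
# Dry-run line formats handled (assumed):
#   restorecon reset PATH context OLD->NEW     (older policycoreutils)
#   Would relabel PATH from OLD to NEW         (newer policycoreutils)

drift_to_rules() {
    awk '
    # SELinux context is user:role:type[:level]; the type is field 3.
    function type_of(ctx,   f) { split(ctx, f, ":"); return f[3] }
    function emit(path, old, new) {
        printf "semanage fcontext -a -t %s \047%s\047  # relabel would set %s\n",
               type_of(old), path, type_of(new)
    }
    /^restorecon reset / && $4 == "context" {
        split($5, c, "->"); emit($3, c[1], c[2]); next
    }
    /^Would relabel / && $4 == "from" && $6 == "to" {
        emit($3, $5, $7); next
    }'
}

# Constructed sample input: two files labelled by hand under /data/web.
sample_dry_run() {
    cat <<'EOF'
restorecon reset /data/web/index.html context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
Would relabel /data/web/app.cgi from unconfined_u:object_r:httpd_sys_script_exec_t:s0 to unconfined_u:object_r:default_t:s0
EOF
}

# With a directory argument, inspect the live system (changes nothing: -n).
if [ "$#" -gt 0 ]; then
    restorecon -R -n -v "$1" 2>&1 | drift_to_rules
fi
```

Review the printed rules before running them: a path is a regular expression to `semanage fcontext`, and a whole tree is usually better covered by one rule such as `'/data/web(/.*)?'` followed by `restorecon -R -v /data/web`.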