On 05/26/2010 07:40 AM, Craig White wrote:
>
> you can't make a useful argument out of ignorance. If you don't want to
> use SELinux, then disable it. Otherwise, learn to understand how it
> operates and deal with it.
>
> one certain way to cause issues with SELinux is to copy files created in
> other directories or other computers onto another computer because it
> will not have the proper security contexts so the way to fix that is to
> make sure your policy files are all up to date and then relabel your
> file system which should set the contexts to their proper labels.
>
I can make a useful argument from experience. Over the last few years, as
Redhat has progressively deployed SELinux, I have had *several* incidents
(the most recent only a few weeks ago) where updates to SELinux broke
existing, stable systems, each time sucking up hours of my time to
diagnose and fix. And (as in this incident) there are not always useful
error messages to track it with.

The *theoretical* system security improvement of SELinux is trumped by the
*practical* observation that I have had existing systems broken by SELinux
multiple times on the mere handful of systems I have run it on in
enforcing mode, but have yet to see a single one of several dozen (all
internet exposed) up-to-date *non*-SELinux systems hacked.

It is a 'safety' feature that is in practice more dangerous to system
stability than what it is trying to fix. It is like having air bags in
your car that go off at random times while you are driving: It is NOT
acceptable behavior.

--
Benjamin Franz
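The relabel advice in Craig's quoted message is the standard fix for files that arrive with the wrong context. As an added example (not code from either poster), the script below compares the label a file actually carries with the label the loaded policy expects for its path, and relabels from policy when asked. It assumes the stat, matchpathcon and restorecon tools from coreutils and policycoreutils; the path /var/www/html/index.html and the "fix" argument are my own illustrative choices.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Triage a file whose SELinux label may be wrong after being copied or moved
# from another directory or host, and relabel it from the loaded policy.
#
# Assumptions (mine, not from the post): stat, matchpathcon and restorecon
# are installed (coreutils / policycoreutils); the example path
# /var/www/html/index.html served by httpd is hypothetical.

# Return the type field of a security context. A context looks like
# "user:role:type:level", e.g. "unconfined_u:object_r:user_home_t:s0".
# For files, type enforcement decisions key on the type (third) field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare the context a file carries (arg 1) with the context the loaded
# policy expects for its path (arg 2). Exit 0 when a relabel is needed.
# Only the type is compared: the user field legitimately differs between
# files created by root (system_u) and by a login user (unconfined_u).
label_mismatch() {
    [ "$(context_type "$1")" != "$(context_type "$2")" ]
}

# Check one path on a live SELinux system and, if asked, fix it.
# Usage: triage PATH [fix]
triage() {
    path=$1
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not found: install policycoreutils" >&2
        return 2
    fi
    actual=$(stat -c %C "$path")          # label the file has now
    expected=$(matchpathcon -n "$path")   # label file_contexts says it should have
    if label_mismatch "$actual" "$expected"; then
        echo "$path: has $actual, policy expects $expected"
        # Dry run first: -n reports what would change without touching anything.
        restorecon -nv "$path"
        if [ "$2" = fix ]; then
            restorecon -v "$path"
        fi
        return 1
    fi
    echo "$path: label ok ($actual)"
    return 0
}

# Run only when a path is given, so sourcing this file defines the
# functions without touching the system.
if [ $# -gt 0 ]; then
    triage "$@"
fi
```

Two caveats worth knowing before relabeling. First, mv within one filesystem keeps the source label (a file moved out of a home directory stays user_home_t, which httpd_t cannot read), while cp gives the copy the destination's default label; that is the usual way copied files end up mislabeled. Second, a relabel (restorecon -R on a tree, or touch /.autorelabel followed by a reboot for the whole filesystem) resets every file to what the policy's file_contexts say, so a label set by hand with chcon is lost; a non-default location must first be recorded with semanage fcontext before restorecon will keep it.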