> The *theoretical* system security improvement of SELinux is trumped by
> the *practical* observation that I have had existing systems broken by
> SELinux multiple times on the mere handful of systems I have run it on
> in enforcing mode, but have yet to see a single one of several dozen
> (all internet exposed) up-to-date *non*-SELinux systems hacked.
>
> It is a 'safety' feature that is in practice more dangerous to system
> stability than what it is trying to fix. It is like having air bags in
> your car that go off at random times while you are driving: It is NOT
> acceptable behavior.

Under CentOS 5.5, and I presume RHEL5.5 too, there is a small improvement in the shape of setroubleshoot-server; it at least gives you improved troubleshooting capabilities.

Not that it helps when you upgrade a 5.4 machine to 5.5 and you get no SELinux logging whatsoever because setroubleshoot-server wasn't installed during the upgrade. Note to self: need to add it to the minimal-kickstart configurations.