[CentOS] SELinux - way of the future or good idea but !!!
jfranz at freerun.com
Tue Nov 30 14:04:12 EST 2010
On 11/30/2010 10:42 AM, Lamar Owen wrote:
> It boils down to balancing 'it breaks my app that I can't or won't fix' against 'you've been pwned!'
Actually, it boils down to 'what causes more total costs to the
business'. Right now, in my experience, that is SELinux. Break-ins to my
servers are extremely rare (one machine out of several dozen
internet-exposed machines in 13 years). SELinux randomly taking out some aspect
of operations is fairly frequent in comparison (several incidents on
just the handful of machines I have that it was left active on).

Security is not an end unto itself. It exists to support the business
making money. If a cost saving measure is costing the business more than
it is saving it, it is *not* a good idea no matter how technically
superior it is.

This in a very real sense is similar to the 'how much resources should
measures to prevent shoplifting be given' in a retail store. If the
anti-shoplifting measures are costing *more* than the shoplifting you
are preventing - you have lost sight of the actual reason for
anti-shoplifting measures in the first place.