[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 04:19:13 UTC 2010
Christopher Chan <christopher.chan at bradbury.edu.hk>

----- Original Message ----- 
From: <cpolish at surewest.net>
> Christopher Chan wrote:
>> Les Mikesell wrote:
>>
>> >> All of the third-party software I run seems to run just fine, as long 
>> >> as the right contexts are applied.
>> >
>> > Well, obviously it will work after someone takes the time to make it
>> > work.  Now it is your turn to quantify:  How much would you charge to
>> > teach someone to be able to make those changes and how long would it
>> > take?  This has to include the ability to quickly diagnose and fix any
>> > problem that might be caused by updates to the application or to the OS
>> > distribution.
>> >
>>
>> As was already mentioned in another post, run in permissive mode, for a
>> few days if you must, and go through all the things the software does
>> and voila! setroubleshoot and/or logs tell you what needs doing.
>
> Very optimistic, that. In my shop, some things run annually.
> A comprehensive system test = production, for a year. Just
> this morning a 1099 (annual tax-form) script failed in test.
>


For some reason, I suspect that this annual stuff would be largely run by 
hand. Of course, it would be nice if you don't have to get a call for this 
annual stuff but I do not see that as absolutely so disabling that SELinux 
has to be disabled.
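
The permissive-mode workflow discussed in the thread above (exercise the software, then read what the logs say needs doing), as an added example that is not part of the original messages: a small parser that groups AVC denial records by source type, target type and object class. The sample log lines are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (illustrative, not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1291090753.101:210): avc:  denied  { read } for  pid=4312 comm="report.sh" name="forms.dat" dev=dm-0 ino=7781 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1291090753.105:211): avc:  denied  { getattr } for  pid=4312 comm="report.sh" path="/var/forms.dat" dev=dm-0 ino=7781 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1291090753.105:211): arch=c000003e syscall=4 success=yes exit=0
type=AVC msg=audit(1291090760.300:215): avc:  denied  { name_connect } for  pid=4320 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

# Matches the denied permission set and the contexts of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None


def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # SYSCALL and other record types carry no denial
        key = (context_type(match["scon"]), context_type(match["tcon"]), match["tclass"])
        if None in key:
            continue  # malformed context, skip rather than guess
        summary[key]["perms"].update(match["perms"].split())
        comm = COMM_RE.search(line)
        if comm:
            summary[key]["comms"].add(comm.group(1))
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls), info in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(info['perms']))} }}"
              f"  seen from: {', '.join(sorted(info['comms']))}")
```

The summary only covers code paths that actually ran while the log was being collected, which is the gap the annual-job objection in the thread points at.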