[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 16:03:40 UTC 2010
Lamar Owen <lowen at pari.edu>

On Monday, November 29, 2010 02:24:14 pm m.roth at 5-cent.us wrote:
> Lamar Owen wrote:
> >  My opinion is that I'm not going to run third party apps that break in that
> > way, and I'm going to let the developers know why.
> <snip>
> That's fine for you. When you're running in a larger environment, as many
> of us are, corporate or government, and you have no choice in what's run,
> esp. if some of it's run by mandate, and the group mandating it only knows
> WinDoze, and companies that they buy software from claim they have it for
> Linux (like CA), or you've got F/OSS that no one has time to do more than
> customize, not go through zillions of lines of code, that generate AVC's,
> you do what we do: mostly permissive.

While I sympathize with the plight of those saddled with software not written with SELinux in mind, I would ask those so saddled to understand that others are running enforcing mode SELinux systems with no trouble at all.

And in most cases where I've needed to troubleshoot AVC's, they've been file labels, and didn't require going through zillions of lines of code to fix.

But the basic real trouble is that the upstream developers cannot fix bugs that they don't know about. Now perhaps they don't care about SELinux; well, at that point I would hazard to say that perhaps you should just run whatever is best supported by upstream, whether that be SuSE, or Debian, or whatever.