[CentOS] SELinux - way of the future or good idea but !!!

Tue Nov 30 19:04:12 UTC 2010
Benjamin Franz <jfranz at freerun.com>

On 11/30/2010 10:42 AM, Lamar Owen wrote:
>
> It boils down to balancing 'it breaks my app that I can't or won't fix' against 'you've been pwned!'

Actually, it boils down to 'what causes more total costs to the 
business'. Right now, in my experience, that is SELinux. Break-ins to my 
servers are extremely rare (one machine out of several dozen internet 
exposed machines in 13 years). SELinux randomly taking out some aspect 
of operations is fairly frequent in comparison (several incidents on 
just the handful of machines I have that it was left active on).

Security is not an end unto itself. It exists to support the business 
making money. If a cost saving measure is costing the business more than 
it is saving it, it is *not* a good idea no matter how technically 
superior it is.

This in a very real sense is similar to the 'how much resources should 
measures to prevent shoplifting be given' in a retail store. If the 
anti-shoplifting measures are costing *more* than the shoplifting you 
are preventing - you have lost sight of the actual reason for 
anti-shoplifting measures in the first place.

-- 
Benjamin Franz