[CentOS] SELinux - way of the future or good idea but !!!

Sun Nov 28 13:33:28 UTC 2010
William Warren <hescominsoon at emmanuelcomputerconsulting.com>

On 11/28/2010 8:15 AM, Bob McConnell wrote:
> Marko Vojinovic wrote:
>> On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote:
>>> On Sat, Nov 27, 2010 at 9:21 PM, John R. Dennison <jrd at gerdesas.com> wrote:
>>>>         You run it in Permissive mode, you deal with the exceptions as
>>>>         they arise while the software is running in its normal
>>>>         environment and while it's running normally using any of the
>>>>         documented methods.  You thoroughly test the application in such
>>>>         a manner and once you have ironed out any and all issues by
>>>>         putting together a custom policy, setting the right SELinux
>>>>         booleans, etc., you then enable Enforcing mode.  There is really
>>>>         no reason that SELinux should have a negative impact on your
>>>>         application or server if you use Permissive first.
>>> You forgot "take on becoming the SELinux integration manager for that
>>> project with every single update".
>> Every single update? Update of what?
> Marko,
>
> You have completely missed his point. Every update of the application
> *his company* is writing to run on those CentOS servers. This has
> nothing to do with RedHat, CentOS, or any other FLOSS package. It is a
> management problem within his employer's organization. If the managers
> don't care to require the application be SE compliant, he will never be
> able to get the developers to deal with those issues. So for him it is
> already a lost battle.
>
> Bob McConnell
> N2SPP
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
I run a mix of CentOS and Debian.  If you set up your system correctly
you aren't going to get hammered.  It's all down to what apps you are
running.  SELinux helps but I find it gets in the way.  If SELinux were
the panacea it's being billed as here then more distros would have it
enabled by default...however, the opposite is true.  Contrary to the
apparent belief on this list it IS possible to properly harden a box
without SELinux.
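The Permissive-mode workflow John describes above ("deal with the exceptions as they arise", then build a custom policy) starts with reading the AVC denials SELinux logs while nothing is actually blocked. The script below is an added example, not something posted in this thread: it reduces a constructed sample of audit.log AVC lines to the distinct (source type, target type, class, permission) tuples a policy would have to cover, which is the same reduction audit2allow performs before generating rules. The domain and type names (httpd_t, user_home_t, mysqld_port_t) are standard targeted-policy types used here only as illustration.

```shell
#!/bin/sh
# Constructed sample of AVC denials in the format SELinux writes to
# /var/log/audit/audit.log while in Permissive mode (not real log data).
AVC_SAMPLE='type=AVC msg=audit(1290951200.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="app.conf" dev=sda1 ino=5678 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1290951201.456:46): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1290951202.789:47): avc:  denied  { read } for  pid=1235 comm="httpd" name="app.conf" dev=sda1 ino=5678 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Reduce raw AVC lines to unique "source_type target_type class permission"
# tuples. Repeated denials of the same access collapse to one line, so the
# reviewer sees each distinct access a custom policy (or a boolean) must
# address exactly once.
summarize_denials() {
    printf '%s\n' "$1" | awk '
        /avc:  denied/ {
            perm = ""; st = ""; tt = ""; cls = ""
            # permission set is written as "{ perm }" after "denied"
            if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                # the type is the third colon-separated field of a context
                if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            print st " " tt " " cls " " perm
        }' | sort -u
}

# Number of distinct denials still outstanding; zero means the policy and
# booleans cover everything seen so far and Enforcing can be considered.
count_denials() {
    summarize_denials "$1" | wc -l | tr -d ' '
}

summarize_denials "$AVC_SAMPLE"
```

On a live system the same reduction is fed from `ausearch -m avc` instead of the embedded sample; each remaining tuple is then either fixed by relabelling, covered by an existing boolean, or written into a local policy module.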