1,000 pardons for aggressively trimming this post, sorry if I have harmed
the flow by being selective.

Bob McConnell wrote:
> Marko Vojinovic wrote:
> > Bob McConnell wrote:
> >> Marko Vojinovic wrote:
> >>> Nico Kadel-Garcia wrote:

Hypothetical: one admins a vended suite of applications that comprise an
ERP. Many layers of management going all the way up to elected Board
members, and by implication the public, have spent $millions to acquire,
install, and augment it until it runs every aspect of the business. A
thousand staff members and 20,000 customers have been trained to use the
system. Major components (LDAP, email, database) come from a Fortune 50
company that was assimilated by another Fortune 50 company. Not one piece
of the ERP comes in RPM form.

> >> You have completely missed his point. Every update of the application
> >> *his company* is writing to run on those CentOS servers. This has
> >> nothing to do with RedHat, CentOS, or any other FLOSS package. It is a
> >> management problem within his employer's organization. If the managers

In this (hypothetical) situation, managers don't have the right kind of
power. They can't dictate policy to major corporations. They could attempt
to bring a couple of dozen in-house applications into compliance, but does
that make sense when the ERP is not in compliance, thus SELinux is not an
option?

> > Well, in that case he is dealing with a broken/badly coded app, and
> > irresponsible managers and developers. It's a problem, yes, but this isn't a

The ERP is (hypothetically of course) badly broken on many levels. So,
what can one constructively do? Complain at a Board meeting? Write letters
to the newspapers? Start a boycott against the vendors? Open 1,000 service
requests with the vendors? Buy the "myERPsucks" domain name? It's a
cumbersome, balky problem that AFAICT has no easy answer. Some issues need
attention at the governance level, such as IT getting more involved in
vendor selection.

> > given to people on this list to turn off SELinux because some devs in some
> > company don't do their job right is also completely wrong.

Perhaps completely wrong, but also thoroughly entrenched, as explained
above.

> don't believe it can be considered a panacea either. Even with SE in
> full protected mode, a simple SQL injection flaw can still expose much
> of the sensitive data on your server.

An example: Crafty Person enters an account # as:

9000' OR true

and for the sake of argument, this retrieves 20,000 customer records. Does
SELinux "do" anything? I suspect the answer is no. Tends to support the
preceding argument (it's not a panacea).

--
Charles Polisher
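The SQL injection case raised in this thread, shown as an added example that is not part of the list post or any project discussed in it. It builds a small constructed in-memory SQLite table of customers, runs the account lookup two ways, and adds a row-count guard. Because account numbers here are numeric, the vulnerable query interpolates the input unquoted, so the list's `9000' OR true` idea becomes `9000 OR true`; the table contents, the function names and the 1-row guard threshold are assumptions. SELinux cannot help with this class of bug: the database process is legitimately allowed to read the customers table, so a query that returns every row looks exactly like a permitted read at the OS level. The fix belongs in the application (a parameterized query), and the guard shows one application-level detection a defender can add.

```python
import sqlite3

# Constructed sample data (not from the mailing-list post).
CUSTOMERS = [(9000, "Alice"), (9001, "Bob"), (9002, "Carol")]


def make_db():
    """Create an in-memory SQLite database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account INTEGER, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, account_input):
    """Build the WHERE clause by string concatenation (the defect).

    The user's text becomes part of the SQL statement, so an input such as
    '9000 OR true' turns a single-account lookup into a full-table read.
    """
    sql = "SELECT account, name FROM customers WHERE account = " + account_input
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account_input):
    """Pass the input as a bound parameter (the fix).

    The driver hands the value to SQLite separately from the statement text,
    so it is only ever compared as a value and never parsed as SQL.
    """
    sql = "SELECT account, name FROM customers WHERE account = ?"
    return conn.execute(sql, (account_input,)).fetchall()


def lookup_guarded(conn, account_input, max_rows=1):
    """Parameterized lookup plus a defensive row-count check.

    A per-account lookup should return at most one row; anything more is
    a sign that the query did not do what the application intended and
    is worth logging or alerting on rather than returning to the caller.
    """
    rows = lookup_parameterized(conn, account_input)
    if len(rows) > max_rows:
        raise ValueError(
            "account lookup returned %d rows (expected at most %d)"
            % (len(rows), max_rows)
        )
    return rows


if __name__ == "__main__":
    db = make_db()
    print("normal input, vulnerable:   ", lookup_vulnerable(db, "9000"))
    print("injected input, vulnerable: ", lookup_vulnerable(db, "9000 OR true"))
    print("normal input, parameterized:", lookup_parameterized(db, "9000"))
    print("injected input, parameterized:", lookup_parameterized(db, "9000 OR true"))
```

With the concatenated query the injected input returns every customer row; with the bound parameter the same text is compared as a value, matches nothing, and returns an empty result. The `max_rows` guard is a cheap second line of defence for any query the application expects to be a single-row lookup.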