[CentOS] SELinux - way of the future or good idea but !!!

Mon Nov 29 19:24:14 UTC 2010
m.roth at 5-cent.us <m.roth at 5-cent.us>

Lamar Owen wrote:
> On Monday, November 29, 2010 11:29:31 am Les Mikesell wrote:
>> Agreed, but not everyone has time to do both - or to learn lots of
>> distribution-specific details in mixed environments.  My opinion is that
>> doing the simple stuff first is a win.  And that works the same on
>> systems that don't include SELinux.
> Security isn't simple.  The mantra 'just disable SELinux, you don't need
> it anyway because it's too big of a pain and apps that aren't part of the
> tested distribution can break' is oversimplifying a complex issue.  My
> opinion is that I'm not going to run third party apps that break in that
> way, and I'm going to let the developers know why.
That's fine for you. When you're running in a larger environment, as many
of us are, corporate or government, and you have no choice in what's run,
esp. if some of it's run by mandate, and the group mandating it only knows
WinDoze, and companies that they buy software from claim they have it for
Linux (like CA), or you've got F/OSS that no one has time to do more than
customize, not go through zillions of lines of code, that generate AVCs,
you do what we do: mostly permissive.