[CentOS] courier mail for Centos

Scot P. Floess sfloess at nc.rr.com
Thu Dec 6 20:13:48 UTC 2012


I'd throw in to the mix - I have a lot of experience with *nix's - but 
limited time to learn things and must concentrate on what I need to know. 
I've never master SELinux and disable it - all the time.  However, my 
needs are for my home network - which I administer.  I have many hosts and 
quite a few VMs - but I don't think its worth my time nor effort to use 
SELinux.  Am I lazy - yes.  Do I care - no.

Seems harsh what you said :(  Maybe in a prod setting, you are correct - 
but chill :)  This is a great mailing list...hate to see fighting or 
perceived fighting :(

On Thu, 6 Dec 2012, m.roth at 5-cent.us wrote:

> John R. Dennison wrote:
>> On Thu, Dec 06, 2012 at 01:30:40PM -0600, Les Mikesell wrote:
>>>
>>> Sorry to burst your bubble here, but note that this is from a guy that
>>> says he hasn't changed things in years.   The 'normal' selinux
>>> reaction to problems is not nonsense, just real life when you have a
>>> bunch of people trying to do new things and a tool that is designed to
>>> restrict them.
>>
>> Then let me sum this up thusly.  If anyone is in the habit of managing
>> systems with selinux set to disabled because "it's too hard" or "it
>> takes too much time" or any number of other ridiculous excuses instead
>> of learning to properly manage the systems with the tools and
>> documentation provided then they need to reconsider their chosen career
>> path as they are quite obviously not cut out for systems administration
>> / engineering.
>>
>> I manage many, many hundreds of systems.  Not a single one has selinux
>> disabled.  I have _no_ problems in doing so  Does it take a little time
>> to do it when first installing a package without a pre-packaged policy?
>> Yes; and this is one reason you don't do this type of thing in a
>> production environment.  Is it less time than it takes to recover from a
>> compromise.  Yes; _many_ times less.
> <snip>
> The general CentOS mailing list: everyone's soapbox.
>
> We've got selinux on permissive on almost every system. Perhaps your boxes
> are almost all production: most of ours are either dev or research. Even
> the production boxes - most have websites or apps written by developers
> with *zero* knowledge of selinux.
>
> And then there are the third-party apps like that... or from the Windows
> world. For example, I've posted here in the past, and on the fedora
> selinux list, fighting CA's SiteMinder (we won't talk about the piece of
> crap that is, for which our tax dollars pay a *lot*), but it's *all*
> guesswork and makedo to even keep that working, and making selinux active
> would kill that most of the time, and we're *required* to use it.
>
> Must be nice, working in an environment that can enforce selinux. This
> ain't it.
>
>       mark
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Scot P. Floess             RHCT  (Certificate Number 605010084735240)
Chief Architect FlossWare  http://sourceforge.net/projects/flossware
                            http://flossware.sourceforge.net
                            https://github.com/organizations/FlossWare



More information about the CentOS mailing list