[CentOS] courier mail for Centos
Scot P. Floess
sfloess at nc.rr.com
Thu Dec 6 20:13:48 UTC 2012
I'd throw in to the mix - I have a lot of experience with *nix's - but
limited time to learn things and must concentrate on what I need to know.
I've never mastered SELinux and disable it - all the time. However, my
needs are for my home network - which I administer. I have many hosts and
quite a few VMs - but I don't think it's worth my time nor effort to use
SELinux. Am I lazy - yes. Do I care - no.
Seems harsh what you said :( Maybe in a prod setting, you are correct -
but chill :) This is a great mailing list...hate to see fighting or
perceived fighting :(
On Thu, 6 Dec 2012, m.roth at 5-cent.us wrote:
> John R. Dennison wrote:
>> On Thu, Dec 06, 2012 at 01:30:40PM -0600, Les Mikesell wrote:
>>>
>>> Sorry to burst your bubble here, but note that this is from a guy that
>>> says he hasn't changed things in years. The 'normal' selinux
>>> reaction to problems is not nonsense, just real life when you have a
>>> bunch of people trying to do new things and a tool that is designed to
>>> restrict them.
>>
>> Then let me sum this up thusly. If anyone is in the habit of managing
>> systems with selinux set to disabled because "it's too hard" or "it
>> takes too much time" or any number of other ridiculous excuses instead
>> of learning to properly manage the systems with the tools and
>> documentation provided then they need to reconsider their chosen career
>> path as they are quite obviously not cut out for systems administration
>> / engineering.
>>
>> I manage many, many hundreds of systems. Not a single one has selinux
>> disabled. I have _no_ problems in doing so. Does it take a little time
>> to do it when first installing a package without a pre-packaged policy?
>> Yes; and this is one reason you don't do this type of thing in a
>> production environment. Is it less time than it takes to recover from a
>> compromise? Yes; _many_ times less.
> <snip>
> The general CentOS mailing list: everyone's soapbox.
>
> We've got selinux on permissive on almost every system. Perhaps your boxes
> are almost all production: most of ours are either dev or research. Even
> the production boxes - most have websites or apps written by developers
> with *zero* knowledge of selinux.
>
> And then there are the third-party apps like that... or from the Windows
> world. For example, I've posted here in the past, and on the fedora
> selinux list, fighting CA's SiteMinder (we won't talk about the piece of
> crap that is, for which our tax dollars pay a *lot*), but it's *all*
> guesswork and makedo to even keep that working, and making selinux active
> would kill that most of the time, and we're *required* to use it.
>
> Must be nice, working in an environment that can enforce selinux. This
> ain't it.
>
> mark
Scot P. Floess RHCT (Certificate Number 605010084735240)
Chief Architect FlossWare http://sourceforge.net/projects/flossware
http://flossware.sourceforge.net
https://github.com/organizations/FlossWare