John R. Dennison wrote:
> On Thu, Dec 06, 2012 at 01:30:40PM -0600, Les Mikesell wrote:
>>
>> Sorry to burst your bubble here, but note that this is from a guy that
>> says he hasn't changed things in years.   The 'normal' selinux
>> reaction to problems is not nonsense, just real life when you have a
>> bunch of people trying to do new things and a tool that is designed to
>> restrict them.
>
> Then let me sum this up thusly.  If anyone is in the habit of managing
> systems with selinux set to disabled because "it's too hard" or "it
> takes too much time" or any number of other ridiculous excuses instead
> of learning to properly manage the systems with the tools and
> documentation provided then they need to reconsider their chosen career
> path as they are quite obviously not cut out for systems administration
> / engineering.
>
> I manage many, many hundreds of systems.  Not a single one has selinux
> disabled.  I have _no_ problems in doing so.  Does it take a little time
> to do it when first installing a package without a pre-packaged policy?
> Yes; and this is one reason you don't do this type of thing in a
> production environment.  Is it less time than it takes to recover from a
> compromise?  Yes; _many_ times less.
<snip>
The general CentOS mailing list: everyone's soapbox.
We've got selinux on permissive on almost every system. Perhaps your boxes
are almost all production: most of ours are either dev or research. Even
the production boxes - most have websites or apps written by developers
with *zero* knowledge of selinux.
And then there are the third-party apps like that... or from the Windows
world. For example, I've posted here in the past, and on the fedora
selinux list, fighting CA's SiteMinder (we won't talk about the piece of
crap that is, for which our tax dollars pay a *lot*), but it's *all*
guesswork and make-do to even keep that working, and making selinux active
would kill that most of the time, and we're *required* to use it.
Must be nice, working in an environment that can enforce selinux. This
ain't it.
       mark
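Since the disagreement above is really about what enforcing mode would break on boxes that run permissive today, here is an added example (not from anyone in the thread) that answers that question from the audit log: in permissive mode the kernel still records every denial, tagged permissive=1, so summarising those records shows exactly which domain/type/permission pairs a switch to enforcing would start blocking. The audit lines are constructed for the example, the comm="vendor_agent" process is hypothetical, and the script assumes the kernel emits the permissive= field on AVC records.

```shell
#!/bin/sh
# Constructed AVC records in /var/log/audit/audit.log format (sample data,
# not taken from any real host). permissive=1 means the access was logged
# but NOT blocked, i.e. it is what enforcing mode would deny.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1354820000.101:301): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1354820000.102:302): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1354820000.103:303): avc:  denied  { read } for  pid=2002 comm="httpd" name="app.conf" dev="dm-0" ino=8823 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1354820000.104:304): avc:  denied  { execmem } for  pid=2003 comm="vendor_agent" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
type=AVC msg=audit(1354820000.105:305): avc:  denied  { write } for  pid=2004 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
)

# avc_summary: reads audit records on stdin and prints one line per distinct
# (source type, target type, object class, permission) among denials that
# were only logged because of permissive mode, most frequent first.
avc_summary() {
    grep 'type=AVC' | grep 'permissive=1' |
    awk '{
        perm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)              # "{ name_connect }"
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # httpd_t
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }  # mysqld_port_t
            if ($i ~ /^tclass=/) cls = substr($i, 8)   # strip "tclass="
        }
        if (perm != "") count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# would_block_count: number of distinct denial kinds enforcing mode would add.
would_block_count() {
    avc_summary | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
```

On a real host, replace the sample with `cat /var/log/audit/audit.log | avc_summary`; the sshd record (permissive=0) is already enforced and is correctly left out of the report.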