On Sat, Jan 07, 2012 at 05:39:15AM -0800, Bennett Haselton wrote:
> What you think people "should" know is a matter of opinion. However,
> complaining about what people "should" know, usually doesn't do any
> good, and that's an empirical fact, not an opinion.

I'm not complaining. I'm pointing out that anyone that doesn't take full advantage of every security technology at their disposal, in this case limited in scope to selinux and selinux only, (so please stop going off on tangents about AV and historical issues, please) deserves whatever they get as a result of what boils down to nothing more than simple laziness.

> Apparently the marketplace favors hosting companies turning SELinux off
> because the failures it causes are too obscure and it causes too many
> support headaches.

Well, tough cookies. This is in no way justification for crappy security practices. In fact this is pure nonsense. Laziness in not caring to learn the systems you work with is never justification for anything.

Hosting companies can trivially put together a set of documentation to point users at; even if that documentation provides nothing more than a set of links to other, properly-maintained, documentation available on the net such as that provided by TUV, that provided by CentOS, that provided by Fedora which is still applicable in many instances, etc. If they did so their customers would have a place to go to read up on that which you claim to be a "support headache".

Admins, in 2012, have _no excuse_ not to know selinux basics. People need to start becoming responsible. Perhaps if the aforementioned boycott would take place irresponsible hosting companies might realize that something needed to change from looking at their bottom-line. If these companies had any marketing skills worth spit they'd take advantage of the fact that they provision with selinux enabled and enforced and spin it in their favor.

I'm truly sick of the "*cry* selinux makes things _hard_ *cry*" whining from not only users but hosting providers and alleged "administrators" that are, at the root of it, too lazy to figure out how to properly use selinux and similar technologies. I'm not a rocket scientist and yet _I_ have no issues figuring it out. If _I_ can do it, pretty much anyone else can as well.

> A non-changing-human-nature solution might be to
> notify the user directly when SELinux blocks something. The GUI
> apparently already does this via a dialog box when viewing a desktop;
> perhaps there's a way to do it on the command line too. (When the user
> runs something that's blocked by SELinux, just send a message to the
> terminal saying "SELinux blocked this", or something. Would be a start.)

setroubleshootd can already do this via email to the configured target address(es). Again, a simple matter of reading the available documentation may have made this clear.

> Nobody else was trimming. When in Rome :) (By definition, a
> quoted-quoted-quoted message can only keep getting longer if nobody else
> is trimming either.)

I'm close to chalking this up to a form of laziness as well. Editors are, after all, _hard_ to use properly :)

John

-- 
Life is like a game of cards. The hand that is dealt you represents determinism; the way you play it is free will.

-- Jawaharlal Nehru