Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))

[Davide Bolcioni]

Lamont R. Peterson wrote:

> By no means is this limited to home users.  I would say that the *vast* 
> majority of corporate admins just turn off SELinux.  The story behind how & 
> why they learned to do that to begin with only vary in details.  It's almost 
> always, "I had problems installing X or doing Y and I found a document on the 
> Internet that said that SELinux was in the way and didn't work right anyway 
> and was too complicated and didn't do me any good and that I couldn't learn 
> enough about it to even understand what was happening, let alone deal with 
> it, in less than a month and ... well, so I just turn off SELinux and then I 
> don't have to deal with it."

I think we might be aiming at the wrong target, especially in
the case of corporate admins. Target application developers,
not admins: applications must work without requiring any modification
to the system and adapt accordingly. Make modifications invalidate the
RHEL support contract: SELinux just helps you to nail down lazy
application developers. If the application means more money to the admin
than the support contract, he disables it *knowingly* and should the
need arise RH support engineers do rpm -Va, notice that something is 
fishy, and the admin pays per incident or whatever the contract says. If 
the admin does not like this, next time he'll complain to the 
application vendor which will get his code, the actual culprit, fixed.

Davide Bolcioni
-- 
There is no place like /home.