Why do I need SELinux?

Craig White craigwhite at azapple.com
Sat Feb 19 22:24:17 UTC 2005


On Sat, 2005-02-19 at 17:01 -0500, David Cary Hart wrote:
> On Sat, 2005-02-19 at 14:40 -0700, Craig White wrote:
> > On Sat, 2005-02-19 at 16:33 -0500, David Cary Hart wrote:
> > 
> > > 
> > > I know but every experiment on another machine has yielded unexpected
> > > results. It's on my list of TODOs (to fully understand SEL). One thing I
> > > have learned is NEVER to use what I don't fully understand. SELinux is
> > > like Talmudic study to me at this point.
> > ----
> >  Why not admit
> > that you are afraid of creating extra work for yourself because you
> > don't understand it and find it easier just to shut it off?
> > 
> OK. -;)
> 
> Actually, it's not the work. I just recall making some "simple" changes
> in the past that cascaded to a server failure. Since it has no monitor
> nor keyboard and a very fussy SCSI RAID I am reluctant to mess with it.
> 
> The vast majority of production Linux servers run without SELinux.
----
That's likely to change.

RHEL 4 uses SELinux and I would bet that other 2.6 kernel 'professional'
or 'stable' versions will likewise use it.

You have this uncanny habit of looking for reasons to justify why you
are avoiding learning to cope with SELinux. It's your server and you can
do as you please. SELinux has a point - you certainly can opt out. I
will agree that it's easier and that ALL my servers are still running
2.4 kernel so I haven't had to grapple with it...yet.

Myself, I would hate to have to justify to a client of mine why I
disabled a basic security tool just because I didn't have the time or
capacity to understand it.

Craig



