How best get rid of SELinux?

Tim ignored_mailbox at yahoo.com.au
Sat Sep 22 05:11:32 UTC 2007


On Fri, 2007-09-21 at 15:16 -0500, Mike McCarty wrote:
> Where I disagree with the supporters of SELinux is in the pervasive
> approach it uses to fixing compromise on my desktop machine. My
> preferred recovery is reload from backup. That has to be done
> regardless of whether SELinux was active at the time the compromise
> took place, and I see any potential added benefit from it is
> being FAR less than the actual defects that having the code
> on my machine introduces. 

And why not throw out the code that prevents others from reading files
without read permissions for the other users.  Surely that adds to the
bloat, too...  While you're at it, let's throw out the code that makes
me enter a password before trying to do something that needs root
privileges.  That's bloat too.

SELinux may *prevent* a machine from getting compromised, in the first
place.  You keep on ignoring that.  Preventing a compromise is better
than picking up the pieces beforehand.

SELinux, firewalls, and other protective measures are there to help
protect you against the exploits that you didn't know about at the time.

It, like anything else, may have a fault at some time, but that will get
fixed.  Just because *at one time* SELinux may have allowed something it
shouldn't isn't a reason to denigrate it forever more.  That's just
plain stupid.  Do you never use Apache, Firefox, Mozilla, Thunderbird,
or any other software, ever again, because someone found a fault with
them two years ago that has since been rectified?

-- 
[tim at bigblack ~]$ uname -ipr
2.6.22.5-76.fc7 i686 i386

Using FC 4, 5, 6 & 7, plus CentOS 5.  Today, it's FC7.

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.





