Tom Horsley wrote:
>
> OK, I can turn off selinux, and not get any of these errors, or
> I can leave selinux on, get errors, look at the troubleshoot report,
> and follow the instructions to enable the program that had problems
> to go ahead and do whatever nasty things selinux detected. All without
> doing the kind of massive code review required to prove that the nasty
> things are actually harmless in this particular program's case.
>
> So why isn't it much simpler and less trouble to just turn off
> selinux in the first place? I get the same level of security in the
> end, and much less hassle in the meantime :-).
>

Of course that isn't quite true. What you would have done is made the decision to trust a single program. You haven't disabled the various selinux protection schemes for other components. In other words, you've handed out a set of keys. You've not unlocked and opened all the doors and all the windows and turned off the alarm system.