selinux is a pain
Marcus D. Leech
mleech at ripnet.com
Tue Sep 20 20:01:40 UTC 2011
On 20/09/2011 3:57 PM, Martín Marqués wrote:
> 2
> I spoke with someone who works in HP (system administration) that told
> me they have SELinux disabled on the servers, as the overhead in
> administration is to high.
>
> I'd like to believe my problem is due to lack of selinux configuration
> knowledge, and not that it's useless.
It`s not that it`s useless.
It`s that in the *real world*, getting the immensely-complicated policy
machinery correct is next-to-impossible. And by correct, I mean
``provides security, and never causes unwanted failures of
applications``.
SELinux is extremely ornate, and even after all these years, you end up
running up against not-quite-right policy databases that cause you grief.
Once you`ve done a few of those, the temptation is to turn it off. A
properly-configured Linux server, even without SELinux, but with other
security features like firewalling turned on, is likely secure-enough
in many environments.
More information about the users
mailing list