No more selinux-policy-*-sources

Stephen J. Smoogen smooge at gmail.com
Tue Mar 14 18:30:58 UTC 2006


On 3/14/06, Ralf Corsepius <rc040203 at freenet.de> wrote:
> On Tue, 2006-03-14 at 16:54 +0000, Andrew Haley wrote:
> > Stephen J. Smoogen writes:

> Finally, one fundamental problem, probably most users ask
> themselves: Is coping with all the issues SELinux causes worth the
> effort, and does it really help the user?
>
> I guess, all Fedora users have been fighting with SELinux at some point
> in time, but probably nobody or at least very few have seen SELinux
> preventing damage from a system in real world installations.
>

I can say that is false. Yes, I had some problems, but instead of
turning it off I took the time to learn what it wanted. I have seen
several cases where the SELinux targeted rules in httpd stopped bad
stuff from happening where a hacker tried to dial home but couldn't. At
this point, I think turning off SELinux is the equivalent of not using
shadow files and no firewall.

Yes, Apache is complex and you can do tons of different things with
it... and you cannot enumerate out of the box every type of thing you
can do with it. However, just because you can do something doesn't
mean you should do it, and if you don't know what it is going to do...
then you are better off with the computer saying "sorry, can't let that
happen" than "oh gee, look, my box has been a kiddie-porn repository for
the last 6 months".

--
Stephen J Smoogen.
CSIRT/Linux System Administrator



