USB thumb drive question... SELinux .. on or off?

Rodolfo J. Paiz rpaiz at simpaticus.com
Thu Oct 14 15:33:05 UTC 2004


On Wed, 2004-10-13 at 23:04 -0500, Jerone Young wrote:
> I think everyone is missing the point here.

Au contraire.

>  If I am an Average User I
> am not running an apache web server.

So SELinux shouldn't affect you at all, right?

>  Most people who are not in the
> security community have no idea what SELinux actually does.

I don't know what many of the Linux security mechanisms do, but I'm damn
grateful that they are there and that they protect me so much better
than Windows did.

> By having SELinux on by default you make simple problems turn
> into big problems that people do not understand.

You can then debug and improve these problems and make the system
better. However, by having security measures off by default you end up
with a Swiss-cheese operating system like Windows, and then you get
Nimda, Code Red, Melissa, and all sorts of other neat things in your
computer.

Temporary teething problems and debugging? Or millions in losses due to
cracked computers, loss of data, denial of service, and other problems?

I'll take SELinux on by default, thank you very much.

> I hate to break it
> to you guys but most people are trying to use Linux as a Desktop &
> other uses that have nothing to do with apache.

Attempting to pass off a personal opinion as an obvious truth by
prepending "I hate to break it to you" does not work. Your statement is
entirely wrong, period.

"Most people" today are using Linux in servers, not desktops. We *want*
more people to use it in a desktop, but to argue that the majority of
Linux systems today are desktops is ridiculous.

> For those who know
> what SELinux is they will simply flip on the on switch. But most
> people have no idea, and when it causes problems it just makes solving
> them worse.
> 

SELinux is more important for the protection of those who *don't* know
how to protect themselves. Those who do know something about security
will take two-dozen other measures to reduce their risk... those who
don't need the developers to protect them by making secure default
choices since they won't have the knowledge to make those choices
themselves.

In the final analysis, not only are you wrong but you are also spitting
upwind. Red Hat, Inc. has decided that SELinux will be in Red Hat
Enterprise's future. The Fedora development community, which also
happens to be strongly sponsored by Red Hat, Inc., has also decided to
integrate SELinux into Fedora Core. This *will* happen, whether or not
you attempt to argue against it.

And my personal opinion is that they've been doing a damn good job of
it, since I've had exactly *one* SELinux problem so far and it was
pretty easy to solve.

Cheers,

-- 
Rodolfo J. Paiz <rpaiz at simpaticus.com>