How best get rid of SELinux?

Andrew Kelly akelly at corisweb.org
Fri Sep 21 15:25:54 UTC 2007


On Fri, 2007-09-21 at 09:59 -0500, Mike McCarty wrote:
> Tim wrote:
> > On Thu, 2007-09-20 at 15:36 -0500, Mike McCarty wrote:
> > 
> >>It's too bad that Red Hat has jumped on the SELinux bandwagon
> >>so wholeheartedly. That is, it is for those of us who don't like
> >>it, but want to use Red Hat products or projects. 
> > 
> > 
> > One of the (almost) unsung benefits of it is to do with created
> > software.  
> > 
> > If the programmers use a system with SELinux, they're forced into
> > writing their software better.  And we end up with software which
> 
> They are forced into writing it SELinux aware. That is not
> part of my definition of "better".
> 
> [snip]
> 
> > On the other hand, without any SELinux, trying to make your system
> > secure, when you're using programs that the software authors had
> > free-range to do any old crap in the first place, is much more
> > difficult.
> 
> I don't like to load and run crap. Do you?
> That's one reason I don't have SELinux enabled on the machines
> I administer. Not all of them are FC2, BTW.
> 
> Note that SELinux does not attempt to make a machine more
> secure, except in a very general sense. It attempts to mitigate
> damage on a machine WHICH IS ALREADY COMPROMISED.
> 
> It does little AFAICT to prevent compromise.
> 
> Mike


Quick hit and run, here, before I call it a weekend...

My cousin is an auto mechanic and several years ago he said something
which you've just repeated in different terms.

We were arguing Air Bag vs Anti-Lock Braking System. He said given the
choice of only one, it would be insanity to take the AB. 
I says, "Huh?"
He says, "Isn't it more important to avoid the accident in the first
place?"

Brilliant.

Of course the right choice is to have them both, but given the choice of
one, you're on the money IMO, Mike. 

Andy



