Re: How best get rid of SELinux?


> that the disadvantages far outweigh the advantages. There are
> exactly three users which can actually log on to my machine:

You hope...

> It appears to me that RH is courting large corporate or government
> users where political considerations and the ability to dodge
> responsibility are important, rather than stand-alone small desktop
> systems with single or just a very few actual users.

SELinux is useful in both cases. Large corporations may well use custom
rules to protect critical data or enforce policies (e.g. 'no you can't run
anything you download').

In the general case it's there to protect all systems and users by doing
its best to divide up the different aspects of a machine and make it very
hard to use one part of the system to break another and build a chain of
steps ending in compromise. The number of official users of a box is
really irrelevant, and to a large extent so is the data on it. A
compromised box gets used for spamming, attacking other hosts and more.
Insecure systems are antisocial regardless of whether their owner is
inconvenienced.

I don't doubt plenty of people on this list who don't run SELinux do run a
tight ship, do check for compromises and don't leave compromised
machines on the net. There are however plenty of people who are sloppy,
or simply don't have the skill needed to run the box properly - and that's
one good reason for defaulting firewalls and SELinux on - to ship a
default level of security appropriate to external risk. Allowing users to
turn off security is generally better than assuming they will read the
manual and turn it on.
 
> I think it would be better if they had the option simply not
> to install.

It's a bit like asking for a car to come with automatic or manual
transmission. It isn't a last minute extra you fit like a headrest; it's
intrinsic to the very build of the system.

There are sound engineering reasons why "rpm -e selinux" isn't doable (or
believe me we'd have done it that way!)

Alan

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list