On Thu, Dec 06, 2012 at 01:30:40PM -0600, Les Mikesell wrote: > > Sorry to burst your bubble here, but note that this is from a guy that > says he hasn't changed things in years. The 'normal' selinux > reaction to problems is not nonsense, just real life when you have a > bunch of people trying to do new things and a tool that is designed to > restrict them. Then let me sum this up thusly. If anyone is in the habit of managing systems with selinux set to disabled because "it's too hard" or "it takes too much time" or any number of other ridiculous excuses instead of learning to properly manage the systems with the tools and documentation provided then they need to reconsider their chosen career path as they are quite obviously not cut out for systems administration / engineering. I manage many, many hundreds of systems. Not a single one has selinux disabled. I have _no_ problems in doing so Does it take a little time to do it when first installing a package without a pre-packaged policy? Yes; and this is one reason you don't do this type of thing in a production environment. Is it less time than it takes to recover from a compromise. Yes; _many_ times less. So you'll kindly pardon me if I don't accept lame excuses or what I consider faulty reasoning as to why one would not have selinux set to enforcing on any given box. I also consider any advocacy for disabling security tools versus understanding them and learning to work with them quite out of place on this or any other technical list. People should really just know better. As I know you'll want to get the last work in, Les, let it be known I won't reply to this thread any longer. The original author has already shown his willingness to do things properly and you just want a soapbox and I won't give you one. John -- He may be mad, but there's method in his madness. There nearly always is method in madness. It's what drives men mad, being methodical. -- G. K. Chesterton, The Fad of the Fisherman (1922)
Attachment:
pgpcr94vGRJYw.pgp
Description: PGP signature
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
