I'd throw in to the mix - I have a lot of experience with *nixes - but limited time to learn things and must concentrate on what I need to know. I've never mastered SELinux and disable it - all the time. However, my needs are for my home network - which I administer. I have many hosts and quite a few VMs - but I don't think it's worth my time or effort to use SELinux. Am I lazy - yes. Do I care - no.

Seems harsh what you said :( Maybe in a prod setting, you are correct - but chill :) This is a great mailing list... hate to see fighting or perceived fighting :(

On Thu, 6 Dec 2012, m.roth@xxxxxxxxx wrote:

> John R. Dennison wrote:
>> On Thu, Dec 06, 2012 at 01:30:40PM -0600, Les Mikesell wrote:
>>>
>>> Sorry to burst your bubble here, but note that this is from a guy that
>>> says he hasn't changed things in years. The 'normal' selinux
>>> reaction to problems is not nonsense, just real life when you have a
>>> bunch of people trying to do new things and a tool that is designed to
>>> restrict them.
>>
>> Then let me sum this up thusly. If anyone is in the habit of managing
>> systems with selinux set to disabled because "it's too hard" or "it
>> takes too much time" or any number of other ridiculous excuses instead
>> of learning to properly manage the systems with the tools and
>> documentation provided, then they need to reconsider their chosen career
>> path as they are quite obviously not cut out for systems administration
>> / engineering.
>>
>> I manage many, many hundreds of systems. Not a single one has selinux
>> disabled. I have _no_ problems in doing so. Does it take a little time
>> to do it when first installing a package without a pre-packaged policy?
>> Yes; and this is one reason you don't do this type of thing in a
>> production environment. Is it less time than it takes to recover from a
>> compromise? Yes; _many_ times less.
> <snip>
> The general CentOS mailing list: everyone's soapbox.
>
> We've got selinux on permissive on almost every system. Perhaps your boxes
> are almost all production: most of ours are either dev or research. Even
> the production boxes - most have websites or apps written by developers
> with *zero* knowledge of selinux.
>
> And then there are the third-party apps like that... or from the Windows
> world. For example, I've posted here in the past, and on the fedora
> selinux list, fighting CA's SiteMinder (we won't talk about the piece of
> crap that is, for which our tax dollars pay a *lot*), but it's *all*
> guesswork and make-do to even keep that working, and making selinux active
> would kill that most of the time, and we're *required* to use it.
>
> Must be nice, working in an environment that can enforce selinux. This
> ain't it.
>
> mark
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>

Scot P. Floess
RHCT (Certificate Number 605010084735240)
Chief Architect FlossWare
http://sourceforge.net/projects/flossware
http://flossware.sourceforge.net
https://github.com/organizations/FlossWare