selinux stuff - I just don't get




On 11/14/05, Peter Farrow <peter@xxxxxxxxxxx> wrote:
> I agree Les,
>
> Selinux just adds bloat that we've managed without for many many years.
>

We used to manage just fine with telnet for many many years also, and
these days I wouldn't think of accessing a machine via telnet.
If you don't change with the times, you're going to get steamrolled by
them.

> Another layer of complexity to allow another layer of
> holes/backdoors/exploits.

Given the organization who gave us selinux and their dire need for
security, I get the feeling it'll block many more problems than it
allows, just as ssh did.



> NOT NEEDED!!!!
>

I disagree. SELinux is going through growing pains, and it's not quite
to the point where I'd call it "user friendly", but it does a very
good job at separating programs from areas of the system they don't
need to touch. I for one use it to protect users from themselves and
each other with cgi programs on web servers. selinux can provide a
very secure way to allow users to have cgis on their webspace without
staying up nights wondering if their code is going to kill something.
SELinux is currently a pain in the ass, but it's no more complicated
than say a sendmail config. We just need to learn it the same way we
learned sendmail. It's not for every environment YET. I would not
place it on a workstation, but on a webserver or some other system
with high levels of outside traffic.. yes.




--
Jim Perrin
System Architect - UIT
Ft Gordon & US Army Signal Center
