On 11/14/05, Peter Farrow <peter@xxxxxxxxxxx> wrote:
> I agree Les,
>
> Selinux just adds bloat that we've managed without for many many years.
>

We used to manage just fine with telnet for many many years also, and these days I wouldn't think of running accessing a machine via telnet. If you don't change with the times, you're going to get steamrolled by them.

> Another layer of complexity to allow another layer of
> holes/backdoors/exploits.

Given the organization who gave us selinux and their dire need for security, I get the feeling it'll block many more problems than it allows, just as ssh did.

> NOT NEEDED!!!!
>

I disagree. SELinux is going through growing pains, and it's not quite to the point where I'd call it "user friendly", but it does a very good job at separating programs from areas of the system they don't need to touch. I for one use it to protect users from themselves and each other with cgi programs on web servers. selinux can provide a very secure way to allow users to have cgis on their webspace without staying up nights wondering if their code is going to kill something.

SELinux is currently a pain in the ass, but it's no more complicated than say a sendmail config. We just need to learn it the same way we learned sendmail. It's not for every environment YET. I would not place it on a workstation, but on a webserver or some other system with high levels of outside traffic.. yes.

--
Jim Perrin
System Architect - UIT
Ft Gordon & US Army Signal Center