SELinux is actually obscure because I've not yet studied it (like most of us I think) that's why I'm disabling it for now. But it will be a necessary move just because it's a major evolution (as exploits are evolving equally). It's bringing new concepts and it may become as usual as the Unix rights are. I've played a little with GRsecurity kernel patch and found it as a good security enhancement for boxes who needed it and I'm happy to see that something "more standard" is coming as it should remove some complexity in the implementation process. Peter Farrow wrote: > Furthermore, why people believe adding complexity to a system "makes > it more secure" baffles me, > > We enter into the realms of "security by obscurity", and Bill Gates' > "bloat and crash ware" epitomises that.... > > > Peter Farrow wrote: > >> I agree Les, >> >> Selinux just adds bloat that we've managed without for many many years. >> >> Another layer of complexity to allow another layer of >> holes/backdoors/exploits. >> >> NOT NEEDED!!!! >> >> Regards >> >> Pete >> >> >> Les Mikesell wrote: >> >>> On Mon, 2005-11-14 at 05:04, Tony wrote: >>> >>> >>>> It always amazes me how quick people are to suggest that you just >>>> switch selinux off, without balancing the suggestion with an >>>> explanation of what they are losing by doing this. >>>> >>> >>> >>> >>> What you get without it is the well-understood unix permission >>> system that served everyone well for several decades. Exploits >>> involving buggy code have happened, but If we've learned anything >>> along the way it is that adding new and less-tested code to a >>> working system doesn't necessarily make it more secure. >>> >>> >>> >>>> Would you switch a firewall off because it keeps filling your log >>>> files up with packet info? An English expression involving babies and >>>> bathwater springs to mind ;-) >>>> >>> >>> >>> >>> I'd need some reason to think that the firewall code was >>> less likely to be exploited than the rest of the system it >>> is supposed to be protecting to consider it important. >>> >>> >>> >> >> _______________________________________________ >> CentOS mailing list >> CentOS@xxxxxxxxxx >> http://lists.centos.org/mailman/listinfo/centos > > > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos