running a consultancy business where time is money, tunring it off and configuring as we always did before represents the best technical solution and value for money for my clients. Those of you who work in big corporates or have time to experiment with every last detail of SELinux features in a lab by all means go and do it, here at the coal face its rather like offering options for window dressing while we are still building the shop front.... Turning it off stops all the junk filling up the logs and allows you to see the real stuff.....and is the best option for me and my clients, others may have different objectives, but my machines stay secure without it. Therefore I don't need it.... period... P. Paul Heinlein wrote: > On Thu, 17 Nov 2005, Lamar Owen wrote: > >> What is on-topic is the simple fact that CentOS ships with SELinux on >> by default; this is the way things are, whether you or I like it or >> not. I happen to like it; YMMV. I quite strongly disagree that the >> answer to SELinux problems should be 'turn it off' as this is the >> lazy way out. > > > That's a bit too declarative for my taste. It certainly could be the > lazy way out -- or it could be a sysadmin asking the honest question: > is it worth more to my organization *now* for me to spend X hours > figuring out SELinux policies or to spend those hours on a different > project. > > You and Lee both have valid points, and I appreciate the discussion. > I'd be hard-pressed, however, to deride the admin who chose to install > SELinux in permissive mode because s/he made an honest assessment that > the time was better spent elsewhere. > > It could be laziness. It could be priorities. From the cheap seats, > that assessment isn't mine to make. > > As for the machines under my care, most work fine in targeted mode. > For now, those few that don't get the permissive treatment because, > frankly, I don't have the luxury of telling my executive staff that > their priorities need to wait while I solve SELinux policy issues. >