Lamont R. Peterson wrote:
> By no means is this limited to home users. I would say that the *vast*
> majority of corporate admins just turn off SELinux. The story behind how &
> why they learned to do that to begin with only varies in details. It's almost
> always, "I had problems installing X or doing Y and I found a document on the
> Internet that said that SELinux was in the way and didn't work right anyway
> and was too complicated and didn't do me any good and that I couldn't learn
> enough about it to even understand what was happening, let alone deal with
> it, in less than a month and ... well, so I just turn off SELinux and then I
> don't have to deal with it."

I think we might be aiming at the wrong target, especially in
the case of corporate admins. Target application developers,
not admins: applications must work without requiring any modification
to the system and adapt accordingly. Make modifications invalidate the
RHEL support contract: SELinux just helps you to nail down lazy
application developers. If the application means more money to the admin
than the support contract, he disables it *knowingly*, and should the
need arise, RH support engineers do rpm -Va, notice that something is
fishy, and the admin pays per incident or whatever the contract says. If
the admin does not like this, next time he'll complain to the
application vendor, which will get his code, the actual culprit, fixed.
Davide Bolcioni
--
There is no place like /home.
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list