On 3/14/06, Ralf Corsepius <rc040203@xxxxxxxxxx> wrote:
> On Tue, 2006-03-14 at 16:54 +0000, Andrew Haley wrote:
> > Stephen J. Smoogen writes:
>
> Finally, one fundamental problem, probably most users ask them
> themselves: Is coping with all the issues SELinux causes worth the
> effort, and does it really help the user?
>
> I guess, all Fedora users have been fighting with SELinux at some point
> in time, but probably nobody or at least very few have seen SELinux
> preventing damage from a system in real world installations.
>

I can say that is false. Yes, I had some problems, but instead of turning it off I took the time to learn what it wanted. I have seen several cases where the SELinux targeted rules in httpd stopped bad stuff from happening where a hacker tried to dial home but couldn't. At this point, I think turning off SELinux is the equivalent of not using shadow files and no firewall.

Yes, Apache is complex and you can do tons of different things with it... and you can not enumerate out of the box every type of thing you can do with it.. However, just because you can do something doesn't mean you should do it, and if you don't know what it is going to do.. then you are better off with the computer saying "sorry can't let that happen" than "oh gee look my box has been a kiddie-porn repository for the last 6 months"

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list