I'm not saying I've succeeded in convincing people to let me run SELinux in enforcing anywhere, but think about the argument you just made:

"I've got it [SELinux] enabled on my desktop and laptops", which while useful, aren't as ready of targets for hackers (we are talking Linux not Windows). Desk/laptop environments are also more broad and varied in software that is run and the potential that you will run into SELinux issues (such as jch's dropbox issue).

"on my servers though...[i have it disabled]..." However most servers are ready targets, with ports open and attractive to someone trying to break in. Servers tend to have a stable software configuration and use cases, leading to SELinux being easier to maintain in the long run since behavior patterns aren't as likely to change constantly. Yes, easier by comparison, and not saying it's "easy".

-greg

[email protected] wrote on 12/03/2010 06:34:52 AM:

> Right. I've got it enabled on my desktop and laptops. On servers though...
>
> Sent from my iPhone
>
> On Dec 3, 2010, at 5:08 AM, "John Haxby" <[email protected]> wrote:
>
> On 3 December 2010 00:59, Marti, Robert <[email protected]> wrote:
> SELinux scares people, to put it simply. Instead of fixing things to
> work with it, it gets disabled so no one has to deal with it. I'd
> rather fix it, but the normal complaint is lack of time to do it
> right. I normally set it to permissive mode and make a note to come
> back and address the issues later. So far later hasn't come.
>
> This is an argument I have sympathy with.
>
> However, just short of three years ago I decided enough was enough
> and I was going to get to grips with this thing on my laptop. So I
> left selinux enabled when I installed whatever was the current
> Fedora at the time.
>
> As I recall, the only problem I had was with the web server I was
> running(*). Fixing that was a matter of ten minutes between me and
> google.
> Since that time I've picked up other selinux stuff
> incrementally — I'm far from being an expert but I'm not afraid of
> selinux any more and I can make use of it after a fashion. (Fedora
> 14 has a problem with some 32 bit apps and selinux but I can live
> without dropbox for the moment.)
>
> jch
>
> * yes, on a laptop: you have a problem with that? :-)
> _______________________________________________
> rhelv6-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/rhelv6-list
