Servers get weird applications that don't come with SELinux contexts, weird placement of files, etc...
I rarely use anything on my laptops/desktop that isn't in the Fedora repos. On my servers, however, I have things like Oracle, Blackboard, dotCMS, and other apps that don't play nice -at all- with SELinux. Sure, fewer things change on a daily basis, but there's *far* more of a starting curve.

Sent from my iPhone

On Dec 3, 2010, at 8:48 AM, "[email protected]" <[email protected]> wrote:

> I'm not saying I've succeeded in convincing people to let me run SELinux in
> enforcing anywhere, but think about the argument you just made:
>
> "I've got it [SELinux] enabled on my desktop and laptops", which while
> useful, aren't as ready of targets for hackers (we are talking Linux not
> Windows). Desk/laptop environments are also more broad and varied in
> software that is run and the potential that you will run into SELinux
> issues (such as jch's dropbox issue).
>
> "on my servers though...[i have it disabled]..." However most servers are
> ready targets, with ports open and attractive to someone trying to break
> in. Servers tend to have a stable software configuration and use cases,
> leading to SELinux being easier to maintain in the long run since behavior
> patterns aren't as likely to change constantly. Yes, easier by comparison,
> and not saying it's "easy".
>
> -greg
>
> [email protected] wrote on 12/03/2010 06:34:52 AM:
>
>> Right. I've got it enabled on my desktop and laptops. On servers though...
>>
>> Sent from my iPhone
>>
>> On Dec 3, 2010, at 5:08 AM, "John Haxby" <[email protected]> wrote:
>>
>> On 3 December 2010 00:59, Marti, Robert <[email protected]> wrote:
>> SELinux scares people, to put it simply. Instead of fixing things to
>> work with it, it gets disabled so no one has to deal with it. I'd
>> rather fix it, but the normal complaint is lack of time to do it
>> right. I normally set it to permissive mode and make a note to come
>> back and address the issues later. So far later hasn't come.
>>
>> This is an argument I have sympathy with.
>>
>> However, just short of three years ago I decided enough was enough
>> and I was going to get to grips with this thing on my laptop. So I
>> left selinux enabled when I installed whatever was the current
>> Fedora at the time.
>>
>> As I recall, the only problem I had was with the web server I was
>> running(*). Fixing that was a matter of ten minutes between me and
>> google. Since that time I've picked up other selinux stuff
>> incrementally — I'm far from being an expert but I'm not afraid of
>> selinux any more and I can make use of it after a fashion. (Fedora
>> 14 has a problem with some 32 bit apps and selinux but I can live
>> without dropbox for the moment.)
>>
>> jch
>>
>> * yes, on a laptop: you have problem with that? :-)
>> _______________________________________________
>> rhelv6-list mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/rhelv6-list
