Obviously a server is likely to have more than just an out of the box configuration.
But anyways... if I remember correctly, wasn't one of the changes in the RHEL6 SELinux the ability to section off where SELinux is enforcing versus not, so that it isn't an all or nothing thing?

-greg

"Marti, Robert" <[email protected]> wrote on 12/03/2010 09:31:55 AM:

> Servers get weird applications that don't come with SELinux
> contexts, weird placement of files, etc...
>
> I rarely use anything on my laptops/desktop that isn't in the Fedora
> repos. On my servers, however, I have things like Oracle,
> Blackboard, dotCMS, and other apps that don't play nice -at all- with
> SELinux. Sure, fewer things change on a daily basis, but there's
> *far* more of a starting curve.
>
> Sent from my iPhone
>
> On Dec 3, 2010, at 8:48 AM, "[email protected]"
> <[email protected]> wrote:
>
> > I'm not saying I've succeeded in convincing people to let me run SELinux in
> > enforcing anywhere, but think about the argument you just made:
> >
> > "I've got it [SELinux] enabled on my desktop and laptops", which while
> > useful, aren't as ready of targets for hackers (we are talking Linux not
> > Windows). Desk/laptop environments are also more broad and varied in
> > software that is run and the potential that you will run into SELinux
> > issues (such as jch's dropbox issue).
> >
> > "on my servers though...[I have it disabled]..." However most servers are
> > ready targets, with ports open and attractive to someone trying to break
> > in. Servers tend to have a stable software configuration and use cases,
> > leading to SELinux being easier to maintain in the long run since behavior
> > patterns aren't as likely to change constantly. Yes, easier by comparison,
> > and not saying it's "easy".
> >
> > -greg
> >
> > [email protected] wrote on 12/03/2010 06:34:52 AM:
> >
> >>
> >> Right. I've got it enabled on my desktop and laptops. On servers though...
> >>
> >> Sent from my iPhone
> >>
> >> On Dec 3, 2010, at 5:08 AM, "John Haxby" <[email protected]> wrote:
> >>
> >>
> >>
> >> On 3 December 2010 00:59, Marti, Robert <[email protected]> wrote:
> >> SELinux scares people, to put it simply. Instead of fixing things to
> >> work with it, it gets disabled so no one has to deal with it. I'd
> >> rather fix it, but the normal complaint is lack of time to do it
> >> right. I normally set it to permissive mode and make a note to come
> >> back and address the issues later. So far later hasn't come.
> >>
> >>
> >> This is an argument I have sympathy with.
> >>
> >> However, just short of three years ago I decided enough was enough
> >> and I was going to get to grips with this thing on my laptop. So I
> >> left selinux enabled when I installed whatever was the current
> >> Fedora at the time.
> >>
> >> As I recall, the only problem I had was with the web server I was
> >> running(*). Fixing that was a matter of ten minutes between me and
> >> google. Since that time I've picked up other selinux stuff
> >> incrementally — I'm far from being an expert but I'm not afraid of
> >> selinux any more and I can make use of it after a fashion. (Fedora
> >> 14 has a problem with some 32 bit apps and selinux but I can live
> >> without dropbox for the moment.)
> >>
> >> jch
> >>
> >>
> >> * yes, on a laptop: you have problem with that? :-)
> >> _______________________________________________
> >> rhelv6-list mailing list
> >> [email protected]
> >> https://www.redhat.com/mailman/listinfo/rhelv6-list
