SELinux should be off by default in FC3
David Hollis
dhollis at davehollis.com
Thu Oct 7 16:40:19 UTC 2004
On Thu, 2004-10-07 at 08:41 -0700, Nathan Grennan wrote:
> I think overall it what it comes down to is that SELinux micro-manages
> security way too much. SELinux's level of security might be suitable in
> some situations, but will be too much of a burden in most situations.
>
Not to put SELinux in bad company, but the level of security provided by
SELinux is very similar to what is provided by the Windows NT/XP
security system and that doesn't seem to bother people too much. Of
course, MS essentially turns it off to prevent that!
I think the crux of this thread is that there are likely to be cases
(especially short-term) where SELinux poses a burden. While some of
these cases may be reasonably common (hosting customers FTP-ing up
files, etc), I really don't think they justify disabling SELinux as a
whole out-of-the-box. If RH was to do that, they might as well stop
spending any time developing SELinux and all of us Fedora users might as
well stick with the standard UNIX security system. If you find that
SELinux doesn't work in your environment due to various reasons, it is
quite easy to disable it though a much better alternative would be to
work with the RH folks to get it to work properly in your environment.
And don't forget - that may mean changing some of YOUR practices to make
it work.
--
David Hollis <dhollis at davehollis.com>
More information about the fedora-devel-list
mailing list