SElinux
Eugen Leitl
eugen at leitl.org
Mon Apr 3 07:21:56 UTC 2006
On Sun, Apr 02, 2006 at 08:08:42PM -0300, Jacques B. wrote:
> > I see your point - that there are levels of system
> > administrators...those that invest the time and energy into obtaining
> > the knowledge necessary to maintain their systems and those that rely on
Dude, it's a trade off. Is the time worth the added security?
> > point and click tools and where lacking the point and click tools and
> > the knowledge, opt out for expedience.
Where did "point and click" come from?
> > I agree that many opt out for expedience...too bad. Something inside
> > tells me that many of these people chide Windows systems for a lack of
> > security but I digress.
You're making some leaps in reasoning here.
> I'm not a sysadmin (but hope to develop my skills and become one in my
> next life). But I can see why a sysadmin would want a user friendly
> interface and abundant (and clear) documentation to manage all aspects
> of SELinux. I can imagine that many sysadmins are quite busy as it
> is. Trying to wrap their heads around SELinux may be a challenge.
> Certainly not rolling out security features for a customer could come
> back and bite us. But also not being able to maintain the customer's
> system running smoothly (or can't get certain parts working at all)
> without investing more time than is available in a day is no doubt not
> an option for some sysadmins. And if the downed system is costing the
> customer considerable loss of revenue then getting it up and running
> ASAP may be the first priority, not getting it up and running with
> maximum security features implemented. Security is an afterthought in
> some cases, and of lesser concern unless it impacts the bottom line.
> I suspect not many sales managers would tell you to take an extra 1/2
> day or longer to troubleshoot an application issue before resuming
> online sales if it can be resolved in a matter of seconds by simply
> disabling that application. Risks vs benefits as it relates to the
> bottom line.
>
> I may be totally off the mark here. But that's my best guess at what
> some sysadmins are likely dealing with and why mastering SELinux is
> not a priority for them (or more accurately for their company).
SELinux has no business running on a user desktop (=kitchensink)
if the policy is not well maintained. Things like RSBAC/grsecurity/SELinux+PaX
can be useful on a server.
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE