How best get rid of SELinux?
Arthur Pemberton
pemboa at gmail.com
Fri Sep 21 15:45:38 UTC 2007
On 9/21/07, Andrew Kelly <akelly at corisweb.org> wrote:
> On Fri, 2007-09-21 at 09:59 -0500, Mike McCarty wrote:
> > Tim wrote:
> > > On Thu, 2007-09-20 at 15:36 -0500, Mike McCarty wrote:
> > >
> > >>It's too bad that Red Hat has jumped on the SELinux bandwagon
> > >>so wholeheartedly. That is, it is for those of us who don't like
> > >>it, but want to use Red Hat products or projects.
> > >
> > >
> > > One of the (almost) unsung benefits of it is to do with created
> > > software.
> > >
> > > If the programmers use a system with SELinux, they're forced into
> > > writing their software better. And we end up with software which
> >
> > They are forced into writing it SELinux aware. That is not
> > part of my definition of "better".
> >
> > [snip]
> >
> > > On the other hand, without any SELinux, trying to make your system
> > > secure, when you're using programs that the software authors had
> > > free-range to do any old crap in the first place, is much more
> > > difficult.
> >
> > I don't like to load and run crap. Do you?
> > That's one reason I don't have SELinux enabled on the machines
> > I administer. Not all of them are FC2, BTW.
> >
> > Note that SELinux does not attempt to make a machine more
> > secure, except in a very general sense. It attempts to mitigate
> > damage on a machine WHICH IS ALREADY COMPROMISED.
> >
> > It does little AFAICT to prevent compromise.
> >
> > Mike
>
>
> Quick hit and run, here, before I call it a weekend...
>
> My cousin is an auto mechanic and several years ago he said something
> which you've just repeated in different terms.
>
> We were arguing Air Bag vs Anti-Lock Braking System. He said given the
> choice of only one, it would be insanity to take the AB.
> I says,"Huh?".
> He says, "Isn't it more important to avoid the accident in the first
> place?"
>
> Brilliant.
>
> Of course the right choice is to have them both, but given the choice of
> one, you're on the money IMO, Mike.
>
> Andy
Why would someone have to choose only one?
--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
More information about the fedora-list
mailing list