How best get rid of SELinux?

[Tom Rivers]

Gene Heskett wrote:
> Questions that need answered _here_, where the whole list will read them are:
>
> Why do the supposed selinux functions, if 10,000% less important than a 
> firewall (my personal estimation anyway) seem to take 10,000 times more 
> maintenance than the far more important firewall?
>   

Hi Gene,

I'm no SELinux expert, but I think you may be wide of the mark with how 
you have phrased this question.  Firewalls and SELinux perform two 
different functions.  Take a typical web server for example.  The 
firewall will need to be changed to allow port 80 traffic through at a 
minimum.  In the case of an attacker who targets that web server, the 
firewall isn't going to do anything because the door has already been 
left wide open.  SELinux, however, will help prevent a hacked web server 
process from doing additional damage by limiting what it is allowed to 
do with the rest of the system.  What I'm trying to say is that I think 
you are comparing apples to oranges.

With respect to your point that firewalls are easier to configure than 
SELinux, I agree.  However, it makes sense that this is the case.  
Firewalls are merely gatekeepers.  Telling them to admit, restrict, or 
deny traffic isn't really that complex.  SELinux, on the other hand, 
deals with the entire OS and the many ways in which programs can 
interact with it.  In comparison, firewalls deal with a small subset of 
the number of entities SELinux does.

Could SELinux be more easy to configure and manage?  I hope so because I 
have had my fair share of issues with it.  Is it understandable that 
trying to consolidate every way in which every program can deal with 
every resource on a computer system is a difficult task?  I think so.  :)


Tom