How best get rid of SELinux?

Arthur Pemberton pemboa at gmail.com
Fri Sep 21 20:59:15 UTC 2007


On 9/21/07, Mike McCarty <Mike.McCarty at sbcglobal.net> wrote:
> Arthur Pemberton wrote:
> > On 9/21/07, Gene Heskett <gene.heskett at verizon.net> wrote:
> >
> >>On Friday 21 September 2007, Ed Greshko wrote:
> >>
> >>>Gene Heskett wrote:
> >>>
> >>>>I have a firewall that has so far been bulletproof.  It's called dd-wrt,
> >>>>run on an old scrap x86 box, booting busybox from a cf card, no drives in
> >>>>it & only 2 fans.
> >>>
> >>>I'm not sure why you are comparing the functions of SELinux with the
> >>>functions of a firewall.  It would be nice to hear your interpretation of
> >>>the issues that SELinux targets vs. what a Firewall targets.  If you think
> >>>they serve the same functions it would be nice if you would cite your
> >>>source.
> >>
> >>Several people have referred to 'that hacker' getting into the system, which
> >>is how I at least made the connection to a firewall.
> >
> >
> > So your firewalls are capable of protecting against 'that hacker'
> > who _is_ on your box, i.e. has gotten past your firewall somehow -
> > getting past a firewall is by no means an impossible task
>
> No. But my backups are the appropriate response to a compromised
> system, not SELinux.


So you're still missing the point that SELinux can prevent the system
from being compromised.

> > I have several machines with SELinux disabled, and I see no messages from it.
>
> Then you believe that at least in some circumstances SELinux has a
> greater cost than it does a benefit. We agree on that. How about
> allowing those who find themselves in that circumstance the latitude
> of not loading and running SELinux at all?

So disable it. Is that so hard? If you disable it, it doesn't run.

> >>It's a 'solution' looking for a 'problem' and if it can't find a problem, it
> >>will make 10 problems just for spite.
> >
> >
> > It solves problems for me, if you do not share this, that is
> > understandable. But it does in fact solve problems.
>
> Though I didn't see you list one problem SELinux solved for you,
> I'm not going to argue your personal assessment that the perceived
> cost of SELinux to you (on some of your machines) outweighs the
> perceived benefit (or rather the utility functions associated
> with the perceived costs, when weighed by the probabilities you assigned
> to your outcome space), since that is a personal matter.

Well I didn't intend on playing story telling time. But SELinux has
prevented me from being rooted at least once.

> What I don't like is RH thinking it knows better than I do what I
> need in the way of security software.

If they thought they knew better, they wouldn't make it possible to disable it.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



