Selinux

Russell Miller duskglow at gmail.com
Sun Nov 30 01:47:21 UTC 2008


Tom Horsley wrote:
> So why isn't it much simpler and less trouble to just turn off
> selinux in the first place? I get the same level of security in the
> end, and much less hassle in the meantime :-).
>
> (Some days I feel like I should start the Linux Curmudgeon blog,
> but there is probably one out there already - I haven't looked).
>   
I think that there's little doubt that selinux is a good idea.  But it's 
only been recently that it worked well enough for me to actually leave 
it on, and even now I get AVC denial messages for stuff Fedora itself 
installs (got a few the other day when starting firefox on a *freshly 
upgraded* FC10 system).

This does strike me as a little sloppy.  If Fedora installs it, 
shouldn't Fedora set selinux to allow it?  Maybe I'm missing something...

I dunno.  Selinux has always struck me like a car alarm that gives you 
thirty seconds to enter in a 100-digit code.  Faced with that, it's no 
wonder people shut it down.

--Russell




More information about the fedora-list mailing list