Selinux

Ed Greshko Ed.Greshko at greshko.com
Sun Nov 30 02:21:34 UTC 2008


Tom Horsley wrote:
>
> OK, I can turn off selinux, and not get any of these errors, or
> I can leave selinux on, get errors, look at the troubleshoot report,
> and follow the instructions to enable the program that had problems
> to go ahead and do whatever nasty things selinux detected. All without
> doing the kind of massive code review required to prove that the nasty
> things are actually harmless in this particular program's case.
>
> So why isn't it much simpler and less trouble to just turn off
> selinux in the first place? I get the same level of security in the
> end, and much less hassle in the meantime :-).
>
>   
Of course that isn't quite true.  What you would have done is made the
decision to trust a single program.  You haven't disabled the various
selinux protection schemes for other components.  In other words, you've
handed out a set of keys.  You've not unlocked and opened all the doors
and all the windows and turned off the alarm system.


