From: mark@catseye.org (Mark Montague)
Date: Thu, 17 Mar 2011 19:08:45 -0400
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <20110317202433.GA6695@siphos.be>
References: <1300369855.30425.14.camel@tesla.lan> <4D8219D9.7080504@redhat.com> <1300377867.30425.40.camel@tesla.lan> <4D823A60.9020107@redhat.com> <1300390804.31755.6.camel@tesla.lan> <20110317202433.GA6695@siphos.be>
Message-ID: <4D82947D.9010805@catseye.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On March 17, 2011 16:24 , Sven Vermeulen wrote:
> It is a good thing that RedHat and other (commercial) distributions are
> (starting to) offer SELinux-enabled systems by default. By integrating it
> immediately (and not offering it as an "additional" option) they somewhat
> force organizations to at least understand what it does or is supposed to
> do. By having the non-commercial distributions focus on SELinux more and
> more, this will also create awareness in the community.

I agree that it is good that Red Hat and others are offering SELinux-enabled systems by default. However, I strongly disagree that this forces organizations to understand what SELinux does or is supposed to do:

In all of the organizations in which I am personally involved (which includes a major research University), all of the system administrators I have met disable SELinux as the very first thing they do after installing the OS. Most of them disable SELinux without having any real understanding of what it does, and the reason they give, when asked, is because they want everything to "just work". When an AVC denial occurs, they don't even want to know what it means or why it occurs, they just know that "the AVC denial breaks their service" and disabling SELinux "fixes their service".

A central security team mandating SELinux could help make headway at the organizations with whom I work, but I have not had a lot of luck with them either, as MAC solutions are simply not something they care about at this time, regardless of platform.

--
Mark Montague
mark at catseye.org