From: domg472@gmail.com (Dominick Grift)
Date: Fri, 18 Mar 2011 11:19:52 +0100
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <20110318060616.GA12690@siphos.be>
References: <1300369855.30425.14.camel@tesla.lan> <4D8219D9.7080504@redhat.com> <1300377867.30425.40.camel@tesla.lan> <4D823A60.9020107@redhat.com> <1300390804.31755.6.camel@tesla.lan> <20110317202433.GA6695@siphos.be> <4D82947D.9010805@catseye.org> <20110318060616.GA12690@siphos.be>
Message-ID: <4D8331C8.5090601@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/18/2011 07:06 AM, Sven Vermeulen wrote:
> On Thu, Mar 17, 2011 at 07:08:45PM -0400, Mark Montague wrote:
>> However, I strongly disagree that this forces organizations to
>> understand what SELinux does or is supposed to do: in all of the
>> organizations in which I am personally involved (which includes a major
>> research university), all of the system administrators I have met
>> disable SELinux as the very first thing they do after installing the
>> OS. Most of them disable SELinux without having any real understanding
>> of what it does, and the reason they give, when asked, is because they
>> want everything to "just work". When an AVC denial occurs, they don't
>> even want to know what it means or why it occurs; they just know that
>> "the AVC denial breaks their service" and disabling SELinux "fixes their
>> service".
>
> True, but this is not because security (or SELinux) is boring, it is because
> it is considered hard (an expert field).
>
> I hope that the number of organizations that disable SELinux on first sight
> shrinks every day. In the organization I work for, they considered SELinux
> during the intake of Linux and decided to continue with it, seeing that it
> is easier to disable it in exceptional circumstances than to enable it in
> exceptional circumstances (think DMZ or other). Good call in my view.

That is also my reasoning for removing the unconfined_domain by default. It is easier to put them in than it is to remove them without breaking things.

> Wkr,
> Sven Vermeulen