|| ||Alan Cox <alan-AT-lxorguk.ukuu.org.uk>|
|| ||For users of Fedora <fedora-list-AT-redhat.com>|
|| ||Re: How best get rid of SELinux?|
|| ||Mon, 24 Sep 2007 22:08:19 +0100|
> that the disadvantages far outweigh the advantages. There are
> exactly three users which can actually log on to my machine:
> It appears to me that RH is courting large corporate or government
> users where political considerations and the ability to dodge
> responsibility are important, rather than stand-alone small desktop
> systems with single or just a very few actual users.
SELinux is useful in both cases. Large corporations may well use custom
rules to protect critical data or enforce policies (eg 'no you can't run
anything you download').
In the general case its there to protect all systems and users by doing
its best to divide up the different aspects of a machine and make it very
hard to use one part of the system to break another and build a chain of
steps ending in compromise. The number of official users of a box is
really irrelevant, and to a large extent so is the data on it. A
compromised box gets used for spamming, attacking other hosts and more.
Insecure systems are antisocial regardless of whether their owner is
I don't doubt plenty of people on this who don't run SELinux do run a
tight ship, do check for compromises and don't run leave compromised
machines on the net. There are however plenty of people who are sloppy,
or simply don't have the skill needed to run the box properly - and thats
one good reason for defaulting firewalls and selinux on - to ship a
default level of security appropriate to external risk. Allowing users to
turn off security is generally better than assuming they will read the
manual and turn it on.
> I think it would be better if they had the option simply not
> to install.
Its a bit like asking for a car to come with automatic or manual
transmission. It isn't a last minute extra you fit like a headrest its
intrinsic to the very build of the system.
There are sound engineering reasons why "rpm -e selinux" isn't doable (or
believe me we'd have done it that way!)
fedora-list mailing list
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
to post comments)