Linked by Thom Holwerda on Sun 21st Oct 2007 11:02 UTC, submitted by irbis
Linux "Should Security Enhanced Linux be designated as the sole security framework for Linux? While most security specialists would agree on the high quality of SELinux, proponents are arguing this framework is the only one that should be needed for the open-source operating system kernel. In fact, it would eliminate the need for the Linux Security Module, an open platform for outsider developers to build their own security frameworks for Linux. And this idea has raised the ire of Linux keeper Linus Torvalds."
Thread beginning with comment 279589
RE: Why Not?
by sbergman27 on Sun 21st Oct 2007 17:30 UTC in reply to "Why Not?"
Member since: 2005-07-24

"""
I don't see the problem with SELinux being on by default as long as they have a well written "targeted" policy for things like servers and things users should never have to do.
"""

What's a user? I administer a lot of machines. And I have spent a substantial amount of time on problems caused by SELinux. For example, something as simple as creating a printer with the lpadmin command fails silently with no error message due to SELinux. (Doing it this way is necessary because many of the machines I admin are POS stations, which do not run a GUI, and the creation of the printers is done by a script which runs after the install.) So you create a printer and it works just fine... until reboot. Then it just disappears. Or you install ntpd and it works just fine... until the next reboot. It's like it was never configured.

I have problems like this on the diverse set of machines that I admin *all the time*. It is *not* a rare event. Are these things that the user should never need to do?

Fortunately, I've gotten wise. Weird, inexplicable problem? No problem! Set SELinux to "Permissive". Wow! Now it works. So *now* I have time to do a basic security audit on this machine to double check that everything is reasonable, rather than spending half the afternoon trying to figure out how to fix this SELinux-caused malfunction which was not a security vulnerability in the first place.

For those instances where such fine grained control is necessary, SELinux is invaluable. For the rest of us, it is a damned waste of time that keeps us from attending to more basic security strategies.

Edited 2007-10-21 17:34

Score: 5