From: guido@trentalancia.com (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Question: and the policy grows...
Date: Fri, 18 Mar 2011 13:31:19 +0100
Message-ID: <1300451479.3053.7.camel@tesla.lan>
In-Reply-To: <20110318060616.GA12690@siphos.be>

On Fri, 18/03/2011 at 07.06 +0100, Sven Vermeulen wrote:
> On Thu, Mar 17, 2011 at 07:08:45PM -0400, Mark Montague wrote:
> > However, I strongly disagree that this forces organizations to 
> > understand what SELinux does or is supposed to do:  In all of the 
> > organizations in which I am personally involved (which includes a major 
> > research University), all of the system administrators I have met 
> > disable SELinux as the very first thing they do after installing the 
> > OS.  Most of them disable SELinux without having any real understanding 
> > of what it does, and the reason they give, when asked, is because they 
> > want everything to "just work".  When an AVC denial occurs, they don't 
> > even want to know what it means or why it occurs, they just know that 
> > "the AVC denial breaks their service" and disabling SELinux "fixes their 
> > service".
> 
> True, but this is not because security (or SELinux) is boring, it is because
> it is considered hard (an expert field).

No, not necessarily, at least in my experience, and I am going to explain
why. There are close relatives and close friends of mine who are
professionals (they store large amounts of sensitive details of customers and
other sensitive and important information) and who, when offered
security advice for free on a Sunday afternoon, refused it with arguments
similar to the one that I already mentioned for preventive medicine.
This is a general issue with computer security, as the above does not
necessarily refer to Linux.

> I hope that the amount of organizations that disable SELinux on first sight
> shrinks every day. In the organization I work, they considered SELinux
> during the intake of Linux and decided to continue with it, seeing that it
> is easier to disable it in exceptional circumstances than enable it in
> exceptional circumstances (think DMZ or other).

But once again, discussing this is outside the scope of my original
message. Russell Coker has opened a new thread on that on the SELinux
mailing list.

Regards,

Guido
