From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Question: and the policy grows...
Date: Fri, 18 Mar 2011 11:19:52 +0100
Message-ID: <4D8331C8.5090601@gmail.com>
In-Reply-To: <20110318060616.GA12690@siphos.be>
On 03/18/2011 07:06 AM, Sven Vermeulen wrote:
> On Thu, Mar 17, 2011 at 07:08:45PM -0400, Mark Montague wrote:
>> However, I strongly disagree that this forces organizations to
>> understand what SELinux does or is supposed to do: In all of the
>> organizations in which I am personally involved (which includes a major
>> research University), all of the system administrators I have met
>> disable SELinux as the very first thing they do after installing the
>> OS. Most of them disable SELinux without having any real understanding
>> of what it does, and the reason they give, when asked, is because they
>> want everything to "just work". When an AVC denial occurs, they don't
>> even want to know what it means or why it occurs, they just know that
>> "the AVC denial breaks their service" and disabling SELinux "fixes their
>> service".
>
> True, but this is not because security (or SELinux) is boring, it is because
> it is considered hard (an expert field).
>
> I hope that the amount of organizations that disable SELinux on first sight
> shrinks every day. In the organization I work, they considered SELinux
> during the intake of Linux and decided to continue with it, seeing that it
> is easier to disable it in exceptional circumstances than enable it in
> exceptional circumstances (think DMZ or other).
Good call in my view. That is also my reasoning for removing the
unconfined_domain by default. It is easier to put them in than it is to
remove them without breaking things.
>
> Wkr,
> Sven Vermeulen