[refpolicy] Question: and the policy grows...
Mark Montague
mark at catseye.org
Thu Mar 17 18:08:45 CDT 2011
On March 17, 2011 16:24 , Sven Vermeulen <sven.vermeulen at siphos.be> wrote:
> It is a good thing that RedHat and other (commercial) distributions are
> (starting to) offer SELinux-enabled systems by default. By integrating it
> immediately (and not offering it as an "additional" option) they somewhat
> force organizations to at least understand what it does or is supposed to
> do. By having the non-commercial distributions focus on SELinux more and
> more, this will also create awareness in the community.
I agree that it is good that Red Hat and others are offering
SELinux-enabled systems by default.
However, I strongly disagree that this forces organizations to
understand what SELinux does or is supposed to do: In all of the
organizations in which I am personally involved (which includes a major
research University), all of the system administrators I have met
disable SELinux as the very first thing they do after installing the
OS. Most of them disable SELinux without having any real understanding
of what it does, and the reason they give, when asked, is because they
want everything to "just work". When an AVC denial occurs, they don't
even want to know what it means or why it occurs, the just know that
"the AVC denial breaks their service" and disabling SELinux "fixes their
service".
A central security team mandating SELinux could help make headway at the
organizations with whom I work, but I have not had a lot of luck with
them either, as MAC solutions are simply not something they care about
at this time, regardless of platform.
--
Mark Montague
mark at catseye.org
More information about the refpolicy
mailing list