On Tue, 2006-11-28 at 01:21 -0500, Gene Heskett wrote:
> On Tuesday 28 November 2006 00:32, Tim wrote:
> >On Mon, 2006-11-27 at 23:13 -0500, Gene Heskett wrote:
> >> Now get this! I just totally disabled selinux (It was set permissive)
> >> and cron runs my script. WTF?
> >
> >There's been a few examples where running SELinux in permissive mode has
> >been found to still restrict things, looks like you found another.
> >
> I guess so Tim. How can I go about ripping it out totally? To me, this
> is many times more trouble than ANY perceived security is worth. I'm
> already bulletproofed from the outside, and nothing selinux can do will
> make it bulletproof against me. All it's doing is frustrating me to the
> point of screwing things royally up just trying to figure out how to do
> what I've been doing for years when it decides to kill amanda, apparently
> for no good reason that I can grok.
>
> Time for some sleep I guess, thanks.
----
Security is never about a single point, and a firewall only protects against attempts from the untrusted Internet to enter your LAN. For the record, the only bulletproof method of protection from the Internet is not a firewall...it's not to connect at all. Supposedly good firewall schemes are frequently defeated by people with vast knowledge.

Most importantly, there is a vast array of threats to your systems that won't/can't be blocked by a firewall, such as: scripts that run on web sites, e-mail, graphics, office-type programs, compiling programs from source, installation of binary programs, etc. Unless you fully audit each and every script and understand what it is doing, you can never be certain, which is virtually impossible to do - this is why you don't compile programs, rpms as root, this is why you don't run GUI as root, because everything you do as root has root privileges. This is why all programs from trusted sources have checksums and GPG keys associated with them, so as to ensure that they haven't been tampered with.

Security is about layers, of which not running as root when not absolutely necessary and SELinux are but 2 of those layers. There aren't many left in your world.

Craig