On 9/21/07, Andrew Kelly <akelly@xxxxxxxxxxxx> wrote:
> On Fri, 2007-09-21 at 09:59 -0500, Mike McCarty wrote:
> > Tim wrote:
> > > On Thu, 2007-09-20 at 15:36 -0500, Mike McCarty wrote:
> > >
> > >>It's too bad that Red Hat has jumped on the SELinux bandwagon
> > >>so wholeheartedly. That is, it is for those of us who don't like
> > >>it, but want to use Red Hat products or projects.
> > >
> > >
> > > One of the (almost) unsung benefits of it is to do with created
> > > software.
> > >
> > > If the programmers use a system with SELinux, they're forced into
> > > writing their software better. And we end up with software which
> >
> > They are forced into writing it SELinux aware. That is not
> > part of my definition of "better".
> >
> > [snip]
> >
> > > On the other hand, without any SELinux, trying to make your system
> > > secure, when you're using programs that the software authors had
> > > free-range to do any old crap in the first place, is much more
> > > difficult.
> >
> > I don't like to load and run crap. Do you?
> > That's one reason I don't have SELinux enabled on the machines
> > I administer. Not all of them are FC2, BTW.
> >
> > Note that SELinux does not attempt to make a machine more
> > secure, except in a very general sense. It attempts to mitigate
> > damage on a machine WHICH IS ALREADY COMPROMISED.
> >
> > It does little AFAICT to prevent compromise.
> >
> > Mike
> >
> Quick hit and run, here, before I call it a weekend...
>
> My cousin is an auto mechanic and several years ago he said something
> which you've just repeated in different terms.
>
> We were arguing Air Bag vs Anti-Lock Braking System. He said given the
> choice of only one, it would be insanity to take the AB.
> I says, "Huh?".
> He says, "Isn't it more important to avoid the accident in the first
> place?"
>
> Brilliant.
>
> Of course the right choice is to have them both, but given the choice of
> one, you're on the money IMO, Mike.
>
> Andy

Why would someone have to choose only one?

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )