On 9/21/07, Mike McCarty <Mike.McCarty@xxxxxxxxxxxxx> wrote: > Arthur Pemberton wrote: > > > > I either run it (in targeted mode) or I don't - I do on servers, don't > > on desktops/laptops > > Then we are agreed on this point, at least: If SELinux has benefit, > then it is still an installation dependent issue whether the > cost outweighs the benefit, or vice versa. I have a desktop which > has exactly one LAN connected machine, my firewall. The firewall > on the WAN side is connected exactly to one machine, an ADSL modem. > > It does not make sense to install and run software which one does > not ever intend to use. Simply having it on the machine but disabled > makes the machine potentially less secure, but gives no benefit. > Even "disabled", it is present, and code is actively being executed, > though I'm sure much less of it gets executed than otherwise. > > Mike > -- > p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} > Oppose globalization and One World Governments like the UN. > This message made from 100% recycled bits. > You have found the bank of Larn. > I can explain it for you, but I can't understand it for you. > I speak only for myself, and I am unanimous in that! I don't think it is even possible to have SELinux work as separate type install. If so, push for that. The selinux tools are useland, but I'm pretty sure (subject to correction) that SELinux is part of the kernel itself. Maybe you could ask for a non selinux kernel to be made available for Fedora. However, just to speak to one of your past points, if you're not worried about the attack vectors that SELinux prevents, I don't think you should be worried with the (possible) attack vectors that the disabled SELinux code introduces. -- Fedora 7 : sipping some of that moonshine ( www.pembo13.com )