Your loss. I agree that the way it's sold as "EASY" (caps appropriate) is a bit ridiculous, but SELinux does add a strong layer of protection from vulnerabilities in one service leading to total server pwnage. Ignore the rhetoric and try to work with it - the peace of mind pays off.
What if an app does something during runtime that you had not catered for? This effectively means potential downtime for the app while your admins are trying to figure out why the app is failing.
I agree SELinux adds something to the table, but the article shows two examples (httpd_sys_content_t and httpd_can_network_connect). Let's assume there is a third httpd_can_foo_bar that is required down the line. And then a http_can_bar_quux a few hours after that. All in all this can be a bit risky. Perhaps if there was an easier way to administer SELinux?
saywatnow|9 years ago
sgt|9 years ago
jlgaddis|9 years ago