by ghshephard 3984 days ago
The users/sysadmins I've known take the following process:

o Run Application

o Get weird error.

o Google the error, see someone mentioning "This is because of SELinux"

o Google how to "Disable SELinux"

I'm not saying that's what they should be doing, just saying it's what I've observed. What's nice about tame is - there is nothing to enable/disable, it's just part of software.


That's pretty much the definition of lazy. Yes, it's one more thing that needs to be learned but that is part of the job.

> What's nice about tame is - there is nothing to enable/disable, it's just part of software.

And what's nice about SELinux (if you learn it) is it applies to the system and everything running on it whether or not it's been written for it. You can even put it in a logging-only mode, and use those logs to generate the needed policies. SELinux will tell you what is going on.

What you point out as nice about tame() means that nothing will use it except what is in the core of OpenBSD.

Completely agree with you that SELinux is a better general solution, applies to a broader community of software, and that users, and certainly sysadmins, should take the time to understand how it works, generate policies for the software they use, and take advantage of the security that it provides.