On 07/28/2009 04:22:09 PM, Sebastien Raveau wrote:
> If I understand you correctly, that is, if you are suggesting that
> OpenVPN should automatically apply a SELinux context if setcon() is
> available... I'll have to disagree with you. Not that I reject the
> idea of enforcing security measures by default, but because when you
> google for "selinux howto", half of the first-page results are on how
> to *disable* SELinux. Apparently not everybody likes it, and they have
> a right to, so I believe we should not force it upon them :-)

SELinux is a great idea, in theory. In practice I find the cost/benefit such that I wind up turning it off. I'd love to have it available and working in "stock" situations, and have the (easy to do) option of turning it off if desired. If nothing else it gets in the way of development/deployment. After something's working then it's possible to go back and figure out which permissions need enabling.

Because of the complication it would also be highly desirable, except for a possible "off/monitor mode/on" switch, if it would integrate with the rest of SELinux so there's not yet more configuration. I assume that this is the natural approach to take, but figured I'd mention it anyway.

Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward."
                -- Robert A. Heinlein