On 07/28/2009 04:22:09 PM, Sebastien Raveau wrote:

> If I understand you correctly, that is, if you are suggesting that
> OpenVPN should automatically apply a SELinux context if setcon() is
> available... I'll have to disagree with you. Not that I reject the
> idea of enforcing security measures by default, but because when you
> google for "selinux howto", half of the first-page results are on how
> to *disable* SELinux. Apparently not everybody likes it, and they have
> a right to, so I believe we should not force it upon them :-)

SELinux is a great idea, in theory.  In practice I find the
cost/benefit such that I wind up turning it off.  I'd love
to have it available and working in "stock" situations,
and have the (easy to do) option of turning it off if
desired.   If nothing else it gets in the way of development/
deployment.  After something's working then it's possible to go back
and figure out which permissions need enabling.

Because of the complication it would also be highly
desirable, except for a possible "off/monitor mode/on"
switch, if it would integrate with the rest of SELinux
so there's not yet more configuration.  I assume that
this is the natural approach to take, but figured I'd
mention it anyway.


Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

