> ...until it doesn't, and then what?

The comment was slightly off-topic and mainly pointed towards his
decision to disable SELinux on a distribution which had enabled it by
default. On Gentoo, if you enable SELinux, see all of the AVCs and
decide to nope right out of there, you are making an informed decision
(by virtue of needing to learn a great deal about SELinux to set it up
in the first place).

> I could have half-assed it with audit2allow, but security-wise that's a
> cop-out.

I'm not sure it's a complete cop-out as long as you read the
suggestions audit2allow is making. The policy you end up with will not
be ideal and will certainly be full of holes, but at least you are
somewhat aware of the risk a given service is to your system.

> I'd like to find a middle ground, and it might be Targeted mode (I was
> attempting Strict). Or, it might be a different system like AppArmor.

Yeah, my ending suggestion was to run in targeted mode (if you wanted
to bother with SELinux at all) but that mainly serves as a workaround
for Desktop-oriented stuff. Containers or virtualization are also
options.
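Reading what audit2allow would grant before loading it, as an added example that is not part of the thread: a small Python script that turns constructed AVC denial lines into the merged allow rules audit2allow would print, then flags the ones a reviewer should look at twice. The risk lists are an assumed review heuristic, not an official classification.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials in audit.log format (not from any real system).
SAMPLE_AVCS = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=1111 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=1201 comm="httpd" name="index.html" dev="sda1" ino=1111 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=1201 comm="httpd" name="shadow" dev="sda1" ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { execmem } for  pid=1201 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+).*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\S+)"
)

# Assumed review heuristics: permissions and target types worth a second look.
RISKY_PERMS = {"execmem", "execstack", "execmod", "write", "setuid", "sys_admin"}
RISKY_TYPES = {"shadow_t", "etc_t", "passwd_file_t"}


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line, ignore it
        src = m.group("sctx").split(":")[2]  # user:role:type:level -> type
        tgt = m.group("tctx").split(":")[2]
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def to_allow_rules(rules):
    """Render the merged rules the way audit2allow prints them."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def review(rules):
    """Flag rules that widen a domain in ways you would not want to wave through."""
    flagged = []
    for (s, t, c), perms in sorted(rules.items()):
        reasons = []
        if perms & RISKY_PERMS:
            reasons.append("risky permission: " + " ".join(sorted(perms & RISKY_PERMS)))
        if t in RISKY_TYPES:
            reasons.append(f"sensitive target type: {t}")
        if reasons:
            flagged.append((f"{s} -> {t}:{c}", "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AVCS)
    print("\n".join(to_allow_rules(found)))
    for rule, why in review(found):
        print("REVIEW:", rule, "-", why)
```

Run it on real denials with `grep avc /var/log/audit/audit.log` piped into parse_avcs; anything the review step flags is a candidate for a label fix or a narrower rule rather than a blanket allow.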