[ Originally Posted: 04 Apr 2013 13:45 as a comment at Ars Technica ]
BillCole wrote: I would suggest that it’s not a reason to switch off SELinux, but instead a reason to find new humans to be responsible for that server. The only reason to switch off SELinux on a web server is a lack of human capacity to define the necessary policies.
You’ve caught me! I am in fact a subversive sysadmin agitator roaming the net planting the logical seeds to counterpunch the trend of replacing highly skilled (and highly compensated) sysadmins with low-skill (i.e. low-cost) button-pushers. That trend is facilitated by increasingly sophisticated system management tools that guys like me have built to free up our time to hang out all day on /. and Ars, foolishly leaking their existence to Management, which responds to phrases like “it’s all automatic” and “any idiot can do it” with jolly rejoinders like “reduced human resource costs” and “human change management.” In my defense, I’m only spreading the gospel of hiring more and better sysadmins because I’m only about half done with making a living as one and would rather not abandon the profession to stay employed.
But aside from that tangent: Yes, it is increasingly important for the people in direct operational control of exposed servers to have the talents, skills, and time necessary to understand and evaluate the “work” done by the increasingly powerful “idiot-proof” tools used to manage them. Any idiot can instantiate 100 new LAMP-stack VPSs with 10 seconds of pointy-clicky and a few minutes of waiting for them to all deploy and boot, but keeping such a herd of systems safe and useful will probably always demand the ongoing support of multiple professional system administrators. Humans are devising the new modes of attack and subterfuge after a compromise, so the proliferation of effectively discrete systems demands a proliferation of similarly-skilled humans working on defense and detection.