Personally, I think SELinux can have a steep learning curve and it requires a careful implementation, including
extensive testing of your applications with your proposed policies. If this process is followed, then I think the impact of potential SElinux usability issues is lessened.
As to the broader question of usability versus security? I always say security people are only in business if the business they support can do business. If security makes an application unusable and the business is then hampered in their ability to do business, then this can be as bad as if the application is unavailable due to an attack or compromise. Usability versus security should always be a risk-based balance/trade-off.
Implement the best possible set of security controls, for the optimal cost, to mitigate the most risk. If, for reasons of usability (or cost), you are unable to implement a control then articulate the risk, preferably in business terms like dollars, to of not implementing that control. If they accept that risk (and only they can), then document that acceptance and report it to the appropriate parts of your organization, like risk and audit groups/committees. Ultimately, your salary gets paid by the business making money. If you:
- Appropriately articulate any risk involved in doing business
- Present appropriate and cost-effective controls to mitigate those risks
- Document any risks that have not been mitigated, either by choice or some fundamental inability to mitigate
- Regularly re-evaluate risks and controls.
then you have done your best to secure your organisation in the most appropriate way.
Dig deeper on Linux system security best practices
Related Q&A from James Turnbull
A user wants to implement OSSEC on a Windows server because he has no server side Linux operating system.continue reading
Solaris 10 Trusted Extensions and SELinux are best suited to different system requirements and administrator skill sets. Our security expert explains...continue reading
Configuring spam filters Spamassassin and dspam together in the email server Postfix is easy with the resources listed by our security expert.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.