[CentOS] aide questions, please

Michael Simpson mikie.simpson at gmail.com
Thu Apr 10 13:35:53 UTC 2008


On 4/10/08, Steve Campbell <campbell at cnpapers.com> wrote:
>
>
> Thanks Mike,
>
> I'm not sure I can do the reboot today as I have had to put the server into
> a temporary production status.
>
> The thing that is sort of bothering me, though, is that so much trouble
> occurs because of selinux when trying to use aide RPMs. Might I not try and
> generate my own rpms without selinux support or just compile from source? Is
> there a way I can disable the selinux stuff when using the Centos rpms? I'm
> still not hearing a definitive answer that selinux is the culprit here and
> modifying filesystems for a test is a little extreme.
>
> I appreciate the help so far, though, and don't mean to sound ungrateful.
>
>
> steve

Hi Steve

I see what you mean.

<http://bugs.centos.org/view.php?id=1973>

This was meant to be sorted by aide 0.13.1.
I suppose that aide is just going that wee bit further with regards to
security by checking for changes in selinux file contexts.

If a file (or process / object) has its context changed then it could
signify an attack especially if you are running the box in enforcing
mode.

I had thought that aide had been patched to allow for null contexts if
compiled to look for them.

I just changed from running selinux in disabled mode on my production
systems to running with selinux enabled (initially in permissive mode
to check for problems then moving to enforcing once the wrinkles were
ironed out).

My main reason for doing so is that we are developing an electronic
patient record for the NHS.
I think selinux is fantastic.

<http://www.coker.com.au/selinux/play.html>

> still not hearing a definitive answer that selinux is the culprit here and
> modifying filesystems for a test is a little extreme.

It's more about adding extended attributes to the existing filesystem.

mike
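
An added example, not part of the original message and not AIDE's own code: a baseline of SELinux file contexts compared against the current state, with unlabeled files (null contexts, e.g. a filesystem without extended attributes) treated as a valid value rather than an error. The function names and the sample paths and contexts are constructed for illustration.

```python
import errno
import os

XATTR = "security.selinux"  # xattr in which Linux stores a file's SELinux context


def read_context(path):
    """Return the SELinux context of path, or None when the file has no label."""
    try:
        raw = os.getxattr(path, XATTR, follow_symlinks=False)
    except OSError as exc:
        # ENODATA: no label on this file; ENOTSUP: filesystem without xattr support
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.rstrip(b"\0").decode()


def snapshot(paths):
    """Map each path to its current context (None for unlabeled files)."""
    return {p: read_context(p) for p in paths}


def diff_contexts(baseline, current):
    """Compare two snapshots; a null context on both sides is not a change."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed", baseline[path], None))
        elif path not in baseline:
            findings.append((path, "added", None, current[path]))
        elif baseline[path] != current[path]:
            findings.append((path, "context-changed", baseline[path], current[path]))
    return findings


# Constructed sample data: a baseline taken earlier vs. the state seen now.
BASELINE = {
    "/etc/shadow": "system_u:object_r:shadow_t:s0",
    "/usr/sbin/sshd": "system_u:object_r:sshd_exec_t:s0",
    "/mnt/data/report.txt": None,  # filesystem mounted without labels
}
CURRENT = {
    "/etc/shadow": "system_u:object_r:etc_t:s0",  # relabelled since the baseline
    "/usr/sbin/sshd": "system_u:object_r:sshd_exec_t:s0",
    "/mnt/data/report.txt": None,  # still unlabeled: must not be reported
}

if __name__ == "__main__":
    for path, kind, old, new in diff_contexts(BASELINE, CURRENT):
        print(f"{kind}: {path}: {old} -> {new}")
```

On a live Linux system, `snapshot()` builds the same kind of mapping from real files; a file that gains or loses its label between snapshots shows up as `context-changed`.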


