[CentOS] Completely disabling SELinux?

Craig White craigwhite at azapple.com
Sat Jan 24 06:13:02 UTC 2009


On Fri, 2009-01-23 at 23:39 -0600, Robert Nichols wrote:
> nate wrote:
> > 
> > I can certainly see value in SELinux in some environments, I have
> > yet to operate one where it would provide value to me.
> 
> I find that SELinux runs in enforcing mode quite unobtrusively on my
> laptop, where I'm running a pretty much out-of-the-box Fedora 10.
> On my CentOS 5 desktop, though, forget it!  I'm doing too many
> things like a dhclient-exit-hooks script that adjusts named.conf and
> tells the daemon to reload, a script that saves some accounting info
> when iptables is stopped, various cron jobs that invoke constrained
> executables to do horrible things like write something to a file,
> ..., that sort of thing.  Every time I take a stab at enabling
> SELinux in that environment and get close to figuring out enough
> local policy adjustments and custom labeling to make it work, a
> new release comes along and none of what I've done works any more.
> On that system, all removable parts of SELinux have been removed,
> and all security attributes have been purged from the filesystems.
----
Yes and yes.

It seems as though RHEL 5.3 has added all of the tools now in Fedora
9/10 and that means a lot of changes are coming down the pipe for
SELinux on CentOS 5.

But the tools are clearly better tools - i.e. SETroubleShooter.

C'est la vie - the price of adding another layer of security I suppose.

Craig


