[CentOS] SELinux - way of the future or good idea but !!!

Christopher Chan christopher.chan at bradbury.edu.hk
Wed Dec 8 14:13:49 UTC 2010


On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote:
> On 12/8/10 4:22 AM, David Sommerseth wrote:
>> On 30/11/10 03:52, cpolish at surewest.net wrote:
>>> Christopher Chan wrote:
>>>> Les Mikesell wrote:
>> [...snip...]
>>>> As was already mentioned in another post, run in permissive mode, for a
>>>> few days if you must, and go through all the things the software does
>>>> and voila! setroubleshoot and/or logs tell you what needs doing.
>>>
>>> Very optimistic, that. In my shop, some things run annually.
>>> A comprehensive system test = production, for a year. Just
>>> this morning a 1099 (annual tax-form) script failed in test.
>>
>> So you would rather disable SELinux completely - 365 days a year, rather
>> than to switch to permissive mode when running this script once a year?
>>
>> I'm sorry, but I'm not able to follow that logic.
>
> In our case if something fails once a year we lose customers and money.  I'd
> expect that to be fairly common.
>

Again, that particular process is unlikely to be missed and also shown to
be easily mitigated by doing a realtime switch from enforcing to
permissive. Such annual processes are fairly common and usually run 
manually. You have yet to make a compelling case for completely 
disabling SELinux just for this sort of thing.


