[CentOS] SELinux - way of the future or good idea but !!!
vvmarko at gmail.com
Sat Nov 27 17:52:21 EST 2010
On Saturday 27 November 2010 18:57:50 Benjamin Franz wrote:
> On 11/26/2010 05:17 PM, Patrick Lists wrote:
> > What's with people recommending to turn off SELinux?! That's just bad
> > advice and like recommending people keep their doors unlocked at all
> > times. Really, stop doing that. SELinux is there for a reason.
> SELinux is like a automatic collision avoidance system for an airplane
> that unpredictably crashes the plane during normal flight. While the
> basic idea is good, until it stops crashing planes without warning it
> isn't going to be accepted.
I don't understand this analogy. I have never seen SELinux crashing the system
or doing some damage otherwise. What experience do you have with SELinux
crashing anything on a working system?
> It is not enough that it mitigates certain classes of attacks when it
> actively breaks running systems *more often* than it mitigates attacks.
> And that is my personal experience. Every year or two I try turning it
> on on a few systems. And then, after it suddenly decides to break a
> previously stable system - it gets turned back off.
If your system was running for some time with SELinux disabled (not in
permissive mode, but disabled), turning it on without doing a proper
relabeling of the filesystem is known to be a very Bad Idea. Typically all
problems that occur in this situation can be eliminated by relabeling the
whole filesystem once. Maybe that was the step you missed?
More information about the CentOS