[CentOS] SELinux - way of the future or good idea but !!!

Marko Vojinovic vvmarko at gmail.com
Sat Nov 27 17:52:21 EST 2010


On Saturday 27 November 2010 18:57:50 Benjamin Franz wrote:
> On 11/26/2010 05:17 PM, Patrick Lists wrote:
> > What's with people recommending to turn off SELinux?! That's just bad
> > advice and like recommending people keep their doors unlocked at all
> > times. Really, stop doing that. SELinux is there for a reason.
> 
> SELinux is like a automatic collision avoidance system for an airplane
> that unpredictably crashes the plane during normal flight. While the
> basic idea is good, until it stops crashing planes without warning it
> isn't going to be accepted.

I don't understand this analogy. I have never seen SELinux crashing the system 
or doing some damage otherwise. What experience do you have with SELinux 
crashing anything on a working system?
 
> It is not enough that it mitigates certain classes of attacks when it
> actively breaks running systems *more often* than it mitigates attacks.
> And that is my personal experience. Every year or two I try turning it
> on on a few systems. And then, after it suddenly decides to break a
> previously stable system - it gets turned back off.

If your system was running for some time with SELinux disabled (not in 
permissive mode, but disabled), turning it on without doing a proper 
relabeling of the filesystem is known to be a very Bad Idea. Typically all 
problems that occur in this situation can be eliminated by relabeling the 
whole filesystem once. Maybe that was the step you missed?

HTH, :-)
Marko



More information about the CentOS mailing list