[CentOS] SELinux - way of the future or good idea but !!!
Marko Vojinovic
vvmarko at gmail.com
Sat Nov 27 22:52:21 UTC 2010
On Saturday 27 November 2010 18:57:50 Benjamin Franz wrote:
> On 11/26/2010 05:17 PM, Patrick Lists wrote:
> > What's with people recommending to turn off SELinux?! That's just bad
> > advice and like recommending people keep their doors unlocked at all
> > times. Really, stop doing that. SELinux is there for a reason.
>
> SELinux is like an automatic collision avoidance system for an airplane
> that unpredictably crashes the plane during normal flight. While the
> basic idea is good, until it stops crashing planes without warning it
> isn't going to be accepted.
I don't understand this analogy. I have never seen SELinux crashing the system
or doing some damage otherwise. What experience do you have with SELinux
crashing anything on a working system?
> It is not enough that it mitigates certain classes of attacks when it
> actively breaks running systems *more often* than it mitigates attacks.
> And that is my personal experience. Every year or two I try turning it
> on on a few systems. And then, after it suddenly decides to break a
> previously stable system - it gets turned back off.
If your system was running for some time with SELinux disabled (not in
permissive mode, but disabled), turning it on without doing a proper
relabeling of the filesystem is known to be a very Bad Idea. Typically all
problems that occur in this situation can be eliminated by relabeling the
whole filesystem once. Maybe that was the step you missed?
HTH, :-)
Marko
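A small shell helper, added here as an example and not part of the original thread, that stages the transition Marko describes: if /etc/selinux/config still says `disabled`, it switches the config to `permissive` and creates `/.autorelabel` so the whole filesystem is relabeled on the next boot (the same thing `fixfiles onboot` does); only a system already booted permissive is moved to `enforcing`. The config path and root directory are parameters so the steps can be dry-run in a scratch directory.

```shell
#!/bin/sh
# Example helper (not from the original post). Assumes the CentOS layout:
# /etc/selinux/config holds SELINUX=..., and a /.autorelabel file makes the
# init scripts relabel every filesystem on the next boot.

# Print the SELINUX= mode (enforcing|permissive|disabled) from a config file.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line in $1 to mode $2 (temp file + mv, no sed -i).
set_config_mode() {
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stage one step of the switch. $1 = config file, $2 = root dir holding
# .autorelabel, $3 = mode wanted in the end. Prints the action taken.
prepare_switch() {
    cfg="$1"; root="$2"; want="$3"
    cur=$(config_mode "$cfg")
    case "$cur" in
        disabled)
            # Files written while SELinux was disabled carry no or stale
            # labels, so a full relabel must run before any enforcing boot.
            # Boot permissive first so denials are logged, not enforced.
            set_config_mode "$cfg" permissive
            : > "$root/.autorelabel"
            echo "relabel-then-permissive"
            ;;
        permissive)
            # Only go enforcing once the relabeled system has booted and the
            # audit log shows no unexpected denials.
            if [ "$want" = enforcing ]; then
                set_config_mode "$cfg" enforcing
                echo "enforcing"
            else
                echo "unchanged"
            fi
            ;;
        enforcing)
            echo "unchanged"
            ;;
        *)
            echo "unknown mode: '$cur'" >&2
            return 1
            ;;
    esac
}
```

Run it once before each reboot; the first call schedules the relabel and boots permissive, the second (after a clean permissive run) moves to enforcing.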