[CentOS] SELinux - way of the future or good idea but !!!
nkadel at gmail.com
Sat Nov 27 22:45:54 EST 2010
On Sat, Nov 27, 2010 at 9:21 PM, John R. Dennison <jrd at gerdesas.com> wrote:
> On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote:
>> The "working system" in that analogy is software, not necessarily nor
>> even likely to be the kernel itself. But yes, it can trash a
>> production critical web or software application that didn't follow the
>> sensible, but often poorly understood, policies of SELinux. This is
>> particularly common with 3rd party web applications, the sort of thing
>> we grab from Sourceforge and try ourselves. (Lilac, the Nagios
>> configuration tool, particularly comes to mind.)
>> I'd have to dig back to rediscover the Lilac issues, but I remember
>> running out of time to sort them all out and having to leave SELinux
>> off of that server.
> heh, fail.
> You run it in Permissive mode, you deal with the exceptions as
> they arise while the software is running in its normal
> environment and while its running normally using any of the
> documented methods. You thoroughly test the application in such
> a manner and once you have ironed out any and all issues by
> putting together a custom policy, setting the right SElinux
> booleans, etc, you then enable Enforcing mode. There is really
> no reason that SElinux should have a negative impact on your
> application or server if you use Permissive first.
You forgot "take on becoming the SELinux integration manager for that
project with every single update". I've done that several times now
(and had to step back when the software had major revisions and I no
longer had project time for it). It was a complete waste of my
engineering time and testing cycles, because the upstream authors
simply had no interest or involvement in keeping things consistently
laid out for SELinux integration.
My time was better spent on things like getting the software into
64-bit compatibility and re-arranging it to get it RPM bundled. (I do
a lot of that!!!)
More information about the CentOS