[CentOS] SELinux - way of the future or good idea but !!!
sclark at netwolves.com
Mon Nov 29 07:11:07 EST 2010
On 11/27/2010 09:21 PM, John R. Dennison wrote:
> On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote:
>> The "working system" in that analogy is software, not necessarily nor
>> even likely to be the kernel itself. But yes, it can trash a
>> production critical web or software application that didn't follow the
>> sensible, but often poorly understood, policies of SELinux. This is
>> particularly common with 3rd party web applications, the sort of thing
>> we grab from Sourceforge and try ourselves. (Lilac, the Nagios
>> configuration tool, particularly comes to mind.)
>> I'd have to dig back to rediscover the Lilac issues, but I remember
>> running out of time to sort them all out and having to leave SELinux
>> off of that server.
> heh, fail.
> You run it in Permissive mode, you deal with the exceptions as
> they arise while the software is running in its normal
> environment and while its running normally using any of the
> documented methods. You thoroughly test the application in such
> a manner and once you have ironed out any and all issues by
> putting together a custom policy, setting the right SElinux
> booleans, etc, you then enable Enforcing mode. There is really
> no reason that SElinux should have a negative impact on your
> application or server if you use Permissive first.
> CentOS mailing list
> CentOS at centos.org
I don't know how it is now - but I tried running in permissive mode a
few years ago. It would complain about some
file, I would fix the file and the next thing I knew it was complaining
about the same file again, and the file was part
of the redhat installation. After that I gave up and just turned it off.
Sr. Software Engineer III
Email: steve.clark at netwolves.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the CentOS