[CentOS] SELinux - way of the future or good idea but !!!

Marko Vojinovic vvmarko at gmail.com
Mon Nov 29 08:14:39 EST 2010


On Monday 29 November 2010 00:55:47 Nico Kadel-Garcia wrote:
> On Sun, Nov 28, 2010 at 10:39 AM, Bob McConnell <rmcconne at lightlink.com> wrote:
> >> fault of SELinux, and advocating that SELinux is bad because some
> >> manager doesn't know about security is completely wrong IMHO. And
> >> supporting advice given to people on this list to turn off SELinux
> >> because some devs in some company don't do their job right is also
> >> completely wrong.
> 
> No, I question its utility because the engineering effort is
> burdensome, it wastes testing cycles best spent elsewhere, and the
> error messages are.... less than helpful.

Just a small suggestion regarding the error messages --- take a look at 
setroubleshoot, it was designed to help out with making AVC denials more 
human-friendly. And it typically works quite well.

When triggered by a denial, setroubleshoot alerts the user, explains what went 
wrong, why it went wrong and what options you have for fixing it. All that in 
nice plain English :-). Typically it also tells you the exact set of commands 
you need to execute if you wish to modify the policy to allow that particular 
access. If you are aware of the risks and know what you are doing, a couple of 
copy&paste commands in the root prompt removes the SELinux restrictions for 
good. It also works in permissive mode, if you wish to tweak your local policy 
without impacting a runtime environment.

Of course, it is not always a good idea to modify the policy (it would be 
better to remove the problem at app/config level), but sometimes one doesn't 
have a choice, as in your case. :-)

HTH, :-)
Marko
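
The translation step described in the message above, turning a raw AVC denial into a readable sentence, as an added example that is not part of the original message and is not setroubleshoot's own code. The log lines are constructed and the function names are hypothetical; the sketch only parses and explains a denial, it does not suggest policy changes.

```python
import re

# Constructed sample records in the kernel's AVC audit format (not from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1291036479.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1291036479.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1291036480.001:457): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {
        "comm": fields.get("comm", "?"),
        "perms": m.group("perms").split(),
        # A context is user:role:type[:level]; the type is what policy rules match on.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "target": fields.get("name") or fields.get("path") or fields.get("dest"),
        # permissive= is only present on newer kernels; absent is reported as False here.
        "permissive": fields.get("permissive") == "1",
    }

def explain(d):
    """One plain-language sentence per denial."""
    outcome = "logged only (permissive)" if d["permissive"] else "blocked"
    return (f'{d["comm"]} ({d["source_type"]}) was denied {", ".join(d["perms"])} on '
            f'{d["tclass"]} {d["target"]} (labelled {d["target_type"]}): {outcome}')

def summarize(log_text):
    """Explain every AVC denial in an audit log excerpt, skipping other records."""
    return [explain(d) for d in map(parse_avc, log_text.splitlines()) if d]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```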


