On Fri, 6 Mar 2009, Noob Centos Admin wrote:
> Just my noob opinion, that if there's no practical and definitive benefit from enabling SELinux, for the time being until it is matured, the best thing to do is just set it to off. Otherwise, it just generally causes trouble and runs up tons of log as it is.
> I'd love to be enlightened on this though :)
There are VERY definitive benefits to running SELinux. The best description I've found is that it is like an iron cage on the inside of a window. Even if something gets past the glass, it's still inside a window. I've had SELinux stop exploits against php scripts on production servers. It is also a great training tool for teaching you what "common practices" you've picked up are a bad idea (i.e., cp'ing stuff around as root).
That said, it does generate some very obtuse log messages (the deciphering of which will teach you even more).
----------------------------------------------------------------------
Jim Wildman, CISSP, RHCE
jim@rossberry.com
http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one."
Thomas Paine