On Sat, Nov 27, 2010 at 5:52 PM, Marko Vojinovic vvmarko@gmail.com wrote:
On Saturday 27 November 2010 18:57:50 Benjamin Franz wrote:
On 11/26/2010 05:17 PM, Patrick Lists wrote:
What's with people recommending to turn off SELinux?! That's just bad advice and like recommending people keep their doors unlocked at all times. Really, stop doing that. SELinux is there for a reason.
SELinux is like a automatic collision avoidance system for an airplane that unpredictably crashes the plane during normal flight. While the basic idea is good, until it stops crashing planes without warning it isn't going to be accepted.
I don't understand this analogy. I have never seen SELinux crashing the system or doing some damage otherwise. What experience do you have with SELinux crashing anything on a working system?
The "working system" in that analogy is software, not necessarily nor even likely to be the kernel itself. But yes, it can trash a production critical web or software application that didn't follow the sensible, but often poorly understood, policies of SELinux. This is particularly common with 3rd party web applications, the sort of thing we grab from Sourceforge and try ourselves. (Lilac, the Nagios configuration tool, particularly comes to mind.)
It is not enough that it mitigates certain classes of attacks when it actively breaks running systems *more often* than it mitigates attacks. And that is my personal experience. Every year or two I try turning it on on a few systems. And then, after it suddenly decides to break a previously stable system - it gets turned back off.
If your system was running for some time with SELinux disabled (not in permissive mode, but disabled), turning it on without doing a proper relabeling of the filesystem is known to be a very Bad Idea. Typically all problems that occur in this situation can be eliminated by relabeling the whole filesystem once. Maybe that was the step you missed?
I'd have to dig back to rediscover the Lilac issues, but I remember running out of time to sort them all out and having to leave SELinux off of that server.