On Saturday 27 November 2010 18:57:50 Benjamin Franz wrote:
On 11/26/2010 05:17 PM, Patrick Lists wrote:
What's with people recommending to turn off SELinux?! That's just bad advice and like recommending people keep their doors unlocked at all times. Really, stop doing that. SELinux is there for a reason.
SELinux is like a automatic collision avoidance system for an airplane that unpredictably crashes the plane during normal flight. While the basic idea is good, until it stops crashing planes without warning it isn't going to be accepted.
I don't understand this analogy. I have never seen SELinux crashing the system or doing some damage otherwise. What experience do you have with SELinux crashing anything on a working system?
It is not enough that it mitigates certain classes of attacks when it actively breaks running systems *more often* than it mitigates attacks. And that is my personal experience. Every year or two I try turning it on on a few systems. And then, after it suddenly decides to break a previously stable system - it gets turned back off.
If your system was running for some time with SELinux disabled (not in permissive mode, but disabled), turning it on without doing a proper relabeling of the filesystem is known to be a very Bad Idea. Typically all problems that occur in this situation can be eliminated by relabeling the whole filesystem once. Maybe that was the step you missed?
HTH, :-) Marko