Benjamin wrote:
On 05/26/2010 07:40 AM, Craig White wrote:
You can't make a useful argument out of ignorance. If you don't want to use SELinux, then disable it. Otherwise, learn to understand how it operates and deal with it.
One certain way to cause issues with SELinux is to copy files created in other directories or other computers onto another computer, because they will not have the proper security contexts. The way to fix that is to make sure your policy files are all up to date and then relabel your file system, which should set the contexts to their proper labels.
I can make a useful argument from experience. Over the last few years, as Red Hat has progressively deployed SELinux, I have had *several* incidents (the most recent only a few weeks ago) where updates to SELinux broke existing, stable systems. Each time sucking up hours of my time to diagnose and fix. And (as in this incident) there are not always useful error messages to track it with.
<snip> And the SELinux folks (I'm on the Fedora SELinux mailing list) don't like to accept that *they* have bugs. For example, we're stuck with CA's SiteMinder (*gag*). SELinux complains about it writing to its own logfile, /var/log/httpd/smwagent.log. The AVI, when I run sealert, tells me to fix it by setting httpd_unified to on. I've done that, numerous times, which tells me that *they* have a logical flaw in their error handling, and it's *not* telling me the correct cause/solution.
They didn't suggest I file a bug report when I mentioned it on the list. Maybe I'll do it again....
mark
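
An added example, not part of any poster's message: a Python triage of AVC denial records that separates the mislabeled-file case Craig describes from a denial on a file that already carries the expected label. The log lines, the `EXPECTED_TYPES` table and the function names are constructed for illustration; `httpd_log_t` as the type for `/var/log/httpd` is an assumption taken from the stock targeted policy.

```python
import re

# Constructed sample records in audit.log AVC format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1274870400.101:411): avc:  denied  { write } for  pid=2301 comm="httpd" path="/var/log/httpd/smwagent.log" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1274870460.207:412): avc:  denied  { write } for  pid=2301 comm="httpd" path="/var/log/httpd/smwagent.log" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1274870460.207:412): arch=c000003e syscall=1 success=no exit=-13
"""

# Assumption: expected file type per directory prefix (stock targeted policy).
EXPECTED_TYPES = {"/var/log/httpd/": "httpd_log_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?path="(?P<path>[^"]+)".*?scontext=(?P<scon>\S+)'
    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def triage(log_text):
    """Classify each AVC denial as a labeling problem or a policy denial."""
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no contexts
        path, actual = m["path"], selinux_type(m["tcon"])
        expected = next((t for prefix, t in EXPECTED_TYPES.items()
                         if path.startswith(prefix)), None)
        if expected is None:
            verdict = "unknown-path"   # no expectation recorded for this path
        elif actual != expected:
            verdict = "mislabeled"     # relabel the file, e.g. restorecon
        else:
            verdict = "policy"         # label is right; look at rules/booleans
        findings.append({"path": path, "perms": m["perms"].split(),
                         "domain": selinux_type(m["scon"]), "actual": actual,
                         "expected": expected, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["verdict"], f["domain"], f["perms"], f["path"], f["actual"])
```
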