On Friday, June 29, 2007 7:19 PM -0700 Rogelio Bastardo scubacuda@gmail.com wrote:
> I was banging my head against the wall trying to figure out why my Nagios install wasn't working on CentOS 4.5 (I'm used to Debian), and so I disabled SELinux and everything magically started working.
> Is this a good long-term idea? Or is there a better way of doing things?

SELinux is a tool, part of a suite of defenses you deploy as part of "defense in depth" to protect your assets. Only you can decide how valuable your assets are and how much effort you should expend protecting them. (But a usurped box also hurts the rest of us, once it becomes a bot available to spam or otherwise attack other hosts.)
You should have other techniques in play to defend your system, such as iptables, TCP wrappers, LUA, SSL, and strong passwords. SELinux presents another hurdle that attackers must get past.
My policy is not to permanently disable it but to figure out how to use it. I'm currently reading the two premier books on it to understand it. So far I haven't had to disable it to get things working, but I've had to defer deployment of some services or figure out workarounds.