On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote:
> On Sat, Nov 27, 2010 at 9:21 PM, John R. Dennison jrd@gerdesas.com wrote:
>> You run it in Permissive mode, you deal with the exceptions as they arise while the software is running in its normal environment and while it's running normally using any of the documented methods. You thoroughly test the application in such a manner and once you have ironed out any and all issues by putting together a custom policy, setting the right SELinux booleans, etc, you then enable Enforcing mode. There is really no reason that SELinux should have a negative impact on your application or server if you use Permissive first.
> You forgot "take on becoming the SELinux integration manager for that project with every single update".
Every single update? Update of what?
SELinux policy updates do not modify any local policy configuration and settings (if you have them set up in a proper way). It works just as John explained above --- run SELinux in permissive mode in the usual working environment and see if there are any denials. To begin with, if all other apps on your machine are ok, there shouldn't be any denials. If there are, it is typically either a bug in the app causing the denial, or insecure configuration settings for that app. In both cases it has nothing to do with SELinux and should be addressed elsewhere. SELinux is actually doing you a favor by pointing out security holes in your system. Still, if you decide that you still want to use the buggy and insecure app/configuration, you can modify local SELinux settings to allow access. You do it once, and it works. Updating SELinux policy will not change that.
If you are talking about updating a custom app that keeps conflicting with SELinux, then it's the problem with the app itself --- collect all denials and report a bug upstream against that app. No program that works correctly should ever produce any denials. If upstream doesn't care, you chose a bad app for your system. Especially if it is a production system.
In either case, it doesn't require any serious maintenance time from the sysadmin. Just one afternoon to learn how to use SELinux properly.
HTH, :-)
Marko
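The permissive-first cycle John and Marko describe, written out as a POSIX shell script. This is an added example, not code from the thread or from the SELinux project. The `summarize_avc` function is offline and runs against a few constructed audit.log lines embedded below; it reduces raw AVC records to a count per (source type, target type, class, permission) so you can judge each denial (app bug, misconfiguration, or a documented boolean) before turning it into policy. The `policy_iteration` function lists the real tools for the cycle (`setenforce`, `ausearch`, `setsebool`, `audit2allow`, `semodule`); the module name `local_httpd` and the boolean shown are illustrative, and the function only runs when the script is invoked with `--apply` on a host that actually has SELinux.

```shell
#!/bin/sh
# Constructed sample of what `ausearch -m AVC` / audit.log produce.
# Two read denials on a home-dir file, one outbound connect, one write,
# plus a granted record and a SYSCALL record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1290900000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="data.txt" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1290900000.123:456): arch=c000003e syscall=2 success=yes exit=5 comm="httpd"
type=AVC msg=audit(1290900001.500:458): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1290900002.001:460): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1290900003.250:462): avc:  denied  { write } for  pid=1234 comm="httpd" name="cache.db" dev="dm-0" ino=12400 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1290900004.000:464): avc:  granted  { setsecparam } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Read AVC records on stdin, print "COUNT SOURCE_TYPE TARGET_TYPE CLASS PERM"
# for every distinct denied access. Only "denied" records count; a single
# record listing several permissions yields one line per permission.
summarize_avc() {
    awk '
        /^type=AVC/ && /avc: +denied/ {
            perms = $0
            sub(/.*denied +[{] /, "", perms)   # keep text after "denied  { "
            sub(/ [}].*/, "", perms)           # drop " } for pid=..." onward
            s = ""; t = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
                else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
            }
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) count[s " " t " " c " " p[j]]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort
}

# The permissive-first cycle. Every command here is a real SELinux tool;
# the module name local_httpd and the boolean are illustrative only.
policy_iteration() {
    # 1. Log denials instead of blocking them.
    setenforce 0
    # 2. Exercise the application in its normal environment (not scripted here).
    # 3. Review what was denied before allowing anything: a denial usually
    #    points at an app bug or a misconfiguration, not at a policy gap.
    ausearch -m AVC -ts recent | summarize_avc
    # 4a. If a documented boolean covers the access, prefer it; it survives
    #     policy updates and is reversible.
    #     setsebool -P httpd_can_network_connect on
    # 4b. Otherwise build a local module from the remaining denials.
    ausearch -m AVC -ts recent | audit2allow -M local_httpd
    semodule -i local_httpd.pp
    # 5. Back to enforcing once a clean run produces no denials.
    setenforce 1
}

# Stand-alone run: summarize the constructed sample. The live cycle is
# only entered on explicit request and where setenforce exists.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
if [ "${1-}" = "--apply" ] && command -v setenforce >/dev/null 2>&1; then
    policy_iteration
fi
```

In the summary, a `name_connect` denial from `httpd_t` to a port type is the classic case for a boolean, while `httpd_t` reading `user_home_t` is a labeling question (`semanage fcontext` / `restorecon`) rather than something to allow wholesale; the point of the summary is to force that decision per line instead of feeding the whole log to `audit2allow`.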