Russ herrold wrote:
Quick question: do I really "need" to install the setools/setroubleshoot packages or can I live without them? They want to install 80 packages (gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing all sort of graphical tools/libs on my lean servers. Can I just install setools-console by example?
What does experimentation with yum in a testing mode indicate with the packageset on your box - dependency trees have an effectively infinite number of permutations
My question was more "do I really need this package to work with selinux?" I installed setools-console and so far it seems enough... So, can I skip setroubleshoot?
If you know a must-have "selinux for dummies" like howto, apart from Redhat/Fedora doc or CentOS wiki
What is wrong with the article at: http://wiki.centos.org/HowTos/SELinux
Nothing wrong; I already read it, and will read the redhat doc... Just looking for all the doc I can find on the subject. And maybe also for the hidden secret magic button that will auto-write the hundreds custom policies we will need... Creating a custom policy for an apache to use a non standard rootdir or port seems indeed easy with audit2allow... But several of our servers are more or less 10% standard (rpm based) and 90% custom, with dozens of apps/scripts listening on dozens non standard ports, sockets, accessing many files here and there... So the task is a bit daunting.
Thx, JD
PS: Any one found/made a Zimbra policy module? ^_^
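A toy version of what audit2allow does with the AVC denials mentioned above, added here as an example (not code from the thread or from the setools project). The audit records are constructed, and the hints show the relabeling alternatives (semanage port / semanage fcontext) that a practitioner usually prefers to a blanket allow rule for the non-standard port and docroot case.

```python
import re
from collections import defaultdict

# Constructed sample AVC records, in the shape found in /var/log/audit/audit.log,
# for an httpd bound to a non-standard port and serving an unlabeled docroot.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1315300000.101:42): avc:  denied  { name_bind } for  pid=2100 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1315300000.202:43): avc:  denied  { read } for  pid=2100 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1315300000.203:44): avc:  denied  { open } for  pid=2100 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1315300000.203:44): arch=c000003e syscall=2 success=no exit=-13
"""

# Pull the permission set, source type, target type and object class out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

def parse_denials(text):
    """Collapse AVC lines into {(stype, ttype, tclass): set(perms)}; non-AVC records are skipped."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def to_allow_rules(rules):
    """Render one policy allow rule per (source, target, class), as audit2allow would."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in rules.items()
    )

def suggest_labeling_fix(rules):
    """Flag denials that are better fixed by labeling than by widening the policy.
    For Apache the usual targets are http_port_t and httpd_sys_content_t."""
    hints = []
    for (s, t, c), p in rules.items():
        if c == "tcp_socket" and "name_bind" in p:
            hints.append(f"{s} binding {t}: prefer 'semanage port -a -t <domain>_port_t -p tcp <port>'")
        elif t == "default_t":
            hints.append(f"{s} on {t}: prefer 'semanage fcontext -a -t <expected_t> <path>' + restorecon")
    return sorted(hints)
```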
On Tue, 6 Sep 2011, John Doe wrote:
Nothing wrong; I already read it, and will read the redhat doc... Just looking for all the doc I can find on the subject. And maybe also for the hidden secret magic button that will auto-write the hundreds custom policies we will need... Creating a custom policy for an apache to use a non standard rootdir or port seems indeed easy with audit2allow... But several of our servers are more or less 10% standard (rpm based) and 90% custom, with dozens of apps/scripts listening on dozens non standard ports, sockets, accessing many files here and there... So the task is a bit daunting.
This illustrates a point I was making to Russ offlist...the only way I see to implement selinux in an 'enterprise' environment is to do it on a major version revision. And you will need buy in up to the 'C' level to beat back the murderous hordes of programmers and admins whose stuff will 'break'. Or you sign up to an endless treadmill of piecemeal selinux admin.
(IMO selinux is great...)
----------------------------------------------------------------------
Jim Wildman, CISSP, RHCE jim@rossberry.com http://www.rossberry.net
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine