[CentOS] Centos 5.x SElinux issues

Thu Mar 5 20:06:15 UTC 2009
Jim Wildman <jim at rossberry.com>

On Fri, 6 Mar 2009, Noob Centos Admin wrote:

> Just my noob opinion, that if there's no practical and definitive
> benefit from enabling SELinux, for the time being until it is matured,
> the best thing to do is just set it to off. Otherwise, it just
> generally causes trouble and runs up tons of log as it is.
>
> I'd love to be enlightened on this though :)

There are VERY definitive benefits to running SELinux.  The best
description I've found is that it is like an iron cage on the inside of
a window.  Even if something gets past the glass, it's still inside a
window.  I've had SELinux stop exploits against php scripts on
production servers.  It is also a great training tool for teaching you
what "common practices" you've picked up are a bad idea (i.e., cp'ing
stuff around as root).

That said, it does generate some very obtuse log messages (the
deciphering of which will teach you even more).

----------------------------------------------------------------------
Jim Wildman, CISSP, RHCE       jim at rossberry.com http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best
state, is a necessary evil; in its worst state, an intolerable one."
Thomas Paine