[CentOS] selinux

Thu Apr 22 20:11:19 UTC 2010
m.roth at 5-cent.us <m.roth at 5-cent.us>

> m.roth at 5-cent.us wrote:
>>>> Does anyone know? Are we, with CentOS, that far behind with something
>>>> like this, which isn't even a port, but a policy?
>>> I dunno about CentOS but on Fedora I just look at the message in the
>>> log file (/var/log/messages IIRC) and it gives me a command to execute
>>> to view more details. When I do that, I get a window that comes up
<snip>
>> Yeah, I can use audit2allow. The trouble is that I don't know the
>> ramifications of just adding that policy on an ad hoc basis - it might
>> open it up for a real attack.
>
> Of course you should be cautious of opening up things you do not fully
> understand, but you're running in permissive mode meaning that you are
> already wide open from an SELinux perspective so adding a custom policy
> and putting SELinux back into enforcing mode isn't going to put you any
> more at risk other than maybe giving you some false sense of security.

Yes, but I have some systems that *do* have it enforcing, and some that
are permissive are also production (as in, websites visible to the world),
and I want to test my changes before I put them on the enforcing
servers....

          mark
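As an added illustration of the concern raised in this thread (example code, not from the list, CentOS or audit2allow itself): a small Python approximation of what audit2allow derives from AVC denial lines, run over constructed log entries, which groups the denied permissions into allow rules and flags the ones a reviewer would want to examine before loading the module on an enforcing server. The REVIEW_PERMS set is this example's own assumption, not an SELinux-defined list.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials in the format seen in /var/log/messages or audit.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1271966123.456:1234): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1271966123.789:1235): avc:  denied  { write } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1271966124.001:1236): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# Pull the denied permissions, source type, target type and object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

def parse_denials(log_text):
    """Return {(source_type, target_type, class): set(permissions)} across all AVC lines."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def to_allow_rules(rules):
    """Render the grouped denials as the allow rules audit2allow would propose."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

# Permissions worth a second look before enforcing (assumed list for this example).
REVIEW_PERMS = {"write", "append", "create", "unlink", "execute", "setattr", "name_connect"}

def review(rules):
    """Return the rules whose permissions intersect REVIEW_PERMS, with the flagged perms."""
    return {key: sorted(perms & REVIEW_PERMS)
            for key, perms in rules.items() if perms & REVIEW_PERMS}

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for rule in to_allow_rules(found):
        print(rule)
    for key, flagged in review(found).items():
        print("REVIEW:", key, flagged)
```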