[CentOS] SELinux - way of the future or good idea but !!!

Thu Dec 2 23:34:28 UTC 2010
Jerry Franz <jfranz at freerun.com>

On 11/28/2010 09:31 AM, Benjamin Franz wrote:
> [...]
> And then, one day, it won't work. Worse - it doesn't always *log* what
> it is doing in a way that you can figure out. Occasionally not at all.
> So you spend a few hours poking at the system until you try the magic of
> turning off SELinux. And then it starts working again.
>
> My experience is that *unless you have a system configured exactly like
> the defaults*, SELinux is prone to suddenly deciding after an update
> that it doesn't like your configuration anymore. Once because an update
> to SELinux changed the labeling on an existing directory tree - blowing
> away my own applied labeling with no warning. And there are even RH
> supplied rpms that *do not work* with SELinux without SELinux being
> tweaked first.
>

And in an exact example of this, today I needed to update some WordPress 
(WP) installations. Only, for "some reason" the FTP-based autoupdater 
didn't work today.

You guessed it - SELinux had struck again. I have left SELinux active on 
this machine because I don't trust WP not to get hacked. I went out of 
my way to make the system as SELinux friendly as I could when I built it 
because of this. It has had SELinux active right from the start.

But something in the normal yum system updates or other routine system 
operation over the last several months apparently caused the system to 
mis-label part of the directory tree making it so that FTP (which is 
only allowed from the localhost to support WP updating) could no longer 
access some directory trees. No idea why: I'm the only person who has 
logged into the machine since March - and I only log in to run updates. 
It worked on April 26th - but not today.

My fix today? I temporarily disabled SELinux, ran the WP updates, 
touched /.autorelabel and rebooted the machine. And "mysteriously" the 
FTP problem is gone now. This isn't the first time this has happened on 
this machine.

If I wasn't so specifically paranoid about WP, SELinux would be disabled 
on this machine as well.

-- 
Benjamin Franz
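The mislabeling described above can usually be confirmed from the audit log before enforcing mode is ever touched: each blocked access leaves an AVC line naming the process, the denied permission and the label it hit. The script below is an added example, not part of the original post; the audit lines it parses are constructed samples in the format written to /var/log/audit/audit.log, and the vsftpd process, WordPress paths and var_t label are assumptions chosen to match the scenario in the post.

```shell
#!/bin/sh
# Added example (not from the original post): triage SELinux AVC denials
# from an audit log instead of disabling SELinux. SAMPLE_AVC is a constructed
# sample; the daemon (vsftpd), paths and labels are assumptions.

SAMPLE_AVC='type=AVC msg=audit(1291333168.123:4401): avc:  denied  { read } for  pid=2217 comm="vsftpd" name="wp-content" dev=dm-0 ino=131221 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1291333168.456:4402): avc:  denied  { write } for  pid=2217 comm="vsftpd" name="plugins" dev=dm-0 ino=131240 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=USER_LOGIN msg=audit(1291333170.000:4403): pid=2300 uid=0 auid=0 ses=3 msg=op=login acct="root" exe="/usr/sbin/sshd" res=success'

# Reduce each AVC denial on stdin to "comm perm tclass target-type name".
# Sorting and de-duplicating collapses a busy log to the few distinct
# (process, permission, label) combinations an admin actually has to judge.
summarize_avc() {
    grep '^type=AVC ' | grep 'avc:  denied' |
    sed -n 's/.*denied  { \([^}]*\) } for .*comm="\([^"]*\)".*name="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \1 \5 \4 \3/p' |
    sort -u
}

# Number of distinct denials, so a caller can branch on "any at all?".
count_avc() {
    summarize_avc | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
# A generic var_t label on a tree that ftpd_t must reach is the signature of
# a lost file context. On a live host the follow-up is a relabel of just that
# tree, with no change to enforcing mode:
#   restorecon -Rnv /var/www/html   (dry run: lists what would change)
#   restorecon -Rv  /var/www/html   (apply)
```

On a real host, feed the function with `ausearch -m avc -ts recent | summarize_avc`, or with the audit log directly; a denial whose target type is a generic label such as var_t points at a labeling problem, whereas a denial against the expected type points at a policy boolean or a port rule instead.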