[CentOS] SELinux - way of the future or good idea but !!!

Wed Dec 8 10:22:41 UTC 2010
David Sommerseth <dazo at users.sourceforge.net>

On 30/11/10 03:52, cpolish at surewest.net wrote:
> Christopher Chan wrote:
>> Les Mikesell wrote:
[...snip...]
>> As was already mentioned in another post, run in permissive mode, for a 
>> few days if you must, and go through all the things the software does 
>> and voila! setroubleshoot and/or logs tell you what needs doing.
> 
> Very optimistic, that. In my shop, some things run annually.
> A comprehensive system test = production, for a year. Just
> this morning a 1099 (annual tax-form) script failed in test. 

So you would rather disable SELinux completely - 365 days a year, rather
than to switch to permissive mode when running this script once a year?

I'm sorry, but I'm not able to follow that logic.

In fact after running successfully in permissive mode once, you should
be able to figure out what your script does, use audit2allow and get a
proper SELinux module for it ready in a matter of minutes or hours
(depending on how invasive the script is).


kind regards,

David Sommerseth