[CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
Gordon Messmer
yinyang at eburg.com
Thu May 27 03:23:57 UTC 2010
On 05/26/2010 08:44 AM, Benjamin Franz wrote:
>
> I can make a useful argument from experience. Over the last few years,
> as Redhat has progressively deployed SELinux, I have had *several*
> incidents (the most recent only a few weeks ago) where updates to
> SELinux broke existing, stable, systems. Each time sucking up hours of
> my time to diagnose and fix. And (as in this incident) there are not
> always useful error messages to track it with.
Except that in this incident, there WERE useful error messages. The OP
simply didn't know that he needed to look in /var/log/audit/audit.log.
> The *theoretical* system security improvement of SELinux is trumped by
> the *practical* observation that I have had existing systems broken by
> SELinux multiple times on the mere handful of systems I have run it on
> in enforcing mode, but have yet to see a single one of several dozen
> (all internet exposed) up-to-date *non*-SELinux systems hacked.
You are comparing two unlike things. You can't very well judge the
benefits of SELinux based on a system which hasn't needed its protection.
> It is a 'safety' feature that is in practice more dangerous to system
> stability than what it is trying to fix.
I advise administrators to test all updates on non-production systems.
SELinux updates are no exception.
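Gordon's point is that the denial was already recorded in /var/log/audit/audit.log; the work is just knowing how to read the AVC records there. As an added example (not code from this thread or from CentOS), the shell function below pulls each "avc: denied" record out of an audit log and prints the process, the denied permission, the object class and the source/target contexts. The log lines in AUDIT_SAMPLE are constructed for illustration and the contexts, paths and PIDs in them are assumptions, not values from the original incident.

```shell
#!/bin/sh
# Constructed audit.log excerpt for the demo (not from the original thread).
# Two AVC denials for smbd, one unrelated SYSCALL record, one granted AVC.
AUDIT_SAMPLE='type=AVC msg=audit(1274931000.123:45): avc:  denied  { read } for  pid=2345 comm="smbd" name="smb.conf" dev=sda1 ino=12345 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1274931000.123:45): arch=c000003e syscall=2 success=no exit=-13 items=0 pid=2345 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1274931001.456:46): avc:  denied  { name_bind } for  pid=2345 comm="smbd" src=4450 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1274931002.789:47): avc:  granted  { setcontext } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process'

# avc_denials [audit-log]
# Print one line per AVC denial in the form:
#   <comm> denied <perm> on <tclass> (<scontext> -> <tcontext>)
# Defaults to /var/log/audit/audit.log, which is normally root-only.
avc_denials() {
    awk '
    /^type=AVC / && / denied / {
        comm = ""; perm = ""; tclass = ""; sctx = ""; tctx = ""
        # The denied permission set sits between the braces.
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        # Remaining fields are key=value tokens separated by whitespace.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            if ($i ~ /^scontext=/) { sctx = substr($i, 10) }
            if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
        }
        printf "%s denied %s on %s (%s -> %s)\n", comm, perm, tclass, sctx, tctx
    }' "${1:-/var/log/audit/audit.log}"
}

# Demo on the constructed sample; in real use just run:
#   avc_denials /var/log/audit/audit.log
sample_file=$(mktemp)
printf '%s\n' "$AUDIT_SAMPLE" > "$sample_file"
avc_denials "$sample_file"
rm -f "$sample_file"
```

The first summary line (smbd denied read on a file labelled user_home_t) is the shape of denial that a mislabelled smb.conf or share directory produces; the second (name_bind on port_t) is what you see when a daemon is told to bind a port its policy does not cover. Reading the scontext/tcontext pair tells you whether the fix is a relabel of the object (restorecon) or a policy change, which is the diagnosis the OP was missing.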