[CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

Wed May 26 15:44:09 UTC 2010
Benjamin Franz <jfranz at freerun.com>

On 05/26/2010 07:40 AM, Craig White wrote:
>
> you can't make a useful argument out of ignorance. If you don't want to
> use SELinux, then disable it. Otherwise, learn to understand how it
> operates and deal with it.
>
> one certain way to cause issues with SELinux is to copy files created in
> other directories or other computers onto another computer because it
> will not have the proper security contexts so the way to fix that is to
> make sure your policy files are all up to date and then relabel your
> file system which should set the contexts to their proper labels.
>    

I can make a useful argument from experience. Over the last few years, 
as Redhat has progressively deployed SELinux, I have had *several* 
incidents (the most recent only a few weeks ago) where updates to 
SELinux broke existing, stable, systems. Each time sucking up hours of 
my time to diagnose and fix. And (as in this incident) there are not 
always useful error messages to track it with.

The *theoretical* system security improvement of SELinux is trumped by 
the *practical* observation that I have had existing systems broken by 
SELinux multiple times on the mere handful of systems I have run it on 
in enforcing mode,  but have yet to see a single one of several dozen 
(all internet exposed) up-to-date *non*-SELinux systems hacked.

It is a 'safety' feature that is in practice more dangerous to system 
stability than what it is trying to fix. It is like having air bags in 
your car that go off at random times while you are driving: It is NOT 
acceptable behavior.

-- 
Benjamin Franz