[CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

Thu May 27 03:23:57 UTC 2010
Gordon Messmer <yinyang at eburg.com>

On 05/26/2010 08:44 AM, Benjamin Franz wrote:
>
> I can make a useful argument from experience. Over the last few years,
> as Redhat has progressively deployed SELinux, I have had *several*
> incidents (the most recent only a few weeks ago) where updates to
> SELinux broke existing, stable, systems. Each time sucking up hours of
> my time to diagnose and fix. And (as in this incident) there are not
> always useful error messages to track it with.

Except that in this incident, there WERE useful error messages.  The OP 
simply didn't know that he needed to look in /var/log/audit/audit.log.

> The *theoretical* system security improvement of SELinux is trumped by
> the *practical* observation that I have had existing systems broken by
> SELinux multiple times on the mere handful of systems I have run it on
> in enforcing mode,  but have yet to see a single one of several dozen
> (all internet exposed) up-to-date *non*-SELinux systems hacked.

You are comparing two unlike things.  You can't very well judge the 
benefits of SELinux based on a system which hasn't needed its protection.

> It is a 'safety' feature that is in practice more dangerous to system
> stability than what it is trying to fix.

I advise administrators to test all updates on non-production systems. 
SELinux updates are no exception.