Benjamin wrote:
> On 05/26/2010 07:40 AM, Craig White wrote:
>>
>> you can't make a useful argument out of ignorance. If you don't want to
>> use SELinux, then disable it. Otherwise, learn to understand how it
>> operates and deal with it.
>>
>> one certain way to cause issues with SELinux is to copy files created in
>> other directories or other computers onto another computer because it
>> will not have the proper security contexts so the way to fix that is to
>> make sure your policy files are all up to date and then relabel your
>> file system which should set the contexts to their proper labels.
>
> I can make a useful argument from experience. Over the last few years,
> as Red Hat has progressively deployed SELinux, I have had *several*
> incidents (the most recent only a few weeks ago) where updates to
> SELinux broke existing, stable systems. Each time sucking up hours of
> my time to diagnose and fix. And (as in this incident) there are not
> always useful error messages to track it with.
<snip>

And the SELinux folks (I'm on the Fedora SELinux mailing list) don't like to
accept that *they* have bugs. For example, we're stuck with CA's SiteMinder
(*gag*). SELinux complains about it writing to its own logfile,
/var/log/httpd/smwagent.log. The AVI, when I run sealert, tells me to fix it
by setting httpd_unified to on. I've done that, numerous times, which tells
me that *they* have a logical flaw in their error handling, and it's *not*
telling me the correct cause/solution.

They didn't suggest I file a bug report when I mentioned it on the list.
Maybe I'll do it again....

        mark
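An added example, not part of the thread: a small Python parser that reduces raw AVC denial records to source type, target type, class and permission, so the label on the denied file can be checked against what the policy expects before acting on a suggested boolean. The audit records are constructed for illustration, and the types in them are assumptions, not what the poster's system reported.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread); the labels are
# illustrative assumptions and a real system may show different types.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1274880001.101:501): avc:  denied  { write } for  pid=2345 comm="httpd" name="smwagent.log" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1274880002.202:502): avc:  denied  { write } for  pid=2345 comm="httpd" name="smwagent.log" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1274880003.303:503): avc:  denied  { read append } for  pid=2399 comm="httpd" name="index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1274880003.303:503): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": tuple(sorted(match.group("perms").split())),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
    }


def summarize(text):
    """Count denials per (source type, target type, class, perms, name)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"], rec["name"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).most_common():
        print(n, *key)
```

A target type that does not match the directory the file lives in points to the copied-file labelling problem Craig describes, which a relabel addresses rather than a boolean.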