[CentOS] SELinux - way of the future or good idea but !!!
vvmarko at gmail.com
Sun Nov 28 12:06:15 UTC 2010
On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote:
> On Sat, Nov 27, 2010 at 9:21 PM, John R. Dennison <jrd at gerdesas.com> wrote:
> > You run it in Permissive mode, you deal with the exceptions as
> > they arise while the software is running in its normal
> > environment and while it's running normally using any of the
> > documented methods. You thoroughly test the application in such
> > a manner and once you have ironed out any and all issues by
> > putting together a custom policy, setting the right SELinux
> > booleans, etc, you then enable Enforcing mode. There is really
> > no reason that SELinux should have a negative impact on your
> > application or server if you use Permissive first.
> You forgot "take on becoming the SELinux integration manager for that
> project with every single update".
Every single update? Update of what?
SELinux policy updates do not modify any local policy configuration and
settings (if you have them set up in a proper way). It works just as John
explained above --- run SELinux in permissive mode in usual working
environment and see if there are any denials. To begin with, if all other apps
on your machine are ok, there shouldn't be any denials. If there are, it is
typically either a bug in the app causing the denial, or insecure configuration
settings for that app. In both cases it has nothing to do with SELinux and
should be addressed elsewhere. SELinux is actually doing you a favor by
pointing out security holes in your system. Still, if you decide that you
still want to use the buggy and insecure app/configuration, you can modify local
SELinux settings to allow access. You do it once, and it works. Updating
SELinux policy will not change that.
If you are talking about updating a custom app that keeps conflicting with
SELinux, then it's the problem with the app itself --- collect all denials and
report a bug upstream against that app. No program that works correctly should
ever produce any denials. If upstream doesn't care, you chose a bad app for your
system. Especially if it is a production system.
In either case, it doesn't require any serious maintenance time from the
sysadmin. Just one afternoon to learn how to use SELinux properly.
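The permissive-mode review that John and the reply describe, as an added example that is not from the thread: a POSIX shell function that reduces AVC lines from audit.log to one line per distinct denial (the list of decisions the sysadmin actually has to make), followed by the command sequence of the review itself. The audit lines, the httpd service and the boolean named in the comment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed audit.log excerpt: an httpd
# process denied read on a home-directory file (twice) and a TCP connect to MySQL.
SAMPLE_AUDIT='type=AVC msg=audit(1290945600.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1290945601.456:46): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1290945601.456:46): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1290945602.789:47): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Read audit lines on stdin; print "count comm perms source_type target_type class",
# one line per distinct denial, most frequent first. Each line is one decision:
# fix the app or its config, set a boolean, or allow it in a local policy module.
summarize_denials() {
    awk '
    /avc:  denied/ {
        perms = ""; inperm = 0; comm = ""; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass") tclass = kv[2]
        }
        count[comm " " perms " " stype " " ttype " " tclass]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# The review itself, run as root on the CentOS host (real commands, not executed here):
selinux_permissive_review() {
    setenforce 0                # Permissive: denials are logged, nothing is blocked
    # ... exercise the application through its normal workload ...
    ausearch -m avc -ts recent | summarize_denials
    # For each distinct denial: fix the app or its file contexts, or flip the boolean
    # that covers it (e.g. setsebool -P httpd_can_network_connect on), or, as a last
    # resort, build and load a local module after reading the generated local.te:
    audit2allow -a -M local && semodule -i local.pp
    setenforce 1                # Enforcing, once a re-run shows no new denials
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_denials
```

Running the block prints two lines, the repeated file read collapsed to a count of 2, so the SYSCALL record and the duplicate are not mistaken for separate problems.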