[CentOS] SELinux - way of the future or good idea but !!!
jorge.fabregas at gmail.com
Sun Nov 28 19:06:11 UTC 2010
On Sunday 28 November 2010 13:31:28 Benjamin Franz wrote:
> Worse - it doesn't always log what it is doing in a way that you can figure
> out. Occasionally not at all.
SELinux does have some rate-limiting capabilities built-in to avoid a flood of
identical messages...so the "triggering-event to log ratio" is not 1 to 1. I
understand this may be confusing for troubleshooting purposes but you need to
be aware of this.
> Once because an update to SELinux changed the labeling on an existing
> directory tree - blowing away my own applied labeling with no warning
When you apply custom labels to files many people forget that if there's a
relabel involved (via /.autorelabel or manual filesystem relabel) all your
custom labels are gone UNLESS you update your local policy contexts by doing:
semanage fcontext -a -t new_type_here 'regex_here'
> I've had several instances of SELinux breaking a previously stable
> system after an update to SELinux or its policies. On about the same
> number of machines. The most recent within the last year.
All our CentOS 5 servers have been running smooth with SELinux enabled. I
can't tell from previous versions since I always disabled it (I was
intimidated by it until I decided to take SOME TIME to read about it and
UNDERSTAND it). Once you grasp the essentials isn't that of a big issue
If you are running the packages that come with your distro and you leave the
stuff in their respective places (/var/www/html etc), you shouldn't be doing
In a nutshell, for me, when I suspect there is something related to SELinux
involved I proceed as follows:
1) I'll check the logs to see if there's any AVC message. If there is...
2) I'll check if this is related to a mislabeled file. If it is, I'll fix the
label. If the file in question is on a standard place...a simple restorecon
should work but if the file is in another place (non-standard location) I'll
need to register that as a local customization to the file contexts (with
3) If the label is correct for the file I'll check if there's a boolean to
control (allow/deny) this action (example: there are booleans to allow ftp
server to serve from home directories or not etc...)
4) If there is no boolean and I'm 100% the access is needed...I'll create a
local custom-policy with audit2allow.
That's basically it.
On the other hand, there are situations like, for example, our RHEL servers
running Oracle databases. There's no way to run SELinux as Oracle won't
support it. I heard they're working on it and in future versions they might
support it (or maybe their current one I'm not sure). In other cases where we
use Symantec Netbackup (the client installed on all servers) we just needed to
change some labels on some specific libraries and that was all. Luckily this
was well documented and there were some KB articles about this.
There has been a lot of progress with SELinux lately. I think you should
reconsider your position and perhaps give it a try on the upcoming CentOS 6
where the targeted policy is much matured.
More information about the CentOS