[CentOS] SELinux - way of the future or good idea but !!!

Steve Clark sclark at netwolves.com
Mon Nov 29 12:11:07 UTC 2010

On 11/27/2010 09:21 PM, John R. Dennison wrote:
> On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote:
>> The "working system" in that analogy is software, not necessarily nor
>> even likely to be the kernel itself. But yes, it can trash a
>> production critical web or software application that didn't follow the
>> sensible, but often poorly understood, policies of SELinux. This is
>> particularly common with 3rd party web applications, the sort of thing
>> we grab from Sourceforge and try ourselves. (Lilac, the Nagios
>> configuration tool, particularly comes to mind.)
>> I'd have to dig back to rediscover the Lilac issues, but I remember
>> running out of time to sort them all out and having to leave SELinux
>> off of that server.
> 	heh, fail.
> 	You run it in Permissive mode, you deal with the exceptions as
> 	they arise while the software is running in its normal
> 	environment and while its running normally using any of the
> 	documented methods.  You thoroughly test the application in such
> 	a manner and once you have ironed out any and all issues by
> 	putting together a custom policy, setting the right SElinux
> 	booleans, etc, you then enable Enforcing mode.  There is really
> 	no reason that SElinux should have a negative impact on your
> 	application or server if you use Permissive first.
> 							John
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
I don't know how it is now - but I tried running in permissive mode a 
few years ago. It would complain about some
file, I would fix the file and the next thing I knew it was complaining 
about the same file again, and the file was part
of the redhat installation. After that I gave up and just turned it off.

Stephen Clark
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20101129/4b84daa3/attachment.html>

More information about the CentOS mailing list