[CentOS] SELinux - way of the future or good idea but !!!
Steve Clark
sclark at netwolves.com
Mon Nov 29 12:11:07 UTC 2010
On 11/27/2010 09:21 PM, John R. Dennison wrote:
> On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote:
>
>> The "working system" in that analogy is software, not necessarily nor
>> even likely to be the kernel itself. But yes, it can trash a
>> production critical web or software application that didn't follow the
>> sensible, but often poorly understood, policies of SELinux. This is
>> particularly common with 3rd party web applications, the sort of thing
>> we grab from Sourceforge and try ourselves. (Lilac, the Nagios
>> configuration tool, particularly comes to mind.)
>>
>> I'd have to dig back to rediscover the Lilac issues, but I remember
>> running out of time to sort them all out and having to leave SELinux
>> off of that server.
>>
> heh, fail.
>
> You run it in Permissive mode, you deal with the exceptions as
> they arise while the software is running in its normal
> environment and while it's running normally using any of the
> documented methods. You thoroughly test the application in such
> a manner and once you have ironed out any and all issues by
> putting together a custom policy, setting the right SELinux
> booleans, etc, you then enable Enforcing mode. There is really
> no reason that SELinux should have a negative impact on your
> application or server if you use Permissive first.
>
> John
I don't know how it is now - but I tried running in permissive mode a
few years ago. It would complain about some file, I would fix the file
and the next thing I knew it was complaining about the same file again,
and the file was part of the Red Hat installation. After that I gave up
and just turned it off.
--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
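
The Permissive-mode workflow quoted above starts with reading the denials the kernel logs. As an added example (not code from anyone in this thread), this Python script groups AVC denials by source type, target type and object class, and counts repeats so a file that keeps reappearing stands out. The log lines, the `app.conf` name and the function names are constructed for illustration; the printed lines mirror allow-rule syntax for review only and are not a replacement for the documented policy tools.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the thread): denials logged while
# the host runs in Permissive mode, so the accesses themselves still succeed.
SAMPLE_LOG = '''\
type=AVC msg=audit(1291032001.101:210): avc:  denied  { read } for  pid=2101 comm="httpd" name="app.conf" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1291032001.101:210): arch=c000003e syscall=2 success=yes exit=5 comm="httpd"
type=AVC msg=audit(1291032001.102:211): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/etc/app/app.conf" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1291035600.440:305): avc:  denied  { read } for  pid=2377 comm="httpd" name="app.conf" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1291035601.007:306): avc:  denied  { name_connect } for  pid=2377 comm="httpd" dest=5667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= avc.keys():
        return None
    avc['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is what policy rules use.
    avc['stype'] = avc['scontext'].split(':')[2]
    avc['ttype'] = avc['tcontext'].split(':')[2]
    return avc


def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0, 'objects': set()})
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        entry = groups[(avc['stype'], avc['ttype'], avc['tclass'])]
        entry['perms'].update(avc['perms'])
        entry['count'] += 1
        obj = avc.get('path') or avc.get('name')
        if obj:
            entry['objects'].add(obj)
    return dict(groups)


def candidate_rules(summary):
    """Render each group in allow-rule syntax so it can be reviewed."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(e['perms'])))
            for (s, t, c), e in sorted(summary.items())]


if __name__ == '__main__':
    for rule in candidate_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

A group whose target type looks wrong for the file (a label problem) is usually better fixed by relabelling than by allowing the access, which is why the target type is kept visible next to each object name.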