[CentOS] SELinux - way of the future or good idea but !!!
vvmarko at gmail.com
Mon Nov 29 08:14:39 EST 2010
On Monday 29 November 2010 00:55:47 Nico Kadel-Garcia wrote:
> On Sun, Nov 28, 2010 at 10:39 AM, Bob McConnell <rmcconne at lightlink.com>
> >> fault of SELinux, and advocating that SELinux is bad because some
> >> manager doesn't know about security is completely wrong IMHO. And
> >> supporting advice given to people on this list to turn off SELinux
> >> because some devs in some company don't do their job right is also
> >> completely wrong.
> No, I question its utility because the engineering effort is
> burdensome, it wastes testing cycles best spent elsewhere, and the
> error messages are.... less than helpful.
Just a small suggestion regarding the error messages --- take a look at
setroubleshoot, it was designed to help out with making AVC denials more
human-friendly. And it typically works quite well.
When triggered by a denial, setroubleshoot alerts the user, explains what went
wrong, why it went wrong and what options you have for fixing it. All that in
nice plain English :-). Typically it also tells you the exact set of commands
you need to execute if you wish to modify the policy to allow that particular
access. If you are aware of the risks and know what you are doing, a couple of
copy&paste commands in the root prompt removes the SELinux restrictions for
good. It also works in permissive mode, if you wish to tweak your local policy
without impacting a runtime environment.
Of course, it is not always a good idea to modify the policy (it would be
better to remove the problem at app/config level), but sometimes one doesn't
have a choice, as in your case. :-)
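As an added illustration of the triage described above (this is example code, not part of the original post and not setroubleshoot's or audit2allow's own code): a small POSIX shell/awk script that pulls the source type, target type, object class and requested permissions out of AVC denial records and formats them as the kind of allow rule audit2allow would propose. The audit lines are constructed for the example.

```shell
#!/bin/sh
# Constructed sample audit records (not from a real host): two denials for
# httpd plus an unrelated SYSCALL record that must be ignored.
AVC_SAMPLE='type=AVC msg=audit(1291036479.123:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1291036480.456:43): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1291036480.456:43): arch=c000003e syscall=42 success=no exit=-13'

# avc_summary: reads audit records on stdin and prints one line per denial:
#   <source type> <target type> <class> <perm[,perm...]> comm=<program>
# The type is the third colon-separated field of an SELinux context
# (user:role:type:level), which is what a policy rule is written against.
avc_summary() {
    grep 'avc: *denied' | awk '{
        perms = ""; inperm = 0; comm = ""; s = ""; t = ""; c = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            split($i, kv, "=");
            if (kv[1] == "comm")     { gsub(/"/, "", kv[2]); comm = kv[2] }
            if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
            if (kv[1] == "tclass")   { c = kv[2] }
        }
        printf "%s %s %s %s comm=%s\n", s, t, c, perms, comm
    }'
}

# avc_to_rules: turns the summary into the allow rules a local policy module
# would need. As the post says, check first whether the real fix is at the
# app/config level (e.g. a mislabelled file or a boolean) before loosening policy.
avc_to_rules() {
    avc_summary | awk '{
        gsub(/,/, " ", $4);
        printf "allow %s %s:%s { %s };\n", $1, $2, $3, $4
    }'
}

# Usage: printf '%s\n' "$AVC_SAMPLE" | avc_summary
#        printf '%s\n' "$AVC_SAMPLE" | avc_to_rules
```

In practice you would feed it `ausearch -m avc` output or /var/log/audit/audit.log rather than the embedded sample.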