[CentOS] SELinux - way of the future or good idea but !!!

Sat Nov 27 01:17:14 UTC 2010
Patrick Lists <centos-list at puzzled.xs4all.nl>

On 11/27/2010 01:53 AM, Eero Volotinen wrote:
> 2010/11/27 Alison<penguin at alisoncc.com>:
>> Hi,
>>
>> total newbie on CentOS. Just firing up an install of 5.5 on a development webserver. Installed Webmin, Awstats, PHPMyAdmin and Drupal successfully. Yet to work on Sendmail and Samba. SELinux in enforcing mode, reporting "SELinux preventing ifconfig (ifconfig_t) "read write" to /var/webminsessiondb.pag (var_t)".
>>
>> Googled the error message without real success in finding a fix - bug reports showing. Question is whether worth pursuing as SELinux is the way of the future. Or is SELinux a good idea that never really made its way into the sun. Thoughts please.
>
> Just turn selinux off. setenforce "0" works without rebooting server,
> but /etc/sysconfig/selinux is the correct place to finalize the setting.

What's with people recommending to turn off SELinux?! That's just bad 
advice and like recommending people keep their doors unlocked at all 
times. Really, stop doing that. SELinux is there for a reason.

Afaik Webmin does not have a very good reputation when it comes to 
security. With that in mind your advice makes Alison's box much more 
vulnerable.

My advice to Alison is to remove Webmin and use the tools that come with 
CentOS 5.5. Also make sure that phpMyAdmin can only be accessed from 
your local LAN, use strong passwords, turn on a tight firewall and do 
anything else that one should do to keep the bad guys from gaining 
illegal access to your server.

The NSA has some nice guides on how to keep your server secure. The guides
are on this page:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml

Regards,
Patrick