[CentOS] SELinux - way of the future or good idea but !!!

Sun Nov 28 12:06:15 UTC 2010
Marko Vojinovic <vvmarko at gmail.com>

On Sunday 28 November 2010 03:45:54 Nico Kadel-Garcia wrote:
> On Sat, Nov 27, 2010 at 9:21 PM, John R. Dennison <jrd at gerdesas.com> wrote:
> >        You run it in Permissive mode, you deal with the exceptions as
> >        they arise while the software is running in its normal
> >        environment and while it's running normally using any of the
> >        documented methods.  You thoroughly test the application in such
> >        a manner and once you have ironed out any and all issues by
> >        putting together a custom policy, setting the right SElinux
> >        booleans, etc, you then enable Enforcing mode.  There is really
> >        no reason that SElinux should have a negative impact on your
> >        application or server if you use Permissive first.
> 
> You forgot "take on becoming the SELinux integration manager for that
> project with every single update".

Every single update? Update of what?

SELinux policy updates do not modify any local policy configuration and 
settings (if you have them set up in a proper way). It works just as John 
explained above --- run SELinux in permissive mode in usual working 
environment and see if there are any denials. To begin with, if all other apps 
on your machine are ok, there shouldn't be any denials. If there are, it is 
typically either a bug in the app causing the denial, or insecure configuration 
settings for that app. In both cases it has nothing to do with SELinux and 
should be addressed elsewhere. SELinux is actually doing you a favor by 
pointing out security holes in your system. Still, if you decide that you 
want to use the buggy and insecure app/configuration, you can modify local 
SELinux settings to allow access. You do it once, and it works. Updating 
SELinux policy will not change that.

If you are talking about updating a custom app that keeps conflicting with 
SELinux, then it's the problem with the app itself --- collect all denials and 
report a bug upstream against that app. No program that works correctly should 
ever produce any denials. If upstream doesn't care, you chose a bad app for your 
system. Especially if it is a production system.

In either case, it doesn't require any serious maintenance time from the 
sysadmin. Just one afternoon to learn how to use SELinux properly.

HTH, :-)
Marko
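The permissive-first workflow John and Marko describe (run permissive, collect the denials, decide between a relabel, a boolean, or a custom module, then enforce) is easier to see with the denial-triage step written out. The script below is an added example and not code from the thread or from CentOS; it takes AVC lines in the format /var/log/audit/audit.log uses, groups them into unique (source type, class, permission, target type) tuples, and applies a small, assumed heuristic to sort them into "relabel", "boolean" and "module" buckets. The sample log lines are constructed for the example, and the triage rules are the author's simplification, not something the policy itself defines.

```shell
#!/bin/sh
# Added example (not from the original post): triage SELinux AVC denials
# gathered in permissive mode before deciding between restorecon, a boolean,
# or a custom module built with audit2allow.

# Constructed sample of audit.log lines; not captured from a real system.
SAMPLE_AVC='type=AVC msg=audit(1290945975.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1290945975.124:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev=sda1 ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1290945980.001:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1290945980.001:458): arch=c000003e syscall=42 success=yes exit=0'

# Read AVC lines on stdin and print "count src_type tclass perms tgt_type",
# one line per unique tuple, sorted. This is the grouping a sysadmin reviews
# before feeding anything to audit2allow.
summarize_avc() {
    awk '
    /^type=AVC / && /denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # permissions appear as "{ read }" or "{ read write }"
        if (match($0, /\{ [^}]* \}/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)      # keep the tuple a single field
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " cls " " perm " " tgt]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Assumed heuristic for the example (not from the post or the policy):
#  - httpd reading a file labelled user_home_t is almost always content copied
#    into the web root with the wrong label: fix with restorecon, not policy.
#  - a tcp_socket name_connect to a *_port_t type is normally covered by a
#    shipped boolean (setsebool), so check those before writing a module.
#  - anything else is a candidate for audit2allow -M <module>.
triage_avc() {
    summarize_avc | awk '
    $5 == "user_home_t" && $3 == "file"   { print "RELABEL", $0; next }
    $5 ~ /_port_t$/ && $3 == "tcp_socket" { print "BOOLEAN", $0; next }
    { print "MODULE", $0 }'
}

# Demo on the constructed sample only. On a real CentOS/RHEL host the same
# pipeline would be fed by the audit log, for example:
#   setenforce 0                                # permissive while testing
#   ausearch -m AVC -ts recent | triage_avc     # collect and group denials
#   restorecon -Rv /var/www                     # for RELABEL entries
#   setsebool -P httpd_can_network_connect_db on   # for BOOLEAN entries
#   ausearch -m AVC -ts recent | audit2allow -M mylocal && semodule -i mylocal.pp
#   setenforce 1                                # enforce once denials are gone
# None of those commands are run here.
printf '%s\n' "$SAMPLE_AVC" | triage_avc
```

Expected output for the constructed sample is one BOOLEAN line for the httpd_t to mysqld_port_t connect and one RELABEL line for the two reads of user_home_t files. The point of grouping before generating a module is the one Marko makes: a denial caused by a mislabelled file or a missing boolean is not a reason to write allow rules, and audit2allow will happily turn such denials into overly broad policy if they are fed to it unreviewed.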