[CentOS] SELinux - way of the future or good idea but !!!

Sat Nov 27 00:56:14 UTC 2010
John R. Dennison <jrd at gerdesas.com>

On Sat, Nov 27, 2010 at 10:58:00AM +1100, Alison wrote:
> Hi,
> 
> total newbie on CentOS. Just firing up an install of 5.5 on a
> development webserver. Installed Webmin, Awstats, PHPMyAdmin and
> Drupal successfully. Yet to work on Sendmail and Samba. SELinux in
> enforcing mode, reporting "SELinux preventing ifconfig (ifconfig_t)
> "read write" to /var/webminsessiondb.pag (var_t)".

	There is a reason that control panels are effectively
	unsupported; you just hit on one of those reasons.  Although I
	must admit I don't fully grasp why webmin is referencing
	ifconfig_t.

> Googled the error message without real success in finding fix - bug
> reports showing. Question is whether worth pursuing as SELinux is the
> way of the future. Or is SELinux a good idea that never really made
> its way into the sun. Thoughts please.

	There are only a small number of corner cases in which SELinux
	is not appropriate; for all other cases it should be enabled.

	It exists for a reason and is shipped fully enabled for a
	reason.  Being able to limit access based on contexts and roles
	is an incredibly powerful tool which greatly improves the
	security of your server and the integrity of your data.

	Following is a list of very useful SELinux resources.

	http://wiki.centos.org/HowTos/SELinux
	http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
	http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
	http://fedorasolved.org/security-solutions/selinux-module-building
	http://centoshelp.org/security/selinux-common-commands-troubleshooting

	Some quality time with these resources will allow you to correct
	the SELinux exception you listed above and also give you a much
	better understanding of SELinux as a whole.




							John
-- 
The best argument against democracy is a five minute conversation
with the average voter.

-- Winston Churchill
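
Added example, not part of the original post and not code from CentOS or Webmin: a small Python triage script for denials like the one reported above. It parses AVC records in audit.log format, groups them by source type, target type and class, and flags targets that carry a catch-all type such as var_t, where the file's labeling is usually the first thing to check before considering an allow rule. The log lines are constructed (only the command, path, types and permissions come from the report), and GENERIC_TYPES is an assumed list.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format. Only comm, path, types and permissions
# come from the report; pid, inode, device, timestamps, user/role are made up.
SAMPLE_LOG = '''\
type=AVC msg=audit(1290815774.101:311): avc:  denied  { read write } for  pid=4021 comm="ifconfig" path="/var/webminsessiondb.pag" dev=dm-0 ino=98345 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1290815774.101:311): arch=40000003 syscall=11 success=yes exit=0 comm="ifconfig" exe="/sbin/ifconfig"
type=AVC msg=audit(1290815780.554:312): avc:  denied  { read write } for  pid=4030 comm="ifconfig" path="/var/webminsessiondb.pag" dev=dm-0 ino=98345 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
'''

# Catch-all types (assumed list): an allow rule on one of these would be broad.
GENERIC_TYPES = {"var_t", "default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line) if line.startswith("type=AVC") else None
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }

def summarize(log_text):
    """Group denials by (source type, target type, class); flag generic targets."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "paths": set()})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        g["paths"].add(rec["path"])
    return {k: dict(v, generic_target=k[1] in GENERIC_TYPES) for k, v in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), info in summarize(SAMPLE_LOG).items():
        note = "generic target label: check file labeling" if info["generic_target"] else ""
        print(src, "->", tgt, cls, sorted(info["perms"]), sorted(info["paths"]), info["count"], note)
```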