On Saturday 27 November 2010 18:57:50 Benjamin Franz wrote:
> On 11/26/2010 05:17 PM, Patrick Lists wrote:
> > What's with people recommending to turn off SELinux?! That's just bad
> > advice and like recommending people keep their doors unlocked at all
> > times. Really, stop doing that. SELinux is there for a reason.
>
> SELinux is like an automatic collision avoidance system for an airplane
> that unpredictably crashes the plane during normal flight. While the
> basic idea is good, until it stops crashing planes without warning it
> isn't going to be accepted.

I don't understand this analogy. I have never seen SELinux crashing the
system or doing some damage otherwise. What experience do you have with
SELinux crashing anything on a working system?

> It is not enough that it mitigates certain classes of attacks when it
> actively breaks running systems *more often* than it mitigates attacks.
> And that is my personal experience. Every year or two I try turning it
> on on a few systems. And then, after it suddenly decides to break a
> previously stable system - it gets turned back off.

If your system was running for some time with SELinux disabled (not in
permissive mode, but disabled), turning it on without doing a proper
relabeling of the filesystem is known to be a very Bad Idea. Typically
all problems that occur in this situation can be eliminated by relabeling
the whole filesystem once. Maybe that was the step you missed?

HTH, :-)
Marko
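
The relabel step described in the message above, as an added example that is not part of the original thread: a shell helper that detects a "disabled" SELinux config and schedules a full filesystem relabel for the next boot. The function names, the root-prefix argument, the use of the /.autorelabel flag file, and the choice to stage through permissive mode are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). The root prefix argument is hypothetical;
# it lets the functions be tried on a scratch directory, not the live system.

# Print the SELINUX= value from a config file, lowercased (last one wins).
# SELINUXTYPE= lines are not matched because '=' must follow "SELINUX".
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# If the config says "disabled", switch it to permissive and schedule a full
# relabel for the next boot. Assumption: the /.autorelabel flag file is
# honoured at boot (RHEL/CentOS behaviour).
prepare_reenable() {
    root=${1:-}
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo "no-config"; return 2; }
    case "$(selinux_config_mode "$cfg")" in
        disabled)
            # Permissive first: files are still unlabeled until the relabel
            # boot finishes, so log denials instead of enforcing them.
            sed -i.bak 's/^\([[:space:]]*SELINUX=\).*/\1permissive/' "$cfg"
            : > "$root/.autorelabel"
            echo "relabel-scheduled" ;;
        permissive|enforcing)
            echo "already-enabled" ;;
        *)
            echo "unknown-mode"; return 1 ;;
    esac
}

# Run against the real system only when asked: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    prepare_reenable ""
fi
```

Once the relabel boot has completed, SELINUX= can be changed from permissive to enforcing.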