On 11/27/2010 09:21 PM, John R. Dennison wrote:
> On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote:
>
>> The "working system" in that analogy is software, not necessarily nor
>> even likely to be the kernel itself. But yes, it can trash a
>> production critical web or software application that didn't follow the
>> sensible, but often poorly understood, policies of SELinux. This is
>> particularly common with 3rd party web applications, the sort of thing
>> we grab from Sourceforge and try ourselves. (Lilac, the Nagios
>> configuration tool, particularly comes to mind.)
>>
>> I'd have to dig back to rediscover the Lilac issues, but I remember
>> running out of time to sort them all out and having to leave SELinux
>> off of that server.
>>
> heh, fail.
>
> You run it in Permissive mode, you deal with the exceptions as
> they arise while the software is running in its normal
> environment and while it's running normally using any of the
> documented methods. You thoroughly test the application in such
> a manner and once you have ironed out any and all issues by
> putting together a custom policy, setting the right SELinux
> booleans, etc, you then enable Enforcing mode. There is really
> no reason that SELinux should have a negative impact on your
> application or server if you use Permissive first.
>
> John
>

I don't know how it is now - but I tried running in permissive mode a
few years ago. It would complain about some file, I would fix the file
and the next thing I knew it was complaining about the same file again,
and the file was part of the Red Hat installation. After that I gave up
and just turned it off.

-- 
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com