On Tue, 6 Sep 2011, John Doe wrote: > Nothing wrong; I already read it, and will read the redhat doc... > Just looking for all the doc I can find on the subject. > And maybe also for the hidden secret magic button that will auto-write > the hundreds custom policies we will need... > Creating a custom policy for an apache to use a non standard rootdir or > port seems indeed easy with audit2allow... But several of our servers > are more or less 10% standard (rpm based) and 90% custom, with dozens > of apps/scripts listening on dozens non standard ports, sockets, accessing > many files here and there... > So the task is a bit daunting. > > This illustrates a point I was making to Russ offlist...the only way I see to implement selinux in an 'enterprise' environment is to do it on a major version revision. And you will need buy in up to the 'C' level to beat back the murderous hordes of programmers and admins whose stuff will 'break'. Or you sign up to an endless treadmill of piecemeal selinux admin. (IMO selinux is great...) ---------------------------------------------------------------------- Jim Wildman, CISSP, RHCE jim at rossberry.com http://www.rossberry.net "Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine