[CentOS] selinux on/off percentage

Mon Apr 2 15:37:17 UTC 2012
Ned Slider <ned at unixmail.co.uk>

On 02/04/12 15:10, Lamar Owen wrote:
> On Monday, April 02, 2012 08:51:46 AM Les Mikesell wrote:
>> Another statistic I'd like to see is how much admin time this costs on
>> the average to learn and implement.
>
> No more than proper firewalling techniques cost, really.
>
>> Has anyone really measured this?
>
> Probably not.
>
>>    Are there training courses specifically to cover it?   You might get
>> an idea from the length and cost of the training if it covers all the
>> quirks.   These days most of the built-in stuff is pre-configured for
>> someone's idea of working (apache not being able to send mail doesn't
>> match my definition, though...), but any third-party or local
>> additions to a targeted service will take time to set up.
>
> EL6 greatly improves the admin interface for SELinux with policycoreutils-gui as then all the booleans are quickly available (like the boolean that turns on or off httpd's ability to send e-mail (or connect to a network socket, etc)).  The booleans (at least most of them) are in EL5, but the interface isn't nearly as well documented (I know, many would like a TUI with the click boxes; maybe one is out there, maybe not; I'm not allergic to a remote GUI being available on a server).
>
> The documentation for EL6 is better in this regard as well.  But, really, if you're having an issue with httpd getting 'access denied' things, then you can simply:
> # getsebool -a |grep http
>
> The booleans have reasonable, and readable, names that make sense, for the most part.  Find the boolean that controls the feature you want, and use setsebool to set it to on.
>
> It's not hard, and the admin overhead once you're used to it is a few seconds at most.  It becomes another 'firewall-like' item to check off, really, as long as you do things at least in a semi-standard way.
>
> And ls -lZ is your friend, along with chcon.  It is one more step, but, honestly, it's not nearly as big a step as firewalling (ipchains/iptables) was ten/fifteen years ago.  At least not with EL6; but EL5U8 is better than EL5 GA was.
>

Wow, what a refreshing change. How nice it is to read a well balanced 
*informed* point of view on SELinux rather than the usual hysteria from 
those who can't be bothered to RTFM.

To get to the OP's original question - I'm guessing it's about the same 
percentage as the number of people who 10 years ago would turn off their 
firewall whenever they couldn't get something to work. Gradually over 
time they were convinced this was a bad idea and you needed a firewall. 
Likewise, you need SELinux so the sooner you get to grips with it the 
better. It's not *that* hard.
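The triage workflow the quoted post describes (getsebool -a piped through grep, then setsebool for the right boolean, and ls -lZ plus chcon for file labels) as an added shell example; this is not code from the thread or from either poster. The getsebool and ls -Z output embedded below is constructed sample text so the script runs on a box without SELinux; on a real EL host you would feed in the live output of those commands instead. The boolean names used in the sample (httpd_can_sendmail, httpd_can_network_connect, httpd_enable_homedirs, httpd_builtin_scripting) and the httpd_sys_content_t type are real targeted-policy identifiers, but the on/off states and file listing are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): triage an SELinux denial
# the way the post describes -- list the booleans that govern a service, see
# which are off, and compare a file's type label against the one the service
# expects. All sample output below is CONSTRUCTED so this runs offline.

# Constructed stand-in for `getsebool -a` output.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_sendmail --> off
httpd_enable_homedirs --> off
samba_enable_home_dirs --> off'

# Constructed stand-in for `ls -Z` output: mode user group context name.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 about.html'

# Print "name state" for booleans whose name matches the pattern,
# the offline equivalent of: getsebool -a | grep "$pattern"
find_booleans() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | awk -v pat="$1" '$1 ~ pat { print $1, $3 }'
}

# Names of matching booleans that are currently off: the candidates for
# "setsebool -P <name> on" once you have confirmed the denial is about that
# feature (and only that feature) rather than flipping them all.
off_booleans() {
    find_booleans "$1" | awk '$2 == "off" { print $1 }'
}

# Extract the SELinux type (third colon-separated field of the context)
# from a single ls -Z line.
type_of() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# For every file whose type differs from the expected one, print the chcon
# command that would relabel it. Nothing is executed; this is a review aid.
mislabelled() {
    expected="$1"
    printf '%s\n' "$SAMPLE_LS_Z" | while IFS= read -r line; do
        t=$(type_of "$line")
        f=$(printf '%s\n' "$line" | awk '{ print $5 }')
        [ "$t" = "$expected" ] || printf 'chcon -t %s %s\n' "$expected" "$f"
    done
}

echo "httpd booleans:";  find_booleans '^httpd_'
echo "currently off:";   off_booleans '^httpd_'
echo "label fixes for httpd_sys_content_t:"; mislabelled httpd_sys_content_t
```

Two practical notes on the commands the post names: setsebool needs -P for the change to survive a reboot, and chcon only changes the label on disk until the next relabel (restorecon or a full relabel will revert it), so for a directory the web server should own permanently the durable fix is a semanage fcontext rule followed by restorecon.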