On 3 January 2012 02:30, Bennett Haselton <bennett at peacefire.org> wrote: > In other words, when SELinux causes a problem, it can take hours or days > to find out that SELinux is the cause -- and even then you're not done, > because you have to figure out a workaround if you want to fix the > problem while keeping SELinux turned on. Unfortunately, good security is hard. I didn't understand SELinux a few years back and turned it off but didn't realise that a php application on my webserver left me vulnerable. Sure enough, one day I was attacked but luckily I had set the permissions up very tightly and they were unable to cause any damage. These days, I wouldn't leave it to chance and would keep SELinux as an additional layer of security; yes it's annoying at times, yes it can be difficult to get right but investing a few hours now is better than taking your critical systems down for days in the future. There are lots of resources out there to help you understand it - ones I have used in the past include: http://www.amazon.co.uk/SELinux-Source-Security-Enhanced-Linux/dp/0596007167/ref=sr_1_2?ie=UTF8&qid=1325582583&sr=8-2 http://www.ibm.com/developerworks/linux/library/l-selinux/ http://www.ibm.com/developerworks/linux/library/l-rbac-selinux/ SELinux isn't a panacea and should be combined with other security precautions, but it will help you when the attackers come knocking on your server if you take the time to configure it properly. Ben