Bob Hoffman wrote:
> On 6/22/2012 9:50 AM, m.roth at 5-cent.us wrote:
>> Bob Hoffman wrote:
>>> On 6/21/2012 12:44 PM, Keith Roberts wrote:
>>>> On Thu, 21 Jun 2012, Bob Hoffman wrote:
>>>>> From: Bob Hoffman<bob at bobhoffman.com>
>>>>>
<snip>
>> Another thing to consider (and I really, really don't enjoy suggesting
>> it), is selinux. Turn it on to at least permissive, and it'll bitch and
>> moan if something's changed. Turn it to enforcing, and *nothing* will be
>> allowed to be changed. It is, however, a royal pain to configure, esp.
>> when you want to be able to allow a directory for users to put pics.
>>
> Would love to use SElinux. I searched high and low for any kind of
> manual and there was none.

Look for RHEL's 5 or 6; there's professional documentation. Not that
anything's that wonderful. There's also the selinux list.
<snip>
> One thing I learned...SElinux in permissive mode only gives a warning
> once for an issue...and never again. Makes it hard
> to play with it that way, would prefer a constant error variable to keep
> them coming.

Not true. It will issue an AVC every time something tries to happen.

Big things to know:
a) ll -Z shows you the selinux context
b) chcon [-R] -[urt] <whatever> <file or directory>
c) getsebool and setsebool

      mark