SELinux?

Arpotu arpotu at apathynews.com
Fri Nov 2 14:23:57 UTC 2007


I agree that selinux is a step in the right direction, since it starts to
get past that "root owns everything" paradigm, but I would be much more
comfortable with it if I could *easily* view, create, and adjust
policies/context.  As it stands now, selinux is a patch, not a fix.  For
example, on reboot my mysql server doesn't start, but selinux isn't
mentioned as a culprit during boot.  As a result I spend time
investigating *other* problems, then finally disable selinux to see if it
works.  Voila!  So, now I can restorecon on mysql, reenable selinux and
all is well - Except that I had to GUESS at the cause.

Selinux (and its current state of integration with RedHat) isn't quite
there yet.

Cheers,
Arpotu.


> On Wed, October 31, 2007 9:58 pm, mark wrote:
>> Bill Hillier wrote:
>>> NFlorez at sdcwa.org wrote:
>>>> How do I disable and enable Selinux?
>>>>
>>> setenforce command ....
>>>
>>> setenforce 0
>>> setenforce 1
>>
>> And reboot. And forget about it. It's a honkin' pain in the neck, unless
>> you're running a completely canned system, and the users are only allowed
>> to do what you've allowed them to do. May be fine for, oh, the Pentagon or
>> the CIA, but in the real world, it's security through making it next to
>> impossible to *do* anything.
>
> Is it a pain sometimes? You betcha. I think it's worth it, though. I have,
> on occasion been stopped temporarily from doing what I wanted to do, but
> now that I understand better how it works, I have no problems with it.
> If someone *does* manage to crack in and take over, let's say apache, I'll
> be very glad I didn't 'setenforce 0'.
>
> Just my $0.02 worth.
>
> Bill