[rhelv6-list] selinux (not quite) disabled?

Greg_Swift at aotx.uscourts.gov
Fri Dec 3 16:06:00 UTC 2010


Obviously a server is likely to have more than just an out of the box
configuration.

But anyways... if I remember correctly, wasn't one of the changes in the
RHEL6 SELinux the ability to section off where SELinux is enforcing versus
not, so that it isn't an all or nothing thing?

-greg

"Marti, Robert" <RJM002 at shsu.edu> wrote on 12/03/2010 09:31:55 AM:

> Servers get weird applications that don't come with SELinux
> contexts, weird placement of files, etc...
>
> I rarely use anything on my laptops/desktop that isn't in the Fedora
> repos. On my servers, however, I have things like Oracle,
> Blackboard, dotCMS, and other apps that don't play nice -at all- with
> SELinux. Sure, fewer things change on a daily basis, but there's
> *far* more of a starting curve.
>
> Sent from my iPhone
>
> On Dec 3, 2010, at 8:48 AM, "Greg_Swift at aotx.uscourts.gov"
> <Greg_Swift at aotx.uscourts.gov> wrote:
>
> > I'm not saying I've succeeded in convincing people to let me run SELinux in
> > enforcing anywhere, but think about the argument you just made:
> >
> > "I've got it [SELinux] enabled on my desktop and laptops", which while
> > useful, aren't as ready of targets for hackers (we are talking Linux not
> > Windows). Desk/laptop environments are also more broad and varied in
> > software that is run and the potential that you will run into SELinux
> > issues (such as jch's dropbox issue).
> >
> > "on my servers though...[I have it disabled]..." However most servers are
> > ready targets, with ports open and attractive to someone trying to break
> > in. Servers tend to have a stable software configuration and use cases,
> > leading to SELinux being easier to maintain in the long run since behavior
> > patterns aren't as likely to change constantly. Yes, easier by comparison,
> > and not saying it's "easy".
> >
> > -greg
> >
> > rhelv6-list-bounces at redhat.com wrote on 12/03/2010 06:34:52 AM:
> >
> >>
> >> Right. I've got it enabled on my desktop and laptops. On servers though...
> >>
> >> Sent from my iPhone
> >>
> >> On Dec 3, 2010, at 5:08 AM, "John Haxby" <john.haxby at gmail.com> wrote:
> >>
> >>
> >>
> >> On 3 December 2010 00:59, Marti, Robert <RJM002 at shsu.edu> wrote:
> >> SELinux scares people, to put it simply. Instead of fixing things to
> >> work with it, it gets disabled so no one has to deal with it. I'd
> >> rather fix it, but the normal complaint is lack of time to do it
> >> right. I normally set it to permissive mode and make a note to come
> >> back and address the issues later. So far later hasn't come.
> >>
> >>
> >> This is an argument I have sympathy with.
> >>
> >> However, just short of three years ago I decided enough was enough
> >> and I was going to get to grips with this thing on my laptop.  So I
> >> left selinux enabled when I installed whatever was the current
> >> Fedora at the time.
> >>
> >> As I recall, the only problem I had was with the web server I was
> >> running(*). Fixing that was a matter of ten minutes between me and
> >> google. Since that time I've picked up other selinux stuff
> >> incrementally, and I'm far from being an expert but I'm not afraid of
> >> selinux any more and I can make use of it after a fashion. (Fedora
> >> 14 has a problem with some 32 bit apps and selinux but I can live
> >> without dropbox for the moment.)
> >>
> >> jch
> >>
> >>
> >> * yes, on a laptop: you have problem with that? :-)
> >> _______________________________________________
> >> rhelv6-list mailing list
> >> rhelv6-list at redhat.com
> >> https://www.redhat.com/mailman/listinfo/rhelv6-list