[rhelv6-list] selinux (not quite) disabled?

Fri Dec 3 15:17:41 UTC 2010

It is maybe a bit difficult to get started, but it is doable on
a server as well.  I am beginning a transition from Solaris 10
to RHEL6 for our main server and have found that it just takes
dealing with each new issue once.  Your best friend is the
sealert -a command applied to the audit log.  I have (so far)
only had to make one local SELinux policy and had to make use
of chcon in a few other situations.

Admittedly, this is much easier because I am able to start
from scratch with a system that will not be deployed until
I am happy with it.  But, I think that having SELinux running
will be a considerable asset.

Andy

On Fri, 2010-12-03 at 08:16 -0600, Greg_Swift at aotx.uscourts.gov wrote:
> i'm not saying I've succeeded in convincing people to let me run SELinux in
> enforcing anywhere, but think about the argument you just made:
> 
> "I've got it [SELinux] enabled on my desktop and laptops", which while
> useful, aren't as ready of targets for hackers (we are talking Linux not
> Windows)..  Desk/laptop environments are also more broad and varied in
> software that is run and the potential that you will run into SELinux
> issues (such as jch's dropbox issue).
> 
> "on my servers though...[i have it disabled]..." However most servers are
> ready targets, with ports open and attractive to someone trying to break
> in.  Servers tend to have a stable software configuration and use cases,
> leading to SELinux being easier to maintain in the long run since behavior
> patterns aren't as likely to change constantly.  Yes, easier by comparison,
> and not saying its "easy".
> 
> -greg
> 
> rhelv6-list-bounces at redhat.com wrote on 12/03/2010 06:34:52 AM:
> 
> >
> > Right. I've got it enabled on my desktop and laptops. On servers
> though...
> >
> > Sent from my iPhone
> >
> > On Dec 3, 2010, at 5:08 AM, "John Haxby" <john.haxby at gmail.com<
> > mailto:john.haxby at gmail.com>> wrote:
> >
> >
> >
> > On 3 December 2010 00:59, Marti, Robert <<mailto:RJM002 at shsu.edu
> > >RJM002 at shsu.edu<mailto:RJM002 at shsu.edu>> wrote:
> > SELinux scares people, to put it simply. Instead of fixing thinks to
> > work with it, it gets disabled so no one has to deal with it. I'd
> > rather fix it, but the normal complaint is lack of time to do it
> > right. I normally set it to permissive mode and make a note to come
> > back and address the issues later. So far later hasn't come.
> >
> >
> > This is an argument I have sympathy with.
> >
> > However, just short of three years ago I decided enough was enough
> > and I was going to get to grips with this thing on my laptop.  So I
> > left selinux enabled.when I installed whatever was the current
> > Fedora at the time.
> >
> > As I recall, the only problem I had was with the web server I was
> > running(*)   Fixing that was a matter of ten minutes between me and
> > google.   Since that time I've picked up other selinux stuff
> > incrementally — I'm far from being an expert but I'm not afraid of
> > selinux any more and I can make use of it after a fashion.   (Fedora
> > 14 has a problem with some 32 bit apps and selinux but I can live
> > without dropbox for the moment.)
> >
> > jch
> >
> >
> > * yes, on a laptop: you have problem with that? :-)