Re: SELinux - way of the future or good idea but !!!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote:
> 
> The "working system" in that analogy is software, not necessarily nor
> even likely to be the kernel itself. But yes, it can trash a
> production critical web or software application that didn't follow the
> sensible, but often poorly understood, policies of SELinux. This is
> particularly common with 3rd party web applications, the sort of thing
> we grab from Sourceforge and try ourselves. (Lilac, the Nagios
> configuration tool, particularly comes to mind.)
> 
> I'd have to dig back to rediscover the Lilac issues, but I remember
> running out of time to sort them all out and having to leave SELinux
> off of that server.

	heh, fail.

	You run it in Permissive mode, you deal with the exceptions as
	they arise while the software is running in its normal
	environment and while its running normally using any of the
	documented methods.  You thoroughly test the application in such
	a manner and once you have ironed out any and all issues by
	putting together a custom policy, setting the right SElinux
	booleans, etc, you then enable Enforcing mode.  There is really
	no reason that SElinux should have a negative impact on your
	application or server if you use Permissive first.





							John
-- 
It is not bigotry to be certain we are right; but it is bigotry to be unable
to imagine how we might possibly have gone wrong.

-- G. K. Chesterton

Attachment: pgpWSvrIuvD0R.pgp
Description: PGP signature

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux