On 11/27/2010 09:21 PM, John R. Dennison wrote:
On Sat, Nov 27, 2010 at 08:23:34PM -0500, Nico Kadel-Garcia wrote:
The "working system" in that analogy is software, not necessarily nor
even likely to be the kernel itself. But yes, it can trash a
production critical web or software application that didn't follow the
sensible, but often poorly understood, policies of SELinux. This is
particularly common with 3rd party web applications, the sort of thing
we grab from Sourceforge and try ourselves. (Lilac, the Nagios
configuration tool, particularly comes to mind.)
I'd have to dig back to rediscover the Lilac issues, but I remember
running out of time to sort them all out and having to leave SELinux
off of that server.
heh, fail.
You run it in Permissive mode, you deal with the exceptions as
they arise while the software is running in its normal
environment and while its running normally using any of the
documented methods. You thoroughly test the application in such
a manner and once you have ironed out any and all issues by
putting together a custom policy, setting the right SElinux
booleans, etc, you then enable Enforcing mode. There is really
no reason that SElinux should have a negative impact on your
application or server if you use Permissive first.
John
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
I don't know how it is now - but I tried
running in permissive mode a few years ago. It would complain about some
file, I would fix the file and the next thing I knew it was complaining
about the same file again, and the file was part
of the redhat installation. After that I gave up and just turned it off.
|
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
