Re: SELinux - way of the future or good idea but !!!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

On 30/11/10 03:52, cpolish@xxxxxxxxxxxx wrote:
> Christopher Chan wrote:
>> Les Mikesell wrote:
[...snip...]
>> As was already mentioned in another post, run in permissive mode, for a 
>> few days if you must, and go through all the things the software does 
>> and voila! setroubleshoot and/or logs tell you what needs doing.
> 
> Very optimistic, that. In my shop, some things run annually.
> A comprehensive system test = production, for a year. Just
> this morning a 1099 (annual tax-form) script failed in test. 

So you would rather disable SELinux completely - 365 days a year, rather
than to switch to permissive mode when running this script once a year?

I'm sorry, but I'm not able follow that logic.

In fact after running successfully in permissive mode once, you should
be able to figure out what your script does, use audit2allow and get a
proper SELinux module for it ready in the matter of minutes or hours
(depending on how invasive the script is).


kind regards,

David Sommerseth

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux