On Mon, 2005-11-14 at 16:28 -0700, Craig White wrote:
> I was a bit ticked off about it actually. I asked a simple question
> about the messages I was getting and find 30 messages debating the value
> of selinux on my thread and one response to tell me to look at the
> documentation that I had read through a million times and understood
> very little.

Actually, there were a few "disable" responses, nothing big, but nothing
too negative. Then Peter got on his high horse so I, of course, had to
get on a higher one (you know me ;-).

I think you pegged it on the nose, the Fedora topic-specific lists tend
to be far more helpful. God knows I learn a lot just from lurking on
various lists -- from x86-64 to DeviceMapper to SELinux.

> It probably wouldn't have been so bad if the topic hadn't been debated
> monthly and the same people saying the same things and thus no
> enlightenment.

I agree. I could have summarized my comments in 1-2 posts, instead of
the tit-for-tat. My apologies. I did wait initially, because most of
the posts were just "disable" and left it at that. But once I see more
"absolutist" attitudes, I tend to cop one myself.

I like to think my analogy to a firewall is fairly accurate. SELinux is
like a deny-all outgoing firewall -- it's just going to break things no
matter what you do. If you put it in permissive mode, like an allow-all
outgoing, fewer things are going to break -- and fewer things need to be
accommodated. Targeted is more like disallowing certain protocols from
getting out. It's what most people choose when they really don't have
time to deal with testing. But some things will always break,
_regardless_ of what is and isn't enabled -- even if just part of the
system is enabled.

> Anyway...the solution...(Note - I also included my solution to MySQL)
> for the record...
>
> # cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - SELinux is fully disabled.
> SELINUX=Enforcing
> # SELINUXTYPE= type of policy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted
>
> # yum install selinux-targeted-policy-sources
> # cat /etc/selinux/targeted/src/policy/domains/local.te
> ## http to mysql
> allow httpd_t initrc_t:unix_stream_socket connectto;
> ## dbus
> allow unconfined_t initrc_t:dbus send_msg;
> # cd /etc/selinux/targeted/src/policy
> # make reload
>
> Now all of those arrogant people who want to just shut off SELinux
> because they either:
> a. Feel they can secure their systems without it
> b. Don't understand enough of it to justify using it
> c. Can't be bothered
>
> Please don't advise people to just shut it off. Tell them to set SELinux
> to 'permissive'

And I think that's the best suggestion. It gives you a lot of the
warnings, and is good for post-compromises (when they do occur).

> You may all resume your debate now... ;-)
> Trust me it won't solve anything.

You're right, as usual Craig. I'll work on making my points in 1-2
posts and leave it at that.

-- 
Bryan J. Smith                b.j.smith@xxxxxxxx
http://thebs413.blogspot.com
----------------------------------------------------------------------
The best things in life are NOT free - which is why life is easiest if
you save all the bills until you can share them with the perfect woman
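As an added example that is not part of this thread, a small Python checker for the two fragments Craig pasted: it parses the /etc/selinux/config key=value lines and the local.te allow rules into structured form, so a reviewer can see exactly which source domain is granted which permissions on which object class before running `make reload`. The sample inputs are constructed from the mail, and the case-insensitive comparison of the SELINUX= value is an assumption of this example, not something the thread states.

```python
"""Parse an /etc/selinux/config fragment and a local.te allow-rule fragment."""
import re
from typing import NamedTuple

VALID_MODES = {"enforcing", "permissive", "disabled"}
VALID_TYPES = {"targeted", "strict"}

# Constructed sample inputs modelled on the mail (not read from any real host).
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=Enforcing
SELINUXTYPE=targeted
"""
SAMPLE_TE = """\
## http to mysql
allow httpd_t initrc_t:unix_stream_socket connectto;
## dbus
allow unconfined_t initrc_t:dbus send_msg;
"""

class AllowRule(NamedTuple):
    source: str       # subject domain, e.g. httpd_t
    target: str       # object type, e.g. initrc_t
    obj_class: str    # object class, e.g. unix_stream_socket
    perms: tuple      # permissions granted on that class

def parse_config(text):
    """Return {'SELINUX': mode, 'SELINUXTYPE': ptype}, lower-cased and validated."""
    kv = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, val = line.partition("=")
            kv[key.strip()] = val.strip().lower()  # assumption: case-insensitive
    mode, ptype = kv.get("SELINUX"), kv.get("SELINUXTYPE")
    if mode not in VALID_MODES:
        raise ValueError(f"SELINUX must be one of {sorted(VALID_MODES)}, got {mode!r}")
    if ptype not in VALID_TYPES:
        raise ValueError(f"SELINUXTYPE must be one of {sorted(VALID_TYPES)}, got {ptype!r}")
    return {"SELINUX": mode, "SELINUXTYPE": ptype}

# Matches `allow src tgt:class perm;` and `allow src tgt:class { p1 p2 };`
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+\{?\s*([^;}]+?)\s*\}?\s*;$")

def parse_allow_rules(text):
    """Turn TE allow statements into AllowRule tuples; reject anything else."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised TE statement: {line}")
        src, tgt, cls, perms = m.groups()
        rules.append(AllowRule(src, tgt, cls, tuple(perms.split())))
    return rules
```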