On 03/16/2018 10:38 PM, Phil Perry wrote:
On 16/03/18 18:37, Alexander Dalloz wrote:
Am 16.03.2018 um 13:09 schrieb hw:
On 03/16/2018 12:14 PM, Richard Grainger wrote:
Yet again I could not find any documentation explaining how to do basic
things like this :( Selinux is more like a curse than anything else :(
Why is there not even a good documentation?
More trolling?
Show me a good documentation and/or name good reasons not to disable
selinux. Considering how much trouble it gives, there have to be
*very* good reasons to keep it enabled.
Would you turn off your firewall because you don't understand how it
works? Or any security feature for that matter?
That depends. If the anti-theft system of your car prevents you from
driving it, wouldn't you turn it off so you can drive to work?
Invest a few hours of your life reading the documentation. There are
plenty of good examples listed below.
You can't read documentation when you can't find it.
I've never had an SELinux problem I couldn't solve or work around in 2
minutes. Sometimes figuring out the *right* solution might take a little
longer, but turning it off is very rarely going to be the right solution.
I don't believe that. First you need to figure out if it's a selinux
related thing, and to do that, you need to figure out how to figure that
out. Once you figured it out, you need to figure out how to solve it.
That usually takes hours or even days.
Useful resources for SELinux:
http://wiki.centos.org/HowTos/SELinux
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
http://www.youtube.com/watch?v=bQqX3RWn0Yw
http://opensource.com/business/13/11/selinux-policy-guide
https://lists.centos.org/mailman/listinfo/centos
I've seen some of those, finding a hint here and there, but not a really
good documentation yet.
and don't forget the definitive Red Hat documentation here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/
SELinux User's and Administrator's Guide at the bottom of the page.
Download it and read it.
That looks promising, though it seems to make quite a hype of it. It
even says wrong things, like: Mandatory access control "enables
information to be protected from legitimate users with limited
authorization as well as from authorized users who have unwittingly
executed malicious applications."[1] Perhaps there are implementations
of MAC which do that; selinux does not. It's even a thing I've asked
about quite a while ago, and there didn't seem to be a way to achieve it
with selinux.
So what do you really gain from selinux, and is that worth all the
trouble and the hours spent to fix the problems it creates? What about
the impact on performance?
[1]:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-introduction
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos