Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux




On 05/26/2010 08:44 AM, Benjamin Franz wrote:
>
> I can make a useful argument from experience. Over the last few years,
> as Red Hat has progressively deployed SELinux, I have had *several*
> incidents (the most recent only a few weeks ago) where updates to
> SELinux broke existing, stable, systems. Each time sucking up hours of
> my time to diagnose and fix. And (as in this incident) there are not
> always useful error messages to track it with.

Except that in this incident, there WERE useful error messages.  The OP 
simply didn't know that he needed to look in /var/log/audit/audit.log.

> The *theoretical* system security improvement of SELinux is trumped by
> the *practical* observation that I have had existing systems broken by
> SELinux multiple times on the mere handful of systems I have run it on
> in enforcing mode,  but have yet to see a single one of several dozen
> (all internet exposed) up-to-date *non*-SELinux systems hacked.

You are comparing two unlike things.  You can't very well judge the 
benefits of SELinux based on a system which hasn't needed its protection.

> It is a 'safety' feature that is in practice more dangerous to system
> stability than what it is trying to fix.

I advise administrators to test all updates on non-production systems. 
SELinux updates are no exception.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
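
The reply above points at /var/log/audit/audit.log as the place where the denial was recorded. The following is an added example, not part of the original message: it pulls AVC denials out of audit-log text and groups them by process, permission and SELinux type. The log lines are constructed samples in the AVC record format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records (not taken from the thread or a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1274888640.123:456): avc:  denied  { read } for  pid=2345 comm="smbd" name="smb.conf" dev=dm-0 ino=1234 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1274888640.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1274888641.001:457): avc:  denied  { read } for  pid=2346 comm="smbd" name="smb.conf" dev=dm-0 ino=1234 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1274888700.500:460): avc:  denied  { name_bind } for  pid=3001 comm="httpd" src=8081 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=USER_AUTH msg=audit(1274888710.000:461): user pid=3100 uid=0 msg='op=PAM:authentication acct="root" res=success'
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return one dict per AVC denial; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        fields['perms'] = m.group('perms').split()
        fields['serial'] = int(m.group('serial'))
        denials.append(fields)
    return denials


def summarize(denials, comm=None):
    """Count denials by (comm, perms, source type, target type, class)."""
    counts = Counter()
    for d in denials:
        if comm and d.get('comm') != comm:
            continue
        stype = d['scontext'].split(':')[2]   # user:role:type:level
        ttype = d['tcontext'].split(':')[2]
        counts[(d.get('comm'), ' '.join(d['perms']), stype, ttype, d['tclass'])] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(parse_denials(SAMPLE_LOG), comm='smbd').items():
        print(n, *key)
```

On a live system, `ausearch -m avc -c smbd` performs the equivalent lookup against the audit log directly.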

