RE: Feedback on Fedora Core 4 test 2 review

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2005-04-27 at 16:18 -0400, Erik Hemdal wrote:
> 
> > SELinux update - Significant number of additional deamons 
> > will protected by SELinux in Fedora Core 4 
> 
> Lukewarm.  Some of my students have had significant problems with SELinux,
> and the advice they have received is generally along the lines of "Oh yeah,
> it doesn't work right on Fedora, so just turn it off."

Ouch!

Since you have students involved, I'll risk the off-topic reply. :)

As with any new security paradigm, existing applications are likely to
have a few stumbling spots.

The targeted policy for Fedora Core 4 works _extremely_ well.  The
updates for FC4 resolve many of the problems people had in FC3.  The
policy patching community has increased a lot since inclusion in Fedora
Core.

Usually a person is having a single problem with SELinux, such as a
legacy CGI application getting AVC errors.

The solution, aside from writing a few pieces of policy to fix it[1], is
to disable SELinux for the daemon, i.e., Apache.[2]  

Unfortunately, too many people are told to entirely disable SELinux.

This reminds me of people being told to turn off ipchains or iptables if
they couldn't get a working firewall rule for their application.

I don't think SELinux is going away anytime soon, so we might as well
get familiar with it.

cheers - Karsten

[1] To quote myself on writing small policy pieces:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-section-0120.html

[2] Changing a Boolean setting to disable protection for a daemon:

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0068.html#RHLCOMMON-SECTION-0077

-- 
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint:  2680 DBFD D968 3141 0115    5F1B D992 0E06 AD0E 0C41   
                       Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Fedora Mentors]     [Kernel Developers]     [Fedora Packaging]     [Fedora Desktop]     [PAM]     [Gimp Users]     [Yosemite Camping]

  Powered by Linux