On Wed, 2005-04-27 at 16:18 -0400, Erik Hemdal wrote:
>
> > SELinux update - Significant number of additional daemons
> > will be protected by SELinux in Fedora Core 4
>
> Lukewarm. Some of my students have had significant problems with SELinux,
> and the advice they have received is generally along the lines of "Oh yeah,
> it doesn't work right on Fedora, so just turn it off."

Ouch!

Since you have students involved, I'll risk the off-topic reply. :)

As with any new security paradigm, existing applications are likely to have a few stumbling spots. The targeted policy for Fedora Core 4 works _extremely_ well. The updates for FC4 resolve many of the problems people had in FC3. The policy patching community has increased a lot since inclusion in Fedora Core.

Usually a person is having a single problem with SELinux, such as a legacy CGI application getting AVC errors. The solution, aside from writing a few pieces of policy to fix it[1], is to disable SELinux for the daemon, i.e., Apache.[2]

Unfortunately, too many people are told to entirely disable SELinux. This reminds me of people being told to turn off ipchains or iptables if they couldn't get a working firewall rule for their application.

I don't think SELinux is going away anytime soon, so we might as well get familiar with it.

cheers - Karsten

[1] To quote myself on writing small policy pieces:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-section-0120.html

[2] Changing a Boolean setting to disable protection for a daemon:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0068.html#RHLCOMMON-SECTION-0077

--
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/