I agree that selinux is a step in the right direction, since it starts to get past that "root owns everything" paradigm, but I would be much more comfortable with it if I could *easily* view, create, and adjust policies/context. As it stands now, selinux is a patch, not a fix.

For example, on reboot my mysql server doesn't start, but selinux isn't mentioned as a culprit during boot. As a result I spend time investigating *other* problems, then finally disable selinux to see if it works. Voila! So, now I can restorecon on mysql, reenable selinux and all is well - except that I had to GUESS at the cause.

Selinux (and its current state of integration with RedHat) isn't quite there yet.

Cheers,
Arpotu.

> On Wed, October 31, 2007 9:58 pm, mark wrote:
>> Bill Hillier wrote:
>>> NFlorez@xxxxxxxxx wrote:
>>>> How do I disable and enable Selinux?
>>>>
>>> setenforce command ....
>>>
>>> setenforce 0
>>> setenforce 1
>>
>> And reboot. And forget about it. It's a honkin' pain in the neck, unless you're
>> running a completely canned system, and the users are only allowed to do what
>> you've allowed them to do. May be fine for, oh, the Pentagon or the CIA, but in
>> the real world, it's security through making it next to impossible to *do*
>> anything.
>
> Is it a pain sometimes? You betcha. I think it's worth it, though. I have,
> on occasion been stopped temporarily from doing what I wanted to do, but
> now that I understand better how it works, I have no problems with it.
> If someone *does* manage to crack in and take over, let's say apache, I'll
> be very glad I didn't 'setenforce 0'.
>
> Just my $0.02 worth.
>
> Bill
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
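The guessing Arpotu describes (a service failing after reboot, SELinux never named as the cause) is avoidable: the denials are recorded as AVC lines in the audit log. The script below is an added example, not code from the thread or from Red Hat; it reads a constructed sample of audit log records embedded inline, and the function names avc_denials_for and denial_count are my own. On a live system "ausearch -m avc -c mysqld" returns the same records.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log lines (not taken from the
# thread): two denials for mysqld on mislabelled files, one unrelated SYSCALL
# record that must be ignored, and one denial for httpd.
SAMPLE_AUDIT='type=AVC msg=audit(1193873912.345:101): avc:  denied  { read } for  pid=2201 comm="mysqld" name="ibdata1" dev=sda2 ino=131075 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1193873912.345:102): avc:  denied  { write } for  pid=2201 comm="mysqld" name="mysql.sock" dev=sda2 ino=131090 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1193873912.345:101): arch=c000003e syscall=2 success=no exit=-13 comm="mysqld"
type=AVC msg=audit(1193873950.001:140): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_denials_for <comm>   (audit log on stdin)
# Prints one line per AVC denial for that process name:
#   <permission> <object class> <object name, path or port> <target context>
avc_denials_for() {
    awk -v want="comm=\"$1\"" '
        /^type=AVC / && index($0, want) {
            s = index($0, "{ "); e = index($0, " }")
            perm = substr($0, s + 2, e - s - 2)      # text between { and }
            target = ""; tctx = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "name" || kv[1] == "path" || kv[1] == "dest") target = kv[2]
                else if (kv[1] == "tcontext") tctx = kv[2]
                else if (kv[1] == "tclass") tclass = kv[2]
            }
            gsub(/"/, "", target)
            print perm, tclass, target, tctx
        }'
}

# denial_count <comm>   (audit log on stdin): number of denials, 0 if none.
denial_count() {
    avc_denials_for "$1" | awk 'END { print NR }'
}

# Stand-alone run: before reaching for "setenforce 0", look at what was
# actually denied. A target context such as var_t on a file mysqld owns
# points to a labelling problem, which restorecon fixes with SELinux left on.
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for mysqld
```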