[clue] Who's using SELinux?
Jim Ockers
ockers at ockers.net
Sun May 20 21:19:15 MDT 2012

I agree with Collins: unless you are extremely diligent at being a
sysadmin and also very knowledgeable about SELinux and how to
reconfigure policies, SELinux can be a real nuisance.

SELinux is a great idea, and for a system that's likely to be under a lot
of attacks you should have SELinux in its most restrictive mode for
safety. However, my experiences with it have been trying to help someone
troubleshoot why the webserver can't read some apparently readable file
that other processes can read, or why some binary or CGI won't execute
even though it appears to work fine when they try to run it every other
way, and so forth. Whenever a server is acting squirrely, I now have to
remember to check if SELinux might be getting in the way of some system
call, etc.

Jim

Collins Richey wrote:
> Red Hat distros have turned this on by default for a long time now. At
> work we turn it off. Most all of our systems are behind substantial
> firewalls, so we don't need the hassle of dealing with selinux. Almost
> always when we find a system that's acting especially squirrely, we
> find that we forgot to disable selinux.
>
> Any more, we don't even activate iptables!!!
>
>