[clue] Who's using SELinux?

Mike Bean beandaemon at gmail.com
Mon May 21 08:36:36 MDT 2012


(SELinux is a great idea and for a system that's likely to be under a lot
of attacks you should have SELinux in its most restrictive mode for
safety.)

Yeah, that's our issue.  We do security training, so while we're not an
especially profitable target, we're a prestige target.  Security guy
explained to me that people mostly just want to embarrass us.

Bean


On Sun, May 20, 2012 at 9:19 PM, Jim Ockers <ockers at ockers.net> wrote:

> I agree with Collins, unless you are extremely diligent at being a
> sysadmin and also very knowledgeable about SELinux and how to
> reconfigure policies, SELinux can be a real nuisance.
>
> SELinux is a great idea and for a system that's likely to be under a lot
> of attacks you should have SELinux in its most restrictive mode for
> safety. However my experiences with it have been trying to help someone
> troubleshoot why the webserver can't read some apparently readable file
> that other processes can read, or why some binary or cgi won't execute
> even though it appears to work fine when they try to run it every other
> way, and so forth.  Whenever a server is acting squirrely, I now have to
> remember to check if SELinux might be getting in the way of some system
> call etc.
>
> Jim
>
> Collins Richey wrote:
> > RedHat distros have turned this on by default for a long time now. At
> > work we turn it off. Most all of our systems are behind substantial
> > firewalls, so we don't need the hassle of dealing with selinux. Almost
> > always when we find a system that's acting especially squirrely, we
> > find that we forgot to disable selinux.
> >
> > Any more, we don't even activate iptables!!!
> >
> >
>