(SELinux is a great idea and for a system that's likely to be under a lot<br>
of attacks you should have SELinux in its most restrictive mode for<br>
safety.)<br><br>Yea, that's our issue. We do security training, so while we're not an especially profitable target, we're a prestige target. Security guy explained to me that people mostly just want to embarrass us.<br>
<br>Bean<br><br><br><div class="gmail_quote">On Sun, May 20, 2012 at 9:19 PM, Jim Ockers <span dir="ltr"><<a href="mailto:ockers@ockers.net" target="_blank">ockers@ockers.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I agree with Collins, unless you are extremely diligent at being a<br>
sysadmin and also very knowledgeable about SELinux and how to<br>
reconfigure policies, SELinux can be a real nuisance.<br>
<br>
SELinux is a great idea and for a system that's likely to be under a lot<br>
of attacks you should have SELinux in its most restrictive mode for<br>
safety. However my experiences with it have been trying to help someone<br>
troubleshoot why the webserver can't read some apparently readable file<br>
that other processes can read, or why some binary or cgi won't execute<br>
even though it appears to work fine when they try to run it every other<br>
way, and so forth. Whenever a server is acting squirrely, I now have to<br>
remember to check if SELinux might be getting in the way of some system<br>
call etc.<br>
<span class="HOEnZb"><font color="#888888"><br>
Jim<br>
</font></span><div class="im HOEnZb"><br>
Collins Richey wrote:<br>
> RedHat distros have turned this on by default for a long time now. At<br>
> work we turn it off. Most all of our systems are behind substantial<br>
> firewalls, so we don't need the hassle of dealing with selinux. Almost<br>
> always when we find a system that's acting especially squirrely, we<br>
> find that we forgot to disable selinux.<br>
><br>
> Anymore, we don't even activate iptables!!!<br>
><br>
><br>
<br>
</div><div class="HOEnZb"><div class="h5">_______________________________________________<br>
clue mailing list: <a href="mailto:clue@cluedenver.org">clue@cluedenver.org</a><br>
For information, account preferences, or to unsubscribe see:<br>
<a href="http://cluedenver.org/mailman/listinfo/clue" target="_blank">http://cluedenver.org/mailman/listinfo/clue</a><br>
</div></div></blockquote></div><br>
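The check Jim describes (is SELinux, rather than file permissions, what is stopping the webserver or a cgi?) comes down to reading AVC denials out of the audit log. The script below is an added example, not code from anyone in this thread; it runs over constructed sample lines in the format auditd writes to /var/log/audit/audit.log and reports each denial as process, permission, object class and source type -> target type, which is what a policy fix or a restorecon/chcon would act on.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials from an audit log.
# The sample lines below are constructed; on a real host point it at /var/log/audit/audit.log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1337563140.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1337563140.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1337563141.456:457): avc:  denied  { execute } for  pid=1235 comm="httpd" name="test.cgi" dev=sda1 ino=98766 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1337563142.789:458): avc:  granted  { setsecparam } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF

# One line per denial: comm, permission, object class, object name, source type -> target type.
# The third colon-separated field of a context (user:role:TYPE:level) is the type the policy keys on.
summarize_avc() {
    grep 'avc:  denied' "$1" | awk '{
        perm = ""; cls = ""; comm = ""; src = ""; tgt = ""; name = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1);
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        printf "%s denied %s on %s %s: %s -> %s\n", comm, perm, cls, name, src, tgt
    }'
}

# Number of denials found; a non-zero count while `getenforce` reports Enforcing
# is the signal that SELinux, not Unix permissions, is what is in the way.
count_denials() {
    summarize_avc "$1" | wc -l | tr -d ' '
}

summarize_avc "$SAMPLE_LOG"
```

With the sample data this reports the two httpd denials (a read on a user_home_t file and an execute on an httpd_sys_content_t cgi) and ignores the granted entry, mirroring the two troubleshooting cases Jim mentions.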