[aklug] Re: selinux more trouble than it's worth?

From: Larry Collier <larry@medease.com>
Date: Tue Jun 02 2009 - 13:53:55 AKDT

SELinux was designed for ultra-high-security environments with input by the
NSA, as I remember. If you don't have that high a need, don't use it. It is,
as Lee has said, a lot more trouble than it's worth. The initial learning
curve is very rugged.

Larry

On Tuesday 02 June 2009 11:39:49 Lee wrote:
> That's 'permissive' mode. That's what it is at now (which I fortunately
> discovered early on, but I still get all the stupid popup boxes on the
> desktop). Plus CentOS (and presumably RHEL as well) 'helps' you by
> re-activating the 'active' mode on reboot. Yes, I know we're supposed to
> never have to reboot, but I do anyway, particularly on setups and installs.
>
> I could do a cron job to reset it to 'permissive', but that's ugly, and
> I shouldn't even have to do that at all.
>
> Thanks though.
>
> Lee
>
>
> ---------- Original Message -----------
> From: barsalou <barjunk@attglobal.net>
> To: Lee <lee@afabco.org>
> Cc: aklug@aklug.org
> Sent: Tue, 02 Jun 2009 11:29:52 -0800
> Subject: Re: [aklug] selinux more trouble than it's worth?
>
> > Quoting Lee <lee@afabco.org>:
> > > Well, I've just spent the last two days setting up a centralized
> > > syslog server on bare metal, using CentOS 5, MySQL, PHP, phpLogCon
> > > and Apache 2. All went well until I actually started trying to,
> > > like, do useful stuff.
> > >
> > > Nothing worked as expected.
> > >
> > > 9 out of 10 issues were selinux related.
> > >
> > > And there are still issues, but at least stuff is working now.
> > >
> > > So it seems to me at this point that selinux is way the hill more
> > > trouble than it's worth.
> > >
> > > But before I deactivate selinux in disgust and consign it to the
> > > 'interesting idea way more trouble than it's worth in real life'
> > > pile, I thought I'd see if others shared my thinking, or whether
> > > consensus is that selinux is seen as a useful and practical thing.
> > >
> > > Thanks.
> >
> > As you've discovered, figuring out what it affects and how to mold it
> > to your needs is the hardest part.
> >
> > I'd like to suggest that you turn the setting to 'warn' or 'audit'.
> > Can't remember the name it was given....it's not on, but it's not off
> > either.
> >
> > This will give you logging information to let you know that if you
> > have it turned on, then these things will be an issue.
> >
> > Give that a try....you'll get the best of both worlds....being able to
> > get stuff done, and knowing what needs to be modified so that stuff
> > will continue to work when you turn it on for good.
> >
> > Just an idea.
> >
> > Mike B.
> >
>
> ------- End of Original Message -------

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Tue Jun 2 13:53:26 2009
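
An added example, not part of the original thread: in permissive mode SELinux logs AVC denial records for what enforcing mode would have blocked, which is the logging Mike B. suggests using. This Python script groups such records by source type, target type and object class; the log lines, the regex and the function names are constructed for illustration and modelled on the audit.log AVC format.

```python
import re
from collections import defaultdict

# Constructed sample lines in the audit.log AVC format (not from the original thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1243971000.101:201): avc:  denied  { name_connect } for  pid=2411 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1243971003.512:202): avc:  denied  { read } for  pid=2411 comm="httpd" name="messages" dev=sda1 ino=98112 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1243971003.513:203): avc:  denied  { getattr } for  pid=2411 comm="httpd" path="/var/log/messages" dev=sda1 ino=98112 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1243971003.513:203): arch=40000003 syscall=195 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1243971010.040:204): avc:  denied  { name_connect } for  pid=2412 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# Captures the permission set, the command name, both contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class); merge permissions and count hits."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial tuple
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["comms"].add(m["comm"])
        groups[key]["count"] += 1
    return [(src, tgt, cls, sorted(g["perms"]), sorted(g["comms"]), g["count"])
            for (src, tgt, cls), g in sorted(groups.items())]

if __name__ == "__main__":
    for src, tgt, cls, perms, comms, count in summarize_denials(SAMPLE_AUDIT_LOG):
        print(f"{count:3d}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }} via {','.join(comms)}")
```

Each output row is one distinct access that policy would have to allow (or the application would have to stop needing) before switching back to enforcing mode.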
