Re: SELinux?



I agree that selinux is a step in the right direction, since it starts to
get past that "root owns everything" paradigm, but I would be much more
comfortable with it if I could *easily* view, create, and adjust
policies/context. As it stands now, selinux is a patch, not a fix. For
example, on reboot my mysql server doesn't start, but selinux isn't
mentioned as a culprit during boot. As a result I spend time
investigating *other* problems, then finally disable selinux to see if it
works. Voila! So, now I can restorecon on mysql, reenable selinux and
all is well - Except that I had to GUESS at the cause.

Selinux (and its current state of integration with RedHat) isn't quite
there yet.

Cheers,
Arpotu.


On Wed, October 31, 2007 9:58 pm, mark wrote:
Bill Hillier wrote:
NFlorez@xxxxxxxxx wrote:
How do I disable and enable Selinux?

setenforce command ....

setenforce 0
setenforce 1

And reboot. And forget about it. It's a honkin' pain in the neck, unless you're
running a completely canned system, and the users are only allowed to do what
you've allowed them to do. May be fine for, oh, the Pentagon or the CIA, but in
the real world, it's security through making it next to impossible to *do*
anything.

Is it a pain sometimes? You betcha. I think it's worth it, though. I have,
on occasion, been stopped temporarily from doing what I wanted to do, but
now that I understand better how it works, I have no problems with it.
If someone *does* manage to crack in and take over, let's say apache, I'll
be very glad I didn't 'setenforce 0'.

Just my $0.02 worth.

Bill



--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list




