No flame war. Strong security is a corporate policy. I don't feel that I have 
the option of disabling security. It is just another component of the Linux 
system to feed and take care of. The learning curve is not steep once you 
recover from the initial shock of it being there. The resource that I cited 
earlier resolved my SELinux problems for packages not part of the RHEL 
distribution. Red Hat ships a large number of SELinux policies as demonstrated 
by the "semodule -l" command.

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Rick Troth
Sent: Wednesday, October 02, 2013 12:28 PM
To: LINUX-390@VM.MARIST.EDU
Subject: EXTERNAL: Re: Disabling SELinux

On 10/02/2013 01:00 PM, Hodge, Robert L wrote:
> Do you really want to handicap the security on your Linux server by disabling 
> SELinux? I use the audit2allow command as outlined at 
> http://www.linuxforums.org/articles/accomodating-avc-denied-messages-selinux_355.html
>  to create and load needed local policies for SELinux. It is an iterative 
> process until all the SELinux denials are found. I've done this successfully 
> on RHEL 6.3 and RHEL 6.4.

I almost appended my reply to John with "now ... before the flame wars start 
...".

It's a sensitive topic.  Those who like SELinux really really believe in it.  
Others consider it a government blessing akin to SOX.

Reining in my own feelings and trying to be objective, SELinux is a powerful 
and sophisticated tool.  But it is just a tool, and only one of several.  And 
it carries a substantial run-time cost.  Quoting from a different thread, "... 
the overhead is horrendous. It causes a RACF security call on each and every 
DSN.".  What RACF does in that context, SELinux does here.  Depending on your 
risks and exposure, the performance hit may be justified.

In addition to the operational overhead is the staff overhead (starting with a 
learning curve, but ongoing).  Again, might be justified, but should be 
indicated.

Not all Linux distributors include support for SELinux.

-- R; <><

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to 
lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit http://wiki.linuxvm.org/
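
Added example, not part of the thread: a sketch of the review step behind the iterative audit2allow process mentioned in the quoted message. It groups AVC denials by source type, target type and class, so each candidate allow rule can be inspected before a local policy module is built and loaded. The log lines, the myapp_t domain and the port number are constructed for illustration, and the parser assumes the usual audit.log AVC record layout.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread); myapp_t is hypothetical.
SAMPLE_LOG = """\
type=AVC msg=audit(1380733680.101:410): avc:  denied  { read } for  pid=2101 comm="myappd" name="app.conf" dev=dm-0 ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1380733680.102:411): avc:  denied  { open } for  pid=2101 comm="myappd" name="app.conf" dev=dm-0 ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1380733680.102:411): arch=80000016 syscall=5 success=no exit=-13
type=AVC msg=audit(1380733695.550:419): avc:  denied  { name_bind } for  pid=2101 comm="myappd" src=9099 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1380733701.007:425): avc:  granted  { setenforce } for  pid=2200 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches only "denied" AVC records and captures permissions, contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip SYSCALL records, granted AVCs and other lines
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def candidate_rules(rules):
    """Render each group as an allow rule in policy syntax, for review only."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


if __name__ == "__main__":
    for rule in candidate_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Reading the grouped rules before loading a module shows when a denial points at a mislabeled file or port rather than a missing permission, which is fixed by relabeling instead of a new allow rule.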
