On Wed, Feb 23, 2011 at 08:09:41AM -0800, Terry Trapp wrote:

> I have recently been brought back from the Dark Side™ to administer
> some Linux boxen. Something that has changed in my absence is that
> SELinux is now enabled by default and appears to have a fairly
> prohibitive default policy. (On CentOS) I would like to draw on the
> group's experience and know your thoughts, opinions and philosophy of
> how best to deal with it.

CentOS, like RHEL, has shipped with selinux enabled, using the targeted policy, for years. This is a Good Thing (tm).

The best way to deal with it is to set aside some quality time and read the following resources:

http://wiki.centos.org/HowTos/SELinux
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
http://fedorasolved.org/security-solutions/selinux-module-building
http://centoshelp.org/security/selinux-common-commands-troubleshooting

(these are from my help triggers on the #centos channel on freenode)

> My initial thought is to leave it enabled and adjust the policy as
> needed for a given service. The issue I have run into is that I have
> not found a comprehensive CLI tool to administer the policy. Outright
> disabling it has been the best answer in a couple of cases.

That is an *excellent* initial thought; and much more refreshing than the normal nonsense we see daily on IRC.

The best way to manage things is with the tools provided, which the above listed resources go over. setroubleshootd is a nice tool in that it will notify you via email of details of selinux policy violations and the needed steps to take in order to correct each violation it seems.

Consider running your server(s) in Permissive rather than Enforcing mode in the beginning; put the boxes through their paces as far as processes and work-flows go; addressing each policy violation as it occurs and when done put it back into Enforcing mode. "man setenforce" for details. Permissive mode triggers violation notifications but as warnings only; the underlying activity will still be permitted to complete; it's ideal for fine tuning policies.

> Also, does anyone know of a good book that can give an overview of the
> current implementation of SELinux?

I would, personally, start with the resources listed above. They should really go over everything you need.
John

--
"Political Correctness is a doctrine, fostered by a delusional, illogical, liberal minority and rabidly promoted by an unscrupulous mainstream media, which holds forth the proposition that it is entirely possible to pick up a turd by the clean end." -- Unknown
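An added example, not from John's mail or the CentOS wiki pages: a small POSIX shell helper for the Permissive-mode triage workflow described above. It reads AVC denial lines in the format auditd writes to /var/log/audit/audit.log and summarises them by source type, target type, object class and permission, so each distinct violation can be dealt with (a boolean, a relabel, or a local module) before going back to Enforcing. The audit lines below are constructed sample data.

```shell
#!/bin/sh
# Triage helper for the "run Permissive, fix each denial, then setenforce 1" workflow.
# On a real box:   setenforce 0 ; exercise the services ; then
#                  grep 'avc: *denied' /var/log/audit/audit.log | summarize_avc
# Constructed sample audit.log lines (not taken from a real system):
AVC_SAMPLE='type=AVC msg=audit(1298476800.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=5678 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1298476800.500:46): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev=sda1 ino=5680 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1298476801.456:47): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/terry/www" dev=sda1 ino=5679 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1298476802.789:48): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1298476802.789:48): arch=c000003e syscall=42 success=no exit=-13'

# denial_count: number of AVC denial records on stdin (non-AVC records are ignored).
denial_count() {
    grep -c 'avc: *denied'
}

# summarize_avc: one line per distinct (source type, target type, class, perms) tuple,
# prefixed by how often it occurred, most frequent first.  The type is the third
# colon-separated field of scontext=/tcontext= (user:role:type:level).
summarize_avc() {
    awk '
    /avc: *denied/ {
        perm = ""; inperm = 0; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perm = (perm == "" ? $i : perm "," $i); continue }
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        print s, t, c, perm
    }' | sort | uniq -c | sort -rn
}

# Stand-alone run on the sample data: prints the summary table.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

Each summary line is a single thing to decide on; for the sample above, the user_home_t and mysqld_port_t rows correspond to the kind of cases the SelinuxBooleans page covers, while a denial that no boolean addresses is where the module-building page comes in.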