On Wed, Feb 23, 2011 at 08:09:41AM -0800, Terry Trapp wrote:
> I have recently been brought back from the Dark Side™ to administer
> some Linux boxen. Something that has changed in my absence is that
> SELinux is now enabled by default and appears to have a fairly
> prohibitive default policy. (On CentOS) I would like to draw on the
> group's experience and know your thoughts, opinions and philosophy of
> how best to deal with it.

        CentOS, like RHEL, has shipped with selinux enabled, using the
        targeted policy, for years. This is a Good Thing (tm).

        The best way to deal with it is to set aside some quality time
        and read the following resources:

        http://wiki.centos.org/HowTos/SELinux
        http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
        http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
        http://fedorasolved.org/security-solutions/selinux-module-building
        http://centoshelp.org/security/selinux-common-commands-troubleshooting

        (these are from my help triggers on the #centos channel on
        freenode)


> My initial thought is to leave it enabled and adjust the policy as
> needed for a given service. The issue I have run into is that I have
> not found a comprehensive CLI tool to administer the policy. Outright
> disabling it has been the best answer in a couple of cases.

        That is an *excellent* initial thought, and most refreshing
        compared to the normal nonsense we see daily on IRC.  The best way
        to manage things is with the tools provided, which the above listed
        resources go over.
        
        setroubleshootd is a nice tool in that it will notify you via
        email of the details of each selinux policy violation and, it
        seems, the steps needed to correct it.

        Consider running your server(s) in Permissive rather than
        Enforcing mode in the beginning; put the boxes through their
        paces as far as processes and work-flows go, addressing each
        policy violation as it occurs, and when done put them back into
        Enforcing mode.  "man setenforce" for details.  Permissive mode
        triggers violation notifications, but as warnings only; the
        underlying activity will still be permitted to complete.  It is
        ideal for fine-tuning policies.

> Also, does anyone know of a good book that can give an overview of the
> current implementation of SELinux?

        I would, personally, start with the resources listed above.
        They should really go over everything you need.

                                                        John
-- 
"Political Correctness is a doctrine, fostered by a delusional, illogical,
liberal minority and rabidly promoted by an unscrupulous mainstream media, which
holds forth the proposition that it is entirely possible to pick up a turd by
the clean end."

-- Unknown

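As an added example (not part of John's reply nor of the CentOS/Fedora wiki pages he links), here is the triage step that the "run Permissive, address each violation, then go back to Enforcing" advice assumes: a POSIX shell function that groups the AVC denial records SELinux writes to /var/log/audit/audit.log by source type, target type, object class and permission, so you can tell at a glance whether a denial wants a boolean, a relabel, or a local policy module. The three audit records embedded in the script are constructed for the demo, not captured from a real host; the boolean names in the trailing workflow comment (httpd_enable_homedirs, httpd_can_network_connect_db) are from the targeted policy, but which one applies to your denials is for you to confirm with getsebool and the SelinuxBooleans page.

```shell
#!/bin/sh
# Added example, not from the original post: summarise SELinux AVC denials
# collected while a box runs in Permissive mode (setenforce 0), grouped by
# source type / target type / object class / permission.

# Constructed sample records in audit.log format (not real log data).
SAMPLE_AVC='type=AVC msg=audit(1298475000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1298475001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1298475002.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="style.css" dev=sda1 ino=12346 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# summarize_avc: read audit records on stdin and print one line per distinct
# denial as "<count> <source_type> <target_type> <class> <permissions>",
# sorted by source/target type so related denials sit next to each other.
summarize_avc() {
    grep 'avc:  denied' | awk '
    {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the permission list sits between "{ " and " }" and may hold several words
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type:range, so the type is the third field
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Demo on the constructed sample; on a real box feed it audit.log instead.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc

# Workflow on the real box (needs root; listed for reference, not run here):
#   setenforce 0                                  # Permissive: log, do not block
#   ... exercise the service and its work-flows ...
#   ausearch -m avc -ts recent | summarize_avc    # what was denied, grouped
#   getsebool -a | grep httpd                     # is there already a boolean for it?
#   setsebool -P httpd_enable_homedirs on         # e.g. httpd_t reading user_home_t
#   setsebool -P httpd_can_network_connect_db on  # e.g. name_connect to mysqld_port_t
#   restorecon -Rv /var/www                       # mislabeled files: relabel, do not allow
#   ausearch -m avc -ts recent | audit2allow -M local_httpd && semodule -i local_httpd.pp
#   setenforce 1                                  # back to Enforcing
```

The grouping matters because setroubleshootd and audit2allow work per record: a single denial with a thousand hits is one decision, and a target type like user_home_t under /var/www is a labelling bug to fix with restorecon, not something to allow in a module.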