On Thursday, March 23, 2017 11:53:07 AM CDT Kent Perrier wrote:
> https://stopdisablingselinux.com/  :D
> 
> I can only speak to RHEL, but selinux had gotten a lot easier to set up
> with RHEL/CentOS 7. Something gets stepped on by SELinux? Look at
> /var/log/messages. It pretty much gives you the command to run to allow it
> to work.
> 
> On Thu, Mar 23, 2017 at 11:39 AM, andrew mcelroy <sophri...@gmail.com> wrote:
> > So to further expand this conversation:
> > https://www.cnet.com/news/novell-lays-off-apparmor-programmers/
> > http://wiki.apparmor.net/index.php/Gittutorial
> > 
> > https://security.stackexchange.com/questions/29378/comparison-between-apparmor-and-selinux
> > 
> > grsecurity seems to have fallen out of visibility.
> > 
> > On Thu, Mar 23, 2017 at 9:23 AM, Howard White <hwh...@vcch.com> wrote:
> >> A worthy discussion, indeed.
> >> 
> >> I get [ bemused | frustrated ] by the "happy talk" how-tos in which the
> >> first instruction is kill off SELinux.  Is SELinux a pain?  Yes.  Can it
> >> be made to work?  Yes.  Is it effective?  I have NO idea...
> >> 
> >> Howard
> >> 
> >> On 03/23/2017 11:11 AM, andrew mcelroy wrote:
> >>> Greetings NLUG,
> >>> 
> >>> A recent debate that I am currently having is revolving around using
> >>> SELinux in a hardened environment. If anyone on this list deals with
> >>> Government/Military/Security Critical systems, I have a question.
> >>> 
> >>> How widespread is SELinux or has AppArmor won the day?
> >>> What are your current best practice guides/resources for hardening a
> >>> Linux server?
> >>> 
> >>> Thanks.
> >>> 
> >>> Respectfully,
> >>> Andrew McElroy

May be late in the game, but if you run RHV (Red Hat Virtualization, or RHEV 3) 
SELinux is needed to protect one Guest from the other apparently.  We're 
running it on Power8 boxes, and Intel.
Also, on boxes that sit in a DMZ, or are internet facing, we enable SELinux.   
It appears to work, and it's not THAT hard, you just have to be aware of it.

AppArmor is what appears to be running on Linux Mint, what few of those I have 
running, but that's about it.

Anyone with a default install of Fedora will have SELinux running, I believe.  
I usually disable it out of the gate, so I'm hoping that's right.

-- 
See Ya'
Howard Coles Jr.
John 3:16
