On 02/06/2014 02:22 PM, S. Dale Morrey wrote:
> Ok I understand what you are saying.
> My point is that SELinux gets in the way of what I would consider good
> security practices.
>
> Think about it this way.
> If you configure SELinux to be permissive, then there is effectively no
> difference between that and not having it run at all.

No, but in theory this helps you see what permissions your process has to have to run.

You're not the only one that struggles with SELinux. It's a powerful concept but the use of it is very hard. Just today I was battling selinux and lost on my recently installed Fedora desktop. With the nvidia drivers, X just won't load at all with selinux on enforcing *or* permissive! It's the weirdest thing. Disable selinux completely and it runs fine. I straced X, and it just hangs on a futex. I can't get any useful information out of it.

Also in permissive mode, my logs are full of warnings of violations from processes that are completely stock. In other words, it should work just fine, since Fedora ships with selinux enabled and enforcing, and things presumably work. But I have problems. I have relabeled the entire file system several times. Still no go. So I've given up for now.

However my next job is to redo my VPS's, and I will be employing selinux for sure. Not doing it until now is a disaster waiting to happen.
