It is maybe a bit difficult to get started, but it is doable on
a server as well.  I am beginning a transition from Solaris 10
to RHEL6 for our main server and have found that it just takes
dealing with each new issue once.  Your best friend is the
sealert -a command applied to the audit log.  I have (so far)
only had to make one local SELinux policy and had to make use
of chcon in a few other situations.

Admittedly, this is much easier because I am able to start
from scratch with a system that will not be deployed until
I am happy with it.  But, I think that having SELinux running
will be a considerable asset.

Andy

On Fri, 2010-12-03 at 08:16 -0600, [email protected] wrote:
> i'm not saying I've succeeded in convincing people to let me run SELinux in
> enforcing anywhere, but think about the argument you just made:
> 
> "I've got it [SELinux] enabled on my desktop and laptops", which while
> useful, aren't as ready of targets for hackers (we are talking Linux not
> Windows).  Desk/laptop environments are also more broad and varied in
> software that is run and the potential that you will run into SELinux
> issues (such as jch's dropbox issue).
> 
> "on my servers though...[i have it disabled]..." However most servers are
> ready targets, with ports open and attractive to someone trying to break
> in.  Servers tend to have a stable software configuration and use cases,
> leading to SELinux being easier to maintain in the long run since behavior
> patterns aren't as likely to change constantly.  Yes, easier by comparison,
> and not saying it's "easy".
> 
> -greg
> 
> [email protected] wrote on 12/03/2010 06:34:52 AM:
> 
> >
> > Right. I've got it enabled on my desktop and laptops. On servers
> though...
> >
> > Sent from my iPhone
> >
> > On Dec 3, 2010, at 5:08 AM, "John Haxby" <[email protected]> wrote:
> >
> >
> >
> > On 3 December 2010 00:59, Marti, Robert <[email protected]> wrote:
> > SELinux scares people, to put it simply. Instead of fixing things to
> > work with it, it gets disabled so no one has to deal with it. I'd
> > rather fix it, but the normal complaint is lack of time to do it
> > right. I normally set it to permissive mode and make a note to come
> > back and address the issues later. So far later hasn't come.
> >
> >
> > This is an argument I have sympathy with.
> >
> > However, just short of three years ago I decided enough was enough
> > and I was going to get to grips with this thing on my laptop.  So I
> > left selinux enabled when I installed whatever was the current
> > Fedora at the time.
> >
> > As I recall, the only problem I had was with the web server I was
> > running(*).  Fixing that was a matter of ten minutes between me and
> > google.   Since that time I've picked up other selinux stuff
> > incrementally — I'm far from being an expert but I'm not afraid of
> > selinux any more and I can make use of it after a fashion.   (Fedora
> > 14 has a problem with some 32 bit apps and selinux but I can live
> > without dropbox for the moment.)
> >
> > jch
> >
> >
> > * yes, on a laptop: you have problem with that? :-)
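
Andy's workflow above (pull the AVC denials out of the audit log, then decide whether a path just needs relabeling with chcon/restorecon or whether a local policy module is really needed) as an added Python triage helper; this is not code from this thread or from any of the posters, and sealert -a does the richer version of it. The audit records and the GENERIC_TYPES heuristic are constructed assumptions for the example.

```python
import re

# Constructed sample of RHEL6-style audit.log records (not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291386001.101:201): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=sda1 ino=9001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1291386002.102:202): avc:  denied  { getattr } for  pid=2201 comm="httpd" path="/var/www/html/index.html" dev=sda1 ino=9001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1291386003.103:203): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1291386003.103:203): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that usually mean content was copied or created somewhere the
# policy does not expect for this service: fix the label, not the policy.
GENERIC_TYPES = {"default_t", "unlabeled_t", "file_t", "user_home_t", "admin_home_t"}

def parse_avc(line):
    """Return the useful fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {k: fields.get(k) for k in ("comm", "scontext", "tcontext", "tclass", "path", "name")}
    if not (rec["scontext"] and rec["tcontext"]):
        return None   # truncated record: nothing to classify
    rec["perms"] = m.group("perms").split()
    rec["stype"] = rec["scontext"].split(":")[2]   # e.g. httpd_t
    rec["ttype"] = rec["tcontext"].split(":")[2]   # e.g. user_home_t
    return rec

def triage(log_text):
    """Group denials by (source type, target type, class) and classify each group."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        g = groups.setdefault(key, {"count": 0, "perms": set(), "paths": set()})
        g["count"] += 1
        g["perms"].update(rec["perms"])
        if rec["path"] or rec["name"]:
            g["paths"].add(rec["path"] or rec["name"])
        # Mislabeled file/dir: restorecon or semanage fcontext (chcon as a quick test).
        # Anything else: read the denial, check booleans, only then audit2allow -M.
        relabel = rec["tclass"] in ("file", "dir") and rec["ttype"] in GENERIC_TYPES
        g["kind"] = "relabel" if relabel else "policy"
    return groups
```

On a real box, feed it the contents of /var/log/audit/audit.log; the "relabel" groups are the chcon/restorecon cases, and only the "policy" groups are candidates for the kind of local module Andy mentions.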


_______________________________________________
rhelv6-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv6-list