On Dec 3, 2015, at 16:05 20, Lamar Owen <lo...@pari.edu> wrote:

> Woah there, Cowboy.... all SELinux denials are recorded as avc denials in 
> /var/log/audit/audit.log by default.  It will be increasingly difficult to 
> run without SELinux, at least on CentOS.

On the contrary — it’s easy!  Disabling it simply removes a layer of security.  
Whether it’s *prudent* to do so is an entirely different discussion however.

Security is really no different than any other aspect of IT operations.  One 
has to balance the risks vs the costs of any given strategy in the context of 
the overall environment.  For most (not all!) radio automation environments, 
SELinux is probably overkill as such systems are typically operated in isolated 
LAN environments.  OTOH, for things like public web servers, there is a *lot* 
to be said for it.


> Learning to use SELinux with the booleans and knobs that Red Hat has provided 
> isn't that hard, and it is a great extra layer of security on critical 
> systems.  I have seen attempted attacks that were thwarted with SELinux (and 
> one was on a system that was not internet-connected; there just happened to 
> be a virus-infected Windows machine on the same LAN).  But, that's just my 
> opinion..... but, well, I do Linux servers as part of what I do for a living.

It’s not, but it does require a new way of thinking about things.  If you know 
about the audit tools (and have internalized that knowledge) then it’s not 
particularly difficult, but for those who are new to the concept (which 
probably describes the bulk of UNIX sysadmins today) it’s liable to be an 
extremely frustrating experience when things just “inexplicably” fail to work.  
Hence, I find the typical knee-jerk reaction of “just turn the damn thing off” 
to be quite understandable.  This will change over time as operators become 
more familiar with the concepts.

Cheers!


|----------------------------------------------------------------------|
| Frederick F. Gleason, Jr. |              Chief Developer             |
|                           |              Paravel Systems             |
|----------------------------------------------------------------------|
|          A room without books is like a body without a soul.         |
|                                         -- Cicero                    |
|----------------------------------------------------------------------|

_______________________________________________
Rivendell-dev mailing list
Rivendell-dev@lists.rivendellaudio.org
http://caspian.paravelsystems.com/mailman/listinfo/rivendell-dev
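The thread mentions that every SELinux denial lands in /var/log/audit/audit.log as an AVC record and that knowing the audit tools is what makes the "inexplicable" failures tractable. The script below is an added example, not code from either poster or from the Rivendell project: it parses constructed AVC lines in the audit.log format, skips non-AVC records, and groups denials by source domain, target type, object class and denied permissions, flagging whether each denial was enforced (`permissive=0`) or only logged. The sample log, the process name `audiod` and the inode/PID values are all made up for the demonstration. On a real host the equivalent first look is `ausearch -m avc` followed by `audit2why`; this script only shows what those records contain and how to summarise them.

```python
"""Triage helper for SELinux AVC denials in /var/log/audit/audit.log.

Parses 'type=AVC ... avc:  denied  { perms } for ...' records and groups
them so a sysadmin can see what was refused, by which domain, against which
target type, and whether the refusal was enforced or merely logged.
"""
import re
from collections import Counter

# Constructed sample records in the audit.log AVC format (not from a real
# system).  The SYSCALL line shows that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1449172800.101:201): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev="sda1" ino=131073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1449172800.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1449172801.202:202): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1449172802.303:203): avc:  denied  { read write } for  pid=3456 comm="audiod" name="snd" dev="tmpfs" ino=42 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1449172803.404:204): avc:  denied  { read } for  pid=2345 comm="httpd" name="about.html" dev="sda1" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Fixed prefix of an AVC record: timestamp, serial, result and permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context,
    e.g. 'httpd_t' from 'system_u:system_r:httpd_t:s0'."""
    parts = (ctx or '').split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC records, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group('fields')):
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        # permissive=1 means the access was logged but not actually blocked.
        'permissive': fields.get('permissive') == '1',
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        # File denials carry name=, network denials carry dest= (port).
        'target': fields.get('name') or fields.get('dest') or fields.get('path'),
    }


def summarize_denials(log_text):
    """Return (denial_records, Counter keyed by
    (source type, target type, class, perms, 'enforced'|'permissive'))."""
    records = [r for r in map(parse_avc, log_text.splitlines())
               if r is not None and r['result'] == 'denied']
    summary = Counter()
    for r in records:
        key = (context_type(r['scontext']), context_type(r['tcontext']),
               r['tclass'], ' '.join(r['perms']),
               'permissive' if r['permissive'] else 'enforced')
        summary[key] += 1
    return records, summary


def format_report(summary):
    """Render the summary as text lines, most frequent denial first."""
    lines = []
    for (src, tgt, tclass, perms, mode), n in sorted(
            summary.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"{n:3d}x {mode:10s} {src} -> {tgt} ({tclass}) {{ {perms} }}")
    return lines


if __name__ == '__main__':
    denials, summary = summarize_denials(SAMPLE_AUDIT_LOG)
    print(f"{len(denials)} AVC denials parsed")
    for line in format_report(summary):
        print(line)
```

Grouping by (domain, target type, class, permissions) rather than by file name is what makes the output actionable: two denials on different files under `user_home_t` are one policy question (should this domain read that type at all?), not two separate incidents.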
