[PLUG] FC9 Is SELinux Ready Yet?

Alan alan at clueserver.org
Mon Jul 7 00:56:08 UTC 2008


On Sun, 2008-07-06 at 16:02 -0600, Bill Thoen wrote:
> I'm working with a database and mapping server I recently set up with 
> Fedora Core 9, and it comes with SELinux set to "enforcing" mode by 
> default.  The concept sounds pretty good but as I am a relative beginner 
> to Linux system administration, I'm finding SELinux hard to understand 
> and manage.  My question to those more experienced is, is this ready for 
> prime time yet or is it still mostly experimental? Are there any dire 
> consequences if I just set it to permissive mode so I won't have to 
> spend all this time trying to figure how to write a security policy for 
> everything I do it doesn't like?

Well, that depends on what you are doing.  For database use, it should
be fine.  There are tools that will show you what errors have occurred
and where and give you an idea on how to resolve them.

Web servers are harder.  CGI code tends to do many complex things that
are hard to constrain.

Another pain is handling USB devices and other devices that can be
connected and disconnected.  Most work OK, but once in a while they are
a pain.

There are some good books on SELinux.  The O'Reilly book was pretty
good.  If you are going to maintain a Red Hat/Fedora system, you will
want to learn how it works.




