[PLUG] FC9 Is SELinux Ready Yet?

Ian Burrell ianburrell at gmail.com
Mon Jul 7 23:06:43 UTC 2008


On Sun, Jul 6, 2008 at 3:02 PM, Bill Thoen <bthoen at gisnet.com> wrote:
> I'm working with a database and mapping server I recently set up with
> Fedora Core 9, and it comes with SELinux set to "enforcing" mode by
> default.  The concept sounds pretty good but as I am a relative beginner
> to Linux system administration, I'm finding SELinux hard to understand
> and manage.  My question to those more experienced is, is this ready for
> prime time yet or is it still mostly experimental? Are there any dire
> consequences if I just set it to permissive mode so I won't have to
> spend all this time trying to figure out how to write a security policy
> for everything I do that it doesn't like?
>

I have found that the more stock the system, the easier SELinux is to
get working.  Third-party applications, especially services or
proprietary ones, that don't know about SELinux are a pain to get
working.  Complicated services, like web servers, where lots of files
need to be correctly labelled are annoying.  Red Hat has put lots
of effort into improving SELinux, so later releases of Fedora or RHEL
are better.

Permissive has two advantages over disabling SELinux completely.  One,
it keeps the audit logs so you can fix problems.  The setroubleshoot
tool helps make this easier.  Two, it keeps the filesystem labelled
correctly so that you can enable SELinux without relabelling the whole
filesystem.

 - Ian
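
The following is an added example, not part of the original message: a small parser that groups the AVC denials which permissive mode keeps writing to the audit log, by source type, target type and object class, so the recurring denials stand out. The log lines are constructed samples, and the function names (`parse_avc`, `summarize`) are hypothetical.

```python
import re

# Constructed sample of audit log lines as recorded in permissive mode
# (the access is allowed, but the denial is still logged).
SAMPLE_LOG = '''\
type=AVC msg=audit(1215471600.101:41): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1215471600.101:41): arch=40000003 syscall=5 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1215471600.102:42): avc:  denied  { getattr } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1215471660.300:57): avc:  denied  { read } for  pid=2346 comm="httpd" name="map.png" dev=sda1 ino=1202 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1215471700.010:63): avc:  denied  { name_bind } for  pid=3001 comm="postmaster" src=5433 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one AVC denial line; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {"perms": m.group("perms").split(), "comm": fields.get("comm", "?"),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]), "tclass": fields["tclass"]}

def summarize(lines):
    """Group denials by (source type, target type, class)."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "comms": set(), "count": 0})
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["count"] += 1
    return {k: {"perms": sorted(g["perms"]), "comms": sorted(g["comms"]),
                "count": g["count"]} for k, g in groups.items()}

if __name__ == "__main__":
    for key, g in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, g)
```

A group such as `httpd_t` reading `user_home_t` files usually points to mislabelled content rather than a missing policy rule, which is the labelling problem described above for web servers.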


