SCIENTIFIC-LINUX-USERS Archives

July 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Stephen John Smoogen <[log in to unmask]>
Reply To: Stephen John Smoogen <[log in to unmask]>
Date: Tue, 24 Jul 2007 12:59:07 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (48 lines)

On 7/23/07, Zhi-Wei Lu <[log in to unmask]> wrote:
> Hi,
>
> Being security conscious or scared, I have been trying to enable
> SELinux on most of my SL4/SL5 systems.  However, almost every time
> something supposed to work doesn't, it can be attributed to an
> SELinux problem. Here are a few examples:
>
> lvm display commands fail to give any information if you rlogin
> (kerberos) into the system.
> Kerberos rlogin (eklogin) fails because of a mislabel of /var/tmp/
> host_0
> ...
>
> Many times, one does not think that it is an SELinux related issue
> and wastes a lot of energy trying to debug the problem. I am just
> wondering how people are coping with SELinux: love it, hate it,
> disable it, disable some transactions.  I would really like to hear
> the words of wisdom on this topic.
>

While I have dealt with a couple of mislabels and such during the 4.0,
I have found that most of the time it has stopped something from going
on that wasn't thought about. One system had a lot of problems because
/etc/services was mislabeled. Why was it mislabeled? Because someone
had installed some software that overlaid /etc/services with its own
file. Did we know about it? No, not until services broke.

We have had a couple of webservices not working. Why? Because the
cgi-bin binary only worked with it being setuid root. Turning off
SELinux ended up with our /etc/passwd file corrupted because it
somehow decided it needed to edit it.

In a lot of cases, AppArmor/SELinux will stop things from working...
and in a lot of those it's because of poor sysadmin behaviour that
would have caught up with you later, broken apps that are doing
something that you are not aware of, or similar issues. One thing I
have found was that my servers that do not have SELinux enabled on
them due to *cough*oracle*cough* are a lot less stable than the ones
that I have it on. I end up tearing my hair out at times... but it's
usually figuring out why some software does something that no-one
would believe software would need to do.

-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
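Both posts above turn on the same first step: before assuming a failure is a bug, read the AVC denials the kernel logged and see whether the failing command is in them, and which label it tripped over (the mislabelled /var/tmp/host_0 and /etc/services cases would both show up as denials against a file whose type does not match what the policy expects). The following is an added triage helper, not code from this thread or from the Scientific Linux project; it assumes the usual auditd `type=AVC ... avc: denied { perms } for ... scontext=... tcontext=... tclass=...` line format, and the log lines, process names and labels in the sample are constructed for illustration.

```python
"""Pull SELinux AVC denials out of audit log lines and summarise them for triage.

Added example for the SL-users thread on SELinux mislabels. The audit lines,
process names and contexts below are constructed; only the line format is the
standard auditd/AVC one.
"""
import re
from collections import Counter

# Constructed sample of /var/log/audit/audit.log content (SL4-style contexts, no MLS field).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1185300101.123:4401): avc:  denied  { read } for  pid=2831 comm="lvm" name="host_0" dev=sda3 ino=130056 scontext=user_u:system_r:lvm_t tcontext=system_u:object_r:tmp_t tclass=file
type=SYSCALL msg=audit(1185300101.123:4401): arch=c000003e syscall=2 success=no exit=-13 comm="lvm"
type=AVC msg=audit(1185300140.555:4410): avc:  denied  { getattr } for  pid=2902 comm="klogind" path="/var/tmp/host_0" dev=sda3 ino=130056 scontext=system_u:system_r:remote_login_t tcontext=system_u:object_r:tmp_t tclass=file
type=AVC msg=audit(1185300201.010:4422): avc:  denied  { read } for  pid=3012 comm="httpd" name="services" dev=sda1 ino=2222 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
"""

# Header of an AVC record: timestamp, serial, decision and the permission set in braces.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="lvm") or bare (dev=sda3).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def avc_records(text):
    """All AVC records in a block of audit log text, in order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def type_of(context):
    """The type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def denials_for(text, comm):
    """Denials logged for one command name: the quick 'is this SELinux?' check."""
    return [r for r in avc_records(text)
            if r["decision"] == "denied" and r.get("comm") == comm]


def summarize(text):
    """Count denials by (command, target type, object class, permission)."""
    counts = Counter()
    for r in avc_records(text):
        if r["decision"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r.get("comm", "?"), type_of(r.get("tcontext", "?")),
                    r.get("tclass", "?"), perm)] += 1
    return counts


def mislabel_hint(rec):
    """One-line description of what the denied process hit and how that object is labelled,
    which is what you compare against the label the policy expects for that path."""
    target = rec.get("path") or rec.get("name") or "?"
    return "%s (%s) denied %s on %s labelled %s (class %s)" % (
        rec.get("comm", "?"), type_of(rec.get("scontext", "?")), " ".join(rec["perms"]),
        target, type_of(rec.get("tcontext", "?")), rec.get("tclass", "?"))


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print("%3d  comm=%s target_type=%s class=%s perm=%s" % ((n,) + key))
    for rec in denials_for(SAMPLE_AUDIT_LOG, "klogind"):
        print(mislabel_hint(rec))
```

Run it against your own audit.log text instead of the sample to get the per-command denial counts; when the target type in a hint is not the type the policy assigns to that path (which `matchpathcon` or `restorecon -n -v` on the path will tell you on a live system), the object is mislabelled rather than the policy being too strict, and relabelling is the fix rather than disabling enforcement.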
