SCIENTIFIC-LINUX-DEVEL Archives

November 2013

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

From: Stephan Wiesand <[log in to unmask]>
Date: Thu, 7 Nov 2013 16:58:57 +0100
On 2013-11-07, at 16:28, Paul Robert Marino <[log in to unmask]> wrote:

> There is not any good reason I've heard of not to run selinux in at
> least permissive mode.

There once was a case of selinux in permissive mode opening a serious
security hole. It was a violation of the design, because a normal check
was replaced by the selinux one rather than augmented, and I hope it was
the only one. But it was a real threat to systems running in permissive mode.

And it doesn't help performance.

Permissive mode is great for turning it on briefly to verify that a problem
actually is selinux related at all. But that's all I'd use it for.

> There are plenty of applications that are not selinux aware yet, but
> running it in permissive mode doesn't do them any harm and can assist
> you with writing them if you have auditd running.
> I run selinux in enforcing mode everywhere I can and in permissive
> mode where I can't.
> Furthermore, I require any edge facing Linux nodes in my environment
> to run it in enforcing mode regardless of the app.
> At one time selinux was a daunting thing, but now there have been a
> large number of tools written for it which are fairly easy to learn
> once you spend a few hours playing with them.

-- 
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
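A worked version of the diagnostic use of permissive mode described in this message, added here as an example (not code from the thread or from the Scientific Linux project): it assumes a Red Hat-style host with getenforce, setenforce and ausearch for the live check, and the AVC summary part runs over constructed sample audit records so it can be tried anywhere.

```shell
# Added example, not from the thread. The live check assumes getenforce, setenforce
# and ausearch on a Red Hat-style host (root needed); the summary runs anywhere.

# Summarise AVC denials read on stdin: "count scontext -> tcontext tclass perms".
summarize_avc() {
    awk '
        /type=AVC/ && /denied/ {
            sc = ""; tc = ""; cls = ""; perm = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) sc  = substr($i, 10)
                if ($i ~ /^tcontext=/) tc  = substr($i, 10)
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
                if ($i == "{") {               # permissions sit between { and }
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = (perm == "" ? $j : perm "," $j)
                }
            }
            n[sc " -> " tc " " cls " " perm]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Briefly drop to permissive, re-run the failing command, restore enforcing,
# and report whether denials were logged for it (auditd must be running;
# dontaudit rules can hide some denials, see "semodule -DB").
# Returns 0 if SELinux is involved, 1 if not, 2 if the check could not run.
selinux_related() {
    mode=$(getenforce 2>/dev/null) || return 2
    [ "$mode" = "Enforcing" ] || { echo "not enforcing (mode: $mode)" >&2; return 2; }
    setenforce 0 || return 2
    if "$@"; then rc=0; else rc=$?; fi
    setenforce 1                      # never leave the host permissive
    denials=$(ausearch -m avc -ts recent 2>/dev/null | summarize_avc)
    if [ -n "$denials" ]; then
        echo "command exited $rc; AVC denials while permissive:"; echo "$denials"
        return 0
    fi
    echo "command exited $rc; no AVC denials, problem is not SELinux"
    return 1
}

# Constructed sample audit records (not from any real host) for the summary.
SAMPLE_AVC='type=AVC msg=audit(1383839937.123:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1383839937.456:102): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1383839938.789:103): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1383839938.789:103): arch=c000003e syscall=42 success=yes exit=0'
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Call selinux_related with the failing command and its arguments as the function's arguments; the summary it prints is the same grouping a policy-writing tool starts from.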
