On 2013-11-07, at 16:28, Paul Robert Marino wrote:

> There is not any good reason I've heard of not to run selinux in at
> least permissive mode.

There once was a case of selinux in permissive mode opening a serious security hole. It was a violation of the design, because a normal check was replaced by the selinux one rather than augmented, and I hope it was the only one. But it was a real threat to systems running in permissive mode.

And it doesn't help performance.

Permissive mode is great for turning it on briefly to verify that a problem actually is selinux related at all. But that's all I'd use it for.

> There are plenty of applications that are not selinux aware yet but
> running it in permissive mode doesn't do them any harm and can assist
> you with writing them if you have auditd running.
> I run selinux in enforcing mode everywhere I can and in permissive
> mode where I can't.
> Furthermore I require any edge facing Linux nodes in my environment
> to run it in enforcing mode regardless of the app.
> At one time selinux was a daunting thing but now there have been a
> large number of tools written for it which are fairly easy to learn
> once you spend a few hours playing with them.

--
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany