On 2013-11-07, at 16:28, Paul Robert Marino <[log in to unmask]> wrote:

> There is not any good reason I've heard of not to run selinux in at
> least permissive mode.

There once was a case of selinux in permissive mode opening a serious
security hole. It was a violation of the design, because a normal check
was replaced by the selinux one rather than augmented, and I hope it was
the only one. But it was a real threat to systems running in permissive mode.

And it doesn't help performance.

Permissive mode is great for turning it on briefly to verify that a problem
actually is selinux related at all. But that's all I'd use it for.

> There are plenty of applications that are not selinux aware yet but
> running it in permissive mode doesn't do them any harm and can assist
> you with writing them if you have auditd running.
> I run selinux in enforcing mode everywhere I can and in permissive
> mode where I can't.
> Furthermore, I require any edge facing Linux nodes in my environment
> to run it in enforcing mode regardless of the app.
> At one time selinux was a daunting thing but now there have been a
> large number of tools written for it which are fairly easy to learn
> once you spend a few hours playing with them.

-- 
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
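The workflow both posters describe (switch to permissive briefly, reproduce, switch back, then read the AVC records auditd wrote) as an added example that is not part of this thread. The audit lines, the `httpd` program and the helper names are constructed for the example; the `permissive=` field in an AVC record tells you whether the access was actually blocked (enforcing) or only logged (permissive), which is the distinction Stephan's warning about permissive mode turns on.

```bash
#!/bin/sh
# Constructed AVC records in the format auditd writes to /var/log/audit/audit.log.
# The first denial was enforced (permissive=0); the second was only logged (permissive=1).
SAMPLE_AUDIT='type=AVC msg=audit(1383840000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1383840010.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1383840010.456:457): arch=c000003e syscall=42 success=yes exit=0'

# Print one line per AVC denial: program, permission, target class, and whether
# SELinux really blocked the access (permissive=0) or only logged it (permissive=1).
avc_summary() {
    printf '%s\n' "$1" | awk '/^type=AVC .* denied /{
        comm=""; perm=""; tclass=""; mode="";
        if (match($0, /comm="[^"]*"/))   comm=substr($0, RSTART+6, RLENGTH-7);
        if (match($0, /[{][^}]*[}]/))    { perm=substr($0, RSTART+1, RLENGTH-2); gsub(/^ +| +$/, "", perm) }
        if (match($0, /tclass=[^ ]*/))   tclass=substr($0, RSTART+7, RLENGTH-7);
        if (match($0, /permissive=[01]/)) mode=substr($0, RSTART+11, 1);
        printf "%s %s %s %s\n", comm, perm, tclass, (mode=="1" ? "logged-only" : "blocked");
    }'
}

# Exit 0 if the records contain any AVC denial for the given program name,
# i.e. the failure being debugged is SELinux-related; exit 1 otherwise.
is_selinux_related() {
    avc_summary "$2" | awk -v c="$1" '$1==c {found=1} END {exit !found}'
}

# The brief-permissive triage itself (needs root and a real SELinux host; not run here):
# remember the current mode, reproduce the problem in permissive mode, restore the
# old mode immediately, then summarise what auditd recorded while it was permissive.
triage_in_permissive() {
    old_mode=$(getenforce)
    setenforce 0
    "$@"                                   # the command that was failing
    [ "$old_mode" = "Enforcing" ] && setenforce 1
    avc_summary "$(cat /var/log/audit/audit.log)"
}
```

Running `is_selinux_related httpd "$SAMPLE_AUDIT"` succeeds here, and the summary shows the second denial as `logged-only`, which is exactly the access that would have gone through unblocked on a host left in permissive mode.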