I disagree with you.
I have to deal with 3rd-party applications created by vendors who refuse to support selinux at this time.
To be clear, I do not approve of what these vendors are saying; I just don't have a choice in the matter. We are paying for support contracts which are void if we run Linux in enforcing mode. With most of them I have, after long conversations, convinced their development and support teams to allow me to run it in permissive mode, because in some cases I've convinced them that they will need to support it in enforcing mode eventually, and others I've bullied into agreeing to it in writing.

By having selinux in permissive mode on these nodes I can at least have my monitoring tools alert me of violations even if it doesn't stop them. In cases where there is a security incident, while prevention is preferred, the next best thing is notification in as near to real time as possible.



-- Sent from my HP Pre3


On Nov 7, 2013 11:00, Stephan Wiesand <[log in to unmask]> wrote:

On 2013-11-07, at 16:28, Paul Robert Marino <[log in to unmask]> wrote:

> There is not any good reason I've heard of not to run selinux in at
> least permissive mode.

There once was a case of selinux in permissive mode opening a serious
security hole. It was a violation of the design, because a normal check
was replaced by the selinux one rather than augmented, and I hope it was
the only one. But it was a real threat to systems running in permissive mode.

And it doesn't help performance.

Permissive mode is great for turning it on briefly to verify that a problem
actually is selinux related at all. But that's all I'd use it for.

> There are plenty of applications that are not selinux aware yet, but
> running it in permissive mode doesn't do them any harm and can assist
> you with writing them if you have auditd running.
> I run selinux in enforcing mode everywhere I can and in permissive
> mode where I can't.
> Furthermore, I require any edge-facing Linux nodes in my environment
> to run it in enforcing mode regardless of the app.
> At one time selinux was a daunting thing, but now there have been a
> large number of tools written for it which are fairly easy to learn
> once you spend a few hours playing with them.

--
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
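Two points in the thread above lean on the same mechanism: Paul's note that with auditd running, permissive mode still lets monitoring alert on violations, and his remark that the audit records help when writing policy for applications that are not yet selinux aware. The following is an added example, not code from either poster: a small parser for the kernel's `type=AVC` audit records that separates denials logged under permissive mode (the kernel appends `permissive=1`, meaning the action actually went through) from denials that were enforced, and groups them by source domain, target class and permission the way a policy writer or an alerting rule would. The log lines embedded below are constructed for the example; `vendorapp` / `vendorapp_t` are hypothetical names, not any real product.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records in the kernel AVC audit format (not taken from any
# real host). Record 1 and 2 come from a permissive node (permissive=1): the
# write and the outbound connect both happened and were only logged. Record 4
# comes from an enforcing node (permissive=0): the read was actually refused.
# Record 3 is a SYSCALL record, which the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1383843621.101:4567): avc:  denied  { write } for  pid=1234 comm="httpd" name="data.db" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1383843622.202:4568): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1383843622.202:4568): arch=c000003e syscall=42 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1383843623.303:4569): avc:  denied  { read } for  pid=2222 comm="vendorapp" name="shadow" dev="dm-0" ino=777 scontext=system_u:system_r:vendorapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""


@dataclass(frozen=True)
class AvcDenial:
    timestamp: float
    serial: int
    perms: tuple        # e.g. ("write",) or ("read", "write")
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool    # True: only logged (permissive mode); False: blocked

    @property
    def source_type(self) -> str:
        # Contexts are user:role:type:level; the domain (type) is field 3.
        return self.scontext.split(":")[2]


AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_lines(text: str) -> list:
    """Return one AvcDenial per 'denied' AVC record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(AvcDenial(
            timestamp=float(m.group("ts")),
            serial=int(m.group("serial")),
            perms=tuple(m.group("perms").split()),
            comm=fields.get("comm", "?"),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            # Older kernels omit the field entirely; treat that as enforced.
            permissive=fields.get("permissive", "0") == "1",
        ))
    return denials


def triage(denials):
    """Group denials by (source domain, target class, permissions) and count how
    many slipped through because the node was permissive."""
    by_rule = Counter()
    unblocked = 0
    for d in denials:
        by_rule[(d.source_type, d.tclass, " ".join(d.perms))] += 1
        if d.permissive:
            unblocked += 1
    return by_rule, unblocked


def alert_lines(denials):
    """One monitoring-style line per denial, flagging the permissive-mode ones
    (the action succeeded; the node only recorded it)."""
    out = []
    for d in denials:
        state = "ALLOWED-BY-PERMISSIVE" if d.permissive else "BLOCKED"
        target = d.tcontext.split(":")[2]
        out.append(f"{state} {d.comm} ({d.source_type}) {' '.join(d.perms)} on "
                   f"{d.tclass} labelled {target} [audit serial {d.serial}]")
    return out


if __name__ == "__main__":
    found = parse_avc_lines(SAMPLE_AUDIT_LOG)
    rules, unblocked = triage(found)
    for line in alert_lines(found):
        print(line)
    print(f"{unblocked} of {len(found)} denials went through unblocked (permissive mode)")
    for (dom, cls, perm), n in rules.items():
        print(f"  {n}x  {dom} -> {cls} {{ {perm} }}")
```

On a live system the same records come from `/var/log/audit/audit.log` or from `ausearch -m AVC --raw`, so the parser can be fed real output in place of the constructed sample. The grouping key mirrors what a policy rule needs (domain, class, permission), which is why the same digest serves both the alerting use Paul describes and the policy-writing one.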