On 13. nov. 2013 20:26, John Musbach wrote:
> Maybe it's just me, but it seems like a serious failing of SELinux's
> efforts when most people I've encountered in the Linux world have the
> policy of just disabling SELinux in their images.

Not sure if this was intended as a fire torch or not, or if I'm just being a bit sensitive. But I can turn it around: IPv6 has been available for over a decade (if not longer). Is it a failure of IPv6 that so few enable IPv6 in their networked environments? Of course not. It's about convenience and resistance to changing your attitude to new technologies. But eventually you're forced to take the step.

And it's been a similar situation with iptables (and firewalling in Windows, for that matter). People were mostly ignorant of the concept of firewalling, until they realised they had to implement it to have a more secure environment. Is iptables (or firewalling) considered a failure today?

During EL6 installation, there is no way you can disable SELinux. It needs to be done explicitly afterwards. This is because SELinux is considered to work so well most users really don't need to think about it. Seriously.

SELinux has also been available since EL4 and Fedora Core 3. SELinux is celebrating 10 years these days. It's not something brand new, but it is beginning to really gain traction. These days even SEAndroid is on the way (that is SELinux for Android). SELinux has developed a lot, and is far more easily available and usable today than it was 10 years ago. Please don't be afraid of it!

To all of you SELinux sceptics, I have only this to say: If you first grasp the concept of labelling, SELinux isn't much more difficult than what iptables used to be in the beginning. And that article from Dan Walsh gives a very easy to understand introduction to SELinux.

And seriously, unless you really have a really odd setup, SELinux will not give you any troubles in EL6. I have set up roughly 20 different SL6.x servers in the last few years. I can't remember having had any real issues related to SELinux. This has been everything from LDAP servers, web servers (apache and nginx), e-mail servers (both postfix+amavis+spamassassin and Zimbra), database servers (both PostgreSQL and MySQL). I honestly can't remember having had much trouble with SELinux at all.

If SELinux did kick in, it was usually just to flip some SELinux booleans (semanage boolean --list), modifying some network ports context (semanage port --list) or adding some extra paths for correct file labelling (semanage fcontext --list). Changing those things is really not more difficult than adding additional iptables rules. And to figure out if it is SELinux to blame:

grep denied /var/log/audit/audit.log

Really, stop disabling it! Try it for real and embrace SELinux now!

kind regards,

David Sommerseth

> On Nov 13, 2013, at 2:17 PM, David Sommerseth <[log in to unmask]> wrote:
>
>> Hi all,
>>
>> As there has been a couple of SELinux discussions lately, I thought this
>> article could help explain better what SELinux is all about and why it's
>> such a great tool.
>>
>> It's written by one of the core SELinux guys in Red Hat, Daniel Walsh
>> and illustrations by one of Fedora's UX designers, Máirín Duffy.
>>
>> "Your visual how-to guide for SELinux policy enforcement"
>> <http://opensource.com/business/13/11/selinux-policy-guide>
>>
>> Hope you'll enjoy the reading :)
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>>
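The triage workflow the mail describes (grep the audit log for denials, then decide whether a boolean, a port label or a file context is the thing to adjust) as an added worked example. This is not code from the thread or from any SELinux project; the audit records are constructed for the example (PIDs, inodes, ports and timestamps are illustrative), and the mapping from denial class to "boolean / port / fcontext" is a rule of thumb for the common cases, not a policy analysis.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): triage SELinux AVC denials
# starting from "grep denied /var/log/audit/audit.log" as the mail suggests.
# The audit records below are constructed for this example; PIDs, inode
# numbers, timestamps and ports are illustrative, not from a real system.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1384370000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1384370000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1384370010.789:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1384370020.456:458): avc:  denied  { name_bind } for  pid=2222 comm="nginx" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
EOF

# Count AVC denial records in a log file (what "grep denied audit.log" finds,
# minus the SYSCALL records that share an event id but carry no "denied").
count_denials() {
    grep -c 'avc:  denied' "$1"
}

# Reduce each AVC record to: comm source_type permission target_type tclass.
# Only the type field of each context is kept; user/role/level are dropped.
summarize_denials() {
    grep 'avc:  denied' "$1" | sed -E \
        's/.*denied  [{] ([^}]*) [}].*comm="([^"]*)".*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([a-z_]*).*/\2 \3 \1 \4 \5/'
}

# Map one summarized denial to the semanage area the mail points at.
# Rule of thumb for the common cases only (assumption of this example).
# args: comm source_type permission target_type tclass
suggest_area() {
    stype=$2; perm=$3; ttype=$4; tclass=$5
    case "$tclass" in
        tcp_socket|udp_socket)
            case "$perm" in
                name_bind)
                    echo "port: semanage port --list (is $ttype the intended label for this port?)" ;;
                name_connect)
                    echo "boolean: semanage boolean --list (outbound access for $stype is usually a boolean)" ;;
                *)
                    echo "boolean: semanage boolean --list" ;;
            esac ;;
        file|dir|lnk_file)
            echo "fcontext: semanage fcontext --list, then restorecon on the path ($stype may not $perm $ttype)" ;;
        *)
            echo "other: not one of the three common fixes; read the full AVC record" ;;
    esac
}

# One triage line per denial: who was denied what, and where to look first.
report_denials() {
    summarize_denials "$1" | while read -r comm stype perm ttype tclass; do
        printf '%s (%s) denied %s on %s [%s] -> %s\n' \
            "$comm" "$stype" "$perm" "$ttype" "$tclass" \
            "$(suggest_area "$comm" "$stype" "$perm" "$ttype" "$tclass")"
    done
}

# Stand-alone run against the constructed sample.
report_denials "$SAMPLE_LOG"
```

Point the functions at a real `/var/log/audit/audit.log` to get the same per-denial summary; the suggestion column is only a starting point, and the boolean, port or file context you end up changing still has to be checked against the three `semanage ... --list` outputs the mail names.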