SELinux - is it worth it?

Kim Hawtin kim at hawtin.net.au
Wed Sep 10 16:15:11 CST 2014


On 10/09/14 09:40, Andrew Galdes wrote:
> I troubleshoot SELinux like this:
>
>  1. Turn SELinux on from the start. It's better to troubleshoot one
>     thing at a time rather than everything at once at the end.
yep

>  2. If something strange is happening (or not happening), turn SELinux
>     into Permissive mode and see if it still happens. This will tell you
>     if SELinux is involved.

in permissive it generates enormous logs of cruft you have to trawl 
through. eventually you find the files it "can't" write to or similar and

>  3. If SELinux is involved, change back to Enforcing mode and check logs
>     for both the application experiencing the issue and the SELinux
>     logs. You need a few extra packages for the SELinux tools available
>     via YUM (policycoreutils is one that I can remember right now).

rinse, lather, repeat; 2,3, for ages and ages until it works or you give 
up because $DEADLINES and turn it off and push it to production...

or move to a vm/chroot/jail/container model instead, with regular backups ;)

cheers,

Kim
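
Added example, not part of the original messages: the log-trawling step discussed in this thread, as a Python script that collapses repeated AVC denials into one row per distinct process, source type, target type, class and permission. The log lines are constructed samples in the audit.log AVC format, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records in the /var/log/audit/audit.log format.
SAMPLE_LOG = '''\
type=AVC msg=audit(1410331511.101:401): avc:  denied  { write } for  pid=2101 comm="httpd" name="uploads" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1410331511.101:401): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1410331512.220:402): avc:  denied  { write } for  pid=2101 comm="httpd" name="uploads" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1410331513.007:403): avc:  denied  { read write } for  pid=2101 comm="httpd" name="cache.db" dev="dm-0" ino=1402 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1410331514.450:404): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
'''

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    perms = PERMS_RE.search(line)
    if not perms:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {
        "comm": fields.get("comm", "?"),
        # A context is user:role:type[:level]; the type is what policy matches on.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": perms.group(1).split(),
        "object": fields.get("path") or fields.get("name") or fields.get("dest", "?"),
    }

def summarize(log_text):
    """Collapse repeated denials into (rule, count, objects), most frequent first."""
    seen = defaultdict(lambda: [0, set()])
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            key = (rec["comm"], rec["source"], rec["target"], rec["tclass"], perm)
            seen[key][0] += 1
            seen[key][1].add(rec["object"])
    return sorted(((k, n, sorted(objs)) for k, (n, objs) in seen.items()),
                  key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for (comm, src, tgt, cls, perm), n, objs in summarize(SAMPLE_LOG):
        print(f"{n:3d}x {comm}: {src} -> {tgt}:{cls} {{ {perm} }} on {', '.join(objs)}")
```

Each output row names one access the policy refused, so a long permissive-mode log reduces to a short list of labels or rules to review.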


