selinux is a pain

birger birger at birger.sh
Tue Sep 20 12:16:14 UTC 2011


Quoting Martín Marqués <martin.marques at gmail.com>:

> I reinstalled (better hardware) a server and had selinux enabled (was
> disabled before), and I am starting to see why so many people don't use
> selinux.
> 
> My question is, how many people are using selinux?
> 
> I, for instance, am about to disable it.

It depends a bit. It usually bites if you try to combine web services and
other services that need to share a directory.

For my home systems, I always keep it on. I have to learn to live with it,
as it definitely hardens the operating system. Why not force myself to learn
it? I almost never have to touch it. Sometimes I step around selinux
problems in messy ways (use a big enough hammer).

For servers on protected internal networks at work, I leave it on except on
servers where it tends to create problems and people other than me need to
understand what is going on. On servers where I turn it off, I often keep it
in permissive mode so I can read the logs if I need to.

For servers in DMZ zones I keep it on, and I try to find clean and correct
solutions to any problems instead of the sledgehammer approach at home. :-)


-- 
birger

