On Wed, 2005-04-27 at 16:18 -0400, Erik Hemdal wrote:
>> SELinux update - Significant number of additional daemons
>> will be protected by SELinux in Fedora Core 4
>
> Lukewarm. Some of my students have had significant problems with SELinux,
> and the advice they have received is generally along the lines of "Oh yeah,
> it doesn't work right on Fedora, so just turn it off."

Ouch!

Since you have students involved, I'll risk the off-topic reply. :)

As with any new security paradigm, existing applications are likely to
have a few stumbling spots.

The targeted policy for Fedora Core 4 works _extremely_ well. The
updates for FC4 resolve many of the problems people had in FC3. The
policy patching community has increased a lot since inclusion in Fedora
Core.

Usually a person is having a single problem with SELinux, such as a
legacy CGI application getting AVC errors.

The solution, aside from writing a few pieces of policy to fix it[1], is
to disable SELinux for the daemon, i.e., Apache.[2]

Unfortunately, too many people are told to entirely disable SELinux.
This reminds me of people being told to turn off ipchains or iptables if
they couldn't get a working firewall rule for their application.

I don't think SELinux is going away anytime soon, so we might as well
get familiar with it.

cheers - Karsten

[1] To quote myself on writing small policy pieces:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide...
[2] Changing a Boolean setting to disable protection for a daemon:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide...
--
Karsten Wade, RHCE * Sr. Tech Writer *
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
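
As an added example that is not part of the original post: a small Python sketch of the triage the message argues for, showing which domains a set of AVC denials actually comes from and how few rules they reduce to. The log lines are constructed samples, the function names are hypothetical, and the rule rendering is a simplified version of what the `audit2allow` tool automates.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post), in the
# key=value layout of kernel AVC messages with user:role:type contexts.
SAMPLE_LOG = """\
audit(1114633080.101:0): avc:  denied  { read } for  pid=2201 exe=/usr/bin/perl name=guestbook.dat dev=hda2 ino=4411 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=file
audit(1114633080.105:0): avc:  denied  { write } for  pid=2201 exe=/usr/bin/perl name=guestbook.dat dev=hda2 ino=4411 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=file
audit(1114633091.530:0): avc:  denied  { getattr } for  pid=2187 exe=/usr/sbin/httpd path=/srv/legacy dev=hda2 ino=5120 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1114633092.002:0): avc:  denied  { read } for  pid=2201 exe=/usr/bin/perl name=guestbook.dat dev=hda2 ino=4411 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=file
Apr 27 16:18:12 host sshd[901]: Accepted publickey for student from 192.0.2.10
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third colon-separated part) of a context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # skip non-AVC lines and anything that is not a denial
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def affected_domains(denials):
    """Source domains that were denied: the real scope of the problem."""
    return sorted({src for src, _, _ in denials})

def candidate_rules(denials):
    """Render each distinct denial as an allow rule for human review."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denials.items())
    ]

if __name__ == "__main__":
    found = collect_denials(SAMPLE_LOG)
    print("affected domains:", ", ".join(affected_domains(found)))
    print("\n".join(candidate_rules(found)))
```

Four denials here collapse to two rules in the web server's domains, which is the kind of evidence that supports a per-daemon change or a small policy addition over turning SELinux off; each generated rule still needs to be read and judged before it goes into policy.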