Feedback on Fedora Core 4 test 2 review
Karsten Wade
kwade at redhat.com
Wed Apr 27 21:45:12 UTC 2005
On Wed, 2005-04-27 at 16:18 -0400, Erik Hemdal wrote:
>
> > SELinux update - Significant number of additional daemons
> > will be protected by SELinux in Fedora Core 4
>
> Lukewarm. Some of my students have had significant problems with SELinux,
> and the advice they have received is generally along the lines of "Oh yeah,
> it doesn't work right on Fedora, so just turn it off."

Ouch!

Since you have students involved, I'll risk the off-topic reply. :)

As with any new security paradigm, existing applications are likely to
have a few stumbling spots.

The targeted policy for Fedora Core 4 works _extremely_ well. The
updates for FC4 resolve many of the problems people had in FC3. The
policy patching community has increased a lot since inclusion in Fedora
Core.

Usually a person is having a single problem with SELinux, such as a
legacy CGI application getting AVC errors.

The solution, aside from writing a few pieces of policy to fix it[1], is
to disable SELinux for the daemon, i.e., Apache.[2]

Unfortunately, too many people are told to entirely disable SELinux.
This reminds me of people being told to turn off ipchains or iptables if
they couldn't get a working firewall rule for their application.

I don't think SELinux is going away anytime soon, so we might as well
get familiar with it.

cheers - Karsten

[1] To quote myself on writing small policy pieces:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/selg-section-0120.html
[2] Changing a Boolean setting to disable protection for a daemon:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0068.html#RHLCOMMON-SECTION-0077
--
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/