How best get rid of SELinux?
Beartooth
Beartooth at swva.net
Fri Sep 21 15:18:55 UTC 2007
On Fri, 21 Sep 2007 06:47:12 +0100, Andy Green wrote:
> Just to be clear, that is what "permissive" does... it lets you know
> what selinux wouldn't've let through, but lets it through anyway. So
> these error messages represent a passive opinion from selinux about what
> it didn't like (but did nothing to prevent). So selinux is only to
> blame for filling your logs, not any other badness while in permissive.
In other words, what it tells me in these messages is false?? And
the distractions it creates to draw attention to itself could be proxied
out, if I knew how??
The messages in the display when I click on that big yellow star
are all of the form "SELinux *has* blocked ..." or "... *has* denied ...
" or the like -- indicative mood.
> IMO it is better to make selinux happy, if possible without causing a
> heart attack, than to disable it.
Such has indeed been my practice heretofore -- and I'm getting
heartily sick of it.
> Why not start with
>
> # touch /.autorelabel
>
> and a reboot. This will make sure your files have the right selinux
> label, the cause of many problems.
Like Gene, I have done that, over and over; I haven't counted,
but it must be at *least* half a dozen times per machine.
It is usually anything but convenient to shut all the apps on all
the workspaces down, just because some nanny I don't need has yet another
hissy fit. And when I do do it, it takes forever and a month to reboot.
It may well be that NSA and those of you with big production
sites to administer do need all this. You certainly (and I hope to God
NSA, too, despite being a gummint bureaucracy) understand it far better.
To start with, surely, you can tell by looking what is serious
and what isn't -- i.e., what you can safely ignore till you get around to
it, if ever.
My half dozen little machines, all behind at least one router,
physically inaccessible to anyone but my wife and me, running every
*other* defense I can find and manage, and with nothing in the way of
wealth, power, or prominence to attract evildoers, ought to be a somewhat
different kettle of fish.
No doubt the crackers out there have bots sniffing at every
machine they can find in existence. But, unless I've completely
misunderstood everything I've read on news.grc.com over the years, if
such a bot suggests my little operation to its obnoxious owner, s/he will
realize at first glance that nothing here is worth the trouble it would
take to conquer, with or without SELinux even installed.
Suggestion: persuade the SELinux developers, if you can, to go
take lessons from the ZoneAlarm people, paying heavily enough to get
eager co-operation. ZA is by no means perfect -- it too can be obscure --
but on any scale of user-friendliness, it's orders of magnitude (plural!)
ahead of the SELinux messages.
--
Beartooth Staffwright, PhD, Neo-Redneck Linux Convert
Remember I know precious little of what I am talking about.
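The point Andy makes above, that in permissive mode SELinux logs what it would have denied but lets it through, is something you can check directly in /var/log/audit/audit.log rather than trusting the "has denied" wording of the desktop notifier. The script below is an added example, not code from this thread or from the SELinux project: it parses AVC records and sorts them into denials that really blocked something (permissive=0), denials that were only logged (permissive=1), and records with no permissive= field at all, which is how the audit lines of a 2007-era kernel like the one in this thread would look (the per-record permissive= flag is assumed here to be what newer kernels append; where it is absent you have to fall back on getenforce at the time the record was written). The sample audit lines are constructed for the example, and the describe() output only mirrors the shape of the allow rule audit2allow would propose, not a recommendation to apply it.

```python
"""Sort SELinux AVC denials into "really blocked" and "logged only" buckets.

Added example; the audit lines below are constructed, not taken from any
real host or from the original mailing-list post.
"""
import re
from typing import Optional

# Constructed sample of audit.log content. Serial 46 is an enforced denial,
# 45 and 47 were logged in permissive mode, 48 carries no permissive= field
# (older kernels did not emit it), and the SYSCALL line is noise to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1190387935.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1190387936.456:46): avc:  denied  { write } for  pid=2345 comm="httpd" name="error_log" dev=sda1 ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1190387936.456:46): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1 pid=2345 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1190387937.789:47): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1190387938.012:48): avc:  denied  { getattr } for  pid=2400 comm="ntpd" path="/etc/ntp.conf" dev=sda1 ino=4242 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>[0-9]+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either "quoted" or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit.log line. Returns None for anything that is not an AVC denial."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    flag = fields.get("permissive")
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # True: logged but allowed through. False: the access really failed.
        # None: no permissive= field on this kernel, so the log alone cannot say.
        "permissive": None if flag is None else flag == "1",
    }


def classify(log_text: str) -> dict:
    """Bucket every AVC record by whether the denial actually took effect."""
    buckets = {"enforced": [], "logged_only": [], "unknown": []}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["permissive"] is True:
            buckets["logged_only"].append(rec)
        elif rec["permissive"] is False:
            buckets["enforced"].append(rec)
        else:
            buckets["unknown"].append(rec)
    return buckets


def type_of(context: str) -> str:
    """user:role:type:level -> type, the component policy rules are written against."""
    return context.split(":")[2]


def describe(rec: dict) -> str:
    """Render the denial in allow-rule form (the same shape audit2allow prints).

    This is for reading, not for pasting into a module: a denial of httpd_t on
    user_home_t is usually fixed by relabelling or a boolean, not a new rule.
    """
    return "allow %s %s:%s { %s };" % (
        type_of(rec["scontext"]), type_of(rec["tcontext"]),
        rec["tclass"], " ".join(rec["perms"]),
    )


if __name__ == "__main__":
    buckets = classify(SAMPLE_AUDIT_LOG)
    for name in ("enforced", "logged_only", "unknown"):
        print("%s: %d" % (name, len(buckets[name])))
        for rec in buckets[name]:
            print("  serial=%d comm=%s  %s" % (rec["serial"], rec["comm"], describe(rec)))
```

Run against a real log with `classify(open("/var/log/audit/audit.log").read())`; on a host that is genuinely in permissive mode everything lands in logged_only, which is the concrete form of "SELinux is only to blame for filling your logs". Records in the unknown bucket mean the kernel did not record the mode, and the only way to know whether that access was blocked is what getenforce said at the time.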