[sllug-members]: Fedora Core 5 help wanted
Stuart Jansen
sjansen at buscaluz.org
Wed Sep 27 08:54:39 MDT 2006
On Wed, 2006-09-27 at 08:28 -0600, Andrew Gilmore wrote:
> Of course, this "perfect setup" disables SELinux, which is not the
> method I would pick to come up with a secure server for a paranoid
> user. :(
Anyone who would dare title anything a "perfect setup" is obviously
going to be sloppy about details.
There is no reason a person should ever spend "a week of
trouble-shooting because some service wasn't working as expected, and
then you find out that everything was ok, only SELinux was causing the
problem".
Anyone who has bothered to spend an hour learning about SELinux should
know about the setenforce command. Anyone with experience
troubleshooting should be able to come up with a process similar to
this:
1) Test service, notice problem.
2) Check logs. (In most cases, avc denied messages in /var/log/messages
will make it clear that SELinux is causing a problem. Occasionally
stupid policy rules hide the errors.)
3) setenforce 0
4) Test service, notice problem goes away.
5) setenforce 1
6) Test service, notice problem returns.
7) Depending on level of experience with SELinux, evaluate options.
   a) Disable SELinux - only as a last resort
   b) Modify a policy boolean - the more correct choice
   c) Modify the policy - currently too difficult for most
There is no reason this process shouldn't happen within the first 15
minutes of troubleshooting, preferably sooner.
One of the big changes with FC6 will be better SELinux tools. Soon, even
creating custom policy will be something a normal admin will be capable
of.
--
Stuart Jansen e-mail/jabber: sjansen at buscaluz.org
google talk: stuart.jansen at gmail.com
"However beautiful the strategy, you should occasionally look at
the results." -- Winston Churchill
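The troubleshooting loop from the message above, as an added shell example that is not part of the original post: it summarises AVC denials from a log (step 2), toggles enforcement around a caller-supplied service test (steps 3 to 6) and turns the two results into a verdict for step 7. It assumes the FC5-era kernel AVC line format in /var/log/messages and root privileges when setenforce is actually called.

```shell
#!/bin/sh
# Added example (not from the original post): the poster's SELinux
# troubleshooting loop as shell functions. Assumes the FC5-era kernel
# AVC format on stdin and root privileges for setenforce.

# Step 2: summarise AVC denials read on stdin, one line per denial.
# An empty result does not clear SELinux: dontaudit rules can hide
# denials, which is why steps 3-6 toggle enforcement rather than
# trusting the log alone.
avc_denials() {
    sed -n 's/.*avc:  denied  { \([^}]*\) } for .*comm="\([^"]*\)".*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 denied \1 on \5 (\3 -> \4)/p'
}

# Constructed sample log lines (not real output) for trying avc_denials.
sample_log() {
    cat <<'EOF'
Sep 27 08:30:01 fc5 sshd[2101]: Accepted publickey for admin from 10.0.0.5
Sep 27 08:30:04 fc5 kernel: audit(1159367404.512:77): avc:  denied  { getattr } for  pid=2231 comm="httpd" name="index.html" dev=hda2 ino=8832 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Sep 27 08:30:04 fc5 kernel: audit(1159367404.519:78): avc:  denied  { name_bind } for  pid=2240 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
EOF
}

# Step 7 input: interpret the exit codes of the service test run in
# permissive (setenforce 0) and enforcing (setenforce 1) mode.
selinux_verdict() {
    if [ "$1" -eq 0 ] && [ "$2" -ne 0 ]; then
        echo selinux       # passes only when permissive: policy is the blocker
    elif [ "$1" -ne 0 ]; then
        echo not-selinux   # fails even when permissive: look elsewhere
    else
        echo works         # no fault reproduced in either mode
    fi
}

# Steps 3-6: run the test command "$1" with enforcement off, then on
# again, and print the verdict. Enforcement is restored by the trap
# even if the test command is interrupted.
selinux_bisect() {
    [ "$(id -u)" -eq 0 ] || { echo "must be root to setenforce" >&2; return 2; }
    trap 'setenforce 1' EXIT INT TERM
    setenforce 0 || return 2
    sh -c "$1"; permissive=$?
    setenforce 1 || return 2
    sh -c "$1"; enforcing=$?
    trap - EXIT INT TERM
    selinux_verdict "$permissive" "$enforcing"
}
```

A real run is `avc_denials < /var/log/messages` followed by, as root, `selinux_bisect 'curl -sf http://localhost:8090/ >/dev/null'` with whatever test command reproduces the fault.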