[sllug-members]: Fedora Core 5 help wanted

Lamont R. Peterson lamont at gurulabs.com
Wed Sep 27 23:21:14 MDT 2006


On Wednesday 27 September 2006 08:54am, Stuart Jansen wrote:
> On Wed, 2006-09-27 at 08:28 -0600, Andrew Gilmore wrote:
> > Of course, this "perfect setup" disables SELinux, which is not the
> > method I would pick to come up with a secure server for a paranoid
> > user. :(
>
> Anyone who would dare title anything a "perfect setup" is obviously
> going to be sloppy about details.
>
> There is no reason a person should ever spend "a week of
> trouble-shooting because some service wasn't working as expected, and
> then you find out that everything was ok, only SELinux was causing the
> problem".
>
> Anyone who has bothered to spend an hour learning about SELinux should
> know about the setenforce command. Anyone with experience
> troubleshooting should be able to come up with a process similar to
> this:
>
> 1) Test service, notice problem.
> 2) Check logs. (In most cases, avc denied messages in /var/log/messages
> will make it clear that SELinux is causing a problem. Occasionally
> stupid policy rules hide the errors.)
> 3) setenforce 0
> 4) Test service, notice problem goes away.
> 5) setenforce 1
> 6) Test service, notice problem returns.
> 7) Depending on level of experience with SELinux, evaluate options.

You forgot "fix the labels on files", which is the cause of more than 99% of 
the SELinux blamed problems that I see.

>   a) Disable SELinux - only as a last resort
>   b) Modify a policy boolean - the more correct choice
>   c) Modify the policy - currently too difficult for most
>
> There is no reason this process shouldn't happen within the first 15
> minutes of troubleshooting, preferably sooner.
>
> One of the big changes with FC6 will be better SELinux tools. Soon, even
> creating custom policy will be something a normal admin will be capable
> of.
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]

NOTE:  All messages from this email address should be digitally signed with my
       0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as
       well as other keyservers that sync with MIT's.
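As an added example (not from the thread): step 2 of the quoted procedure says the "avc: denied" lines in /var/log/messages usually make it obvious that SELinux is the cause, and Lamont adds that mislabelled files account for most of those cases. The script below pulls the denial lines out of a constructed sample log, summarises each one (process, permission, source type, target type, object class) and attaches a hint; the hint column and the sample log are assumptions of this example, not something the thread or Fedora ships.

```shell
#!/bin/sh
# Added example, not code from the thread. Extracts "avc:  denied" lines in
# the /var/log/messages style of FC5 and prints one summary per denial, so
# the setenforce 0 / setenforce 1 round-trip from the procedure above can be
# skipped when the log already shows what SELinux blocked.
# SAMPLE_LOG is a constructed sample, not real system output.

SAMPLE_LOG='Sep 27 08:00:01 host kernel: audit(1159365601.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda2 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Sep 27 08:00:02 host kernel: audit(1159365602.456:46): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
Sep 27 08:00:03 host sshd[999]: Accepted publickey for bob from 10.0.0.5'

# summarize_avc LOGTEXT
# One line per denial: COMM PERMISSION SOURCE_TYPE TARGET_TYPE CLASS HINT
# HINT is a heuristic assumed by this example: denials on file-like classes
# usually point at file labels (ls -Z / restorecon), denials on sockets and
# ports are often covered by a policy boolean (getsebool).
summarize_avc() {
    printf '%s\n' "$1" | awk '
        /avc:  denied/ {
            perm = $0
            sub(/.*denied  [{] */, "", perm); sub(/ *[}].*/, "", perm)
            comm = st = tt = cls = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm="|"$/, "", comm) }
                if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
                if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (cls ~ /^(file|dir|lnk_file|sock_file|fifo_file)$/)
                hint = "check-labels(ls -Z/restorecon)"
            else
                hint = "check-booleans(getsebool)"
            print comm, perm, st, tt, cls, hint
        }'
}

# count_avc LOGTEXT : number of denials found (0 means SELinux is not the cause)
count_avc() {
    summarize_avc "$1" | grep -c .
}

summarize_avc "$SAMPLE_LOG"
```

Run it against real output with `summarize_avc "$(grep 'avc:  denied' /var/log/messages)"`; a count of zero while the service still misbehaves is the signal to look elsewhere before touching setenforce.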