[TriLUG] Thoughts on SELinux - PIA or a good thing?

David Brain dbrain at gmail.com
Sat Mar 20 10:01:21 EDT 2010


Hi,

Generally speaking we keep SELinux enabled (CentOS 5.3) on our
public-facing servers as I think it does provide that 2nd level of defense
against say a 0day in Apache httpd, without getting in the way of
day-to-day operations too much.  That being said if something isn't
working it does add that extra step of 'try it with SELinux off' to
troubleshooting, and I have had to create some custom policies to
handle some of our less standard bits of configuration - which isn't
actually all that hard to do.

David.


On Tue, Mar 16, 2010 at 9:25 PM, Ron Kelley <rkelleyrtp at gmail.com> wrote:
> Generally speaking, what do most people think about SELinux?  A colleague is reviewing some security auditing procedures that highly recommend using SELinux (he is running on CentOS 5.4 servers).  If they enable SELinux, they will have to do an entire regression test phase due to the potential effects of SELinux on their application (Ruby on Rails front-ended by Nginx).
>
>
> Normally, I disable SELinux and IPTables on my servers because they are all behind firewalls (and I only open the necessary ports).
>
>
> What do you guys think?
>
> -Ron
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ          : http://www.trilug.org/wiki/Frequently_Asked_Questions
>


