2012-02-17 | from the easier-troubleshooting dept.
Has SELinux got you down by blocking your apps or causing general havoc? Instead of disabling it, discover how to use the SELinux Alert Browser to solve those problems.
If you're using a Linux distribution that takes advantage of SELinux, such as CentOS, Red Hat, Fedora, or SUSE, you know it can be a blessing and a curse. While SELinux is an incredibly powerful tool that goes a very long way to keep your Linux-powered machines secure, it can be a nightmare to configure. Fortunately, there is a tool called SELinux Alert Browser that can ease those troubles.
With SELinux Alert Browser, you can get quick solutions when SELinux is causing you issues. In fact, you'd be hard-pressed to find an easier route to solving your SELinux-based headaches.
[...] The Troubleshoot button will reveal possible actions you can take to resolve your issue. In some cases sealert will instruct you how to have SELinux stop auditing the issue; in other cases sealert will show how to generate a new policy module that allows an object (such as xenconsoled) access to a resource.
When SELinux Alert Browser makes suggestions, they will be in the form of commands you can run to solve the problem. If you agree with the suggestion offered by sealert, go back to the Terminal window and issue the suggested command(s). Hopefully, your issue will be resolved. If you're unsure that access should be allowed, I highly recommend doing research before issuing the suggested command(s).
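As an added example (not code from the TechRepublic article, from sealert, or from the setroubleshoot project), the shell script below does the "research before issuing the suggested command" step the summary recommends: it parses AVC denial lines from the audit log, collapses repeated events into one line per distinct denial, and for each one says whether the usual fix is a relabel, a boolean or port mapping, or a custom module built with audit2allow. The audit lines in AVC_SAMPLE are constructed for this example, and the classification heuristic is the example's own, not sealert's.

```shell
#!/bin/sh
# Added example (not from the TechRepublic article or from sealert itself):
# triage AVC denials from the audit log before acting on a suggested fix.
# The audit lines in AVC_SAMPLE are CONSTRUCTED for this example.

AVC_SAMPLE='type=AVC msg=audit(1329436800.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1329436801.456:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="style.css" dev=sda1 ino=100 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1329436802.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: value of KEY=value in an audit line (quotes stripped, empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permissions inside "denied { ... }", comma separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p' | tr ' ' ','
}

# avc_type CONTEXT: the type field of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summarize_avcs: audit lines on stdin -> "count source_type target_type tclass perms",
# one line per distinct denial, so repeated events collapse into a count.
summarize_avcs() {
    while IFS= read -r line; do
        case "$line" in *avc:*denied*) ;; *) continue ;; esac
        printf '%s %s %s %s\n' \
            "$(avc_type "$(avc_field "$line" scontext)")" \
            "$(avc_type "$(avc_field "$line" tcontext)")" \
            "$(avc_field "$line" tclass)" \
            "$(avc_perms "$line")"
    done | sort | uniq -c | sed 's/^ *//'
}

# classify_avc SOURCE_TYPE TARGET_TYPE TCLASS -> label | port | module
# Heuristic (the example author's, not sealert's): a file denial on a generic
# or home-directory type usually means the file is mislabeled; a denial on a
# *_port_t type is usually covered by a boolean or a port mapping; only the
# remainder is a candidate for a custom module generated with audit2allow.
classify_avc() {
    case "$2" in
        default_t|unlabeled_t|user_home_t|admin_home_t)
            case "$3" in file|dir|lnk_file) echo label ;; *) echo module ;; esac ;;
        *_port_t) echo port ;;
        *) echo module ;;
    esac
}

# triage_report: audit lines on stdin -> each distinct denial with the check
# to run before accepting a suggestion that would simply allow it.
triage_report() {
    summarize_avcs | while read -r count src tgt cls perms; do
        kind=$(classify_avc "$src" "$tgt" "$cls")
        printf '%sx %s -> %s (%s: %s): ' "$count" "$src" "$tgt" "$cls" "$perms"
        case "$kind" in
            label)  echo "check the file label first: ls -Z <path>; restorecon -n -v <path> (dry run)" ;;
            port)   echo "check booleans and port labels: getsebool -a | grep ${src%_t}; semanage port -l" ;;
            module) echo "last resort: audit2allow -a -M local, then read local.te before semodule -i local.pp" ;;
        esac
    done
}

printf '%s\n' "$AVC_SAMPLE" | triage_report
```

On a live system the input would be `grep avc: /var/log/audit/audit.log | triage_report`; the point of the classification is that an allow rule generated straight from a mislabeled file or a missing boolean works, but leaves the policy wider than it needs to be.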
Any Soylentils ever get so fed up with SELinux that you just disabled it? Think this might have avoided that?
In short, Yes. (Score:2)
A few places I've worked have by default just disabled SELinux support outright, or at least kept it in bitch mode. There are a number of big name software vendors whose first installation step is "Disable SELinux". While in principle I really disagree with this, I tried to go rogue at work and say, "Well, at least I can try to run SELinux on my stuff." This turned out to be futile -- if your configuration varies at all from a vanilla install, or your distro doesn't happen to ship an SELinux module for whatever package you installed, you end up down the rabbit hole of audit -> new rule, audit -> new rule. There are situations where you need such a complex rule that you basically end up giving up, as the rules and syntax are really obtuse. Try building an SELinux module for the Shibboleth daemon and mod_shib for Apache - I did it, but I don't understand the ruleset at all -- which is a great way to leave yourself exposed with a false sense of security.
It's strange that the article lumps SUSE and Ubuntu into the SELinux camp, as that's historically been primarily an RH/Fedora/CentOS thing, while Ubuntu and SUSE have tended towards AppArmor. AppArmor, by contrast, has a sane way to audit and add rules, and even someone without a whole lot of AppArmor experience can grok a profile -- which is not the case for SELinux at all.
That said, this looks like it makes it marginally easier to get to the sealerts and build a ruleset, which is a good thing, but it's definitely the opinion of many that SELinux's ship sailed a few years ago.
