[wplug] Who benefits from SELinux?
Jonathan Billings
billings at negate.org
Wed Apr 11 22:04:24 EDT 2012
On Apr 10, 2012, at 7:45 PM, Drew from Zhrodague wrote:
> Indeed, I'm sure this helps for servers, but would not at all work for
> a developer's workstation, where they are writing and testing wacky
> software that may not have hooks for SELinux. =_)
>
> I also generally turn it off. In cloud environments, it is easier to
> delete the host and spin up a replacement.
If anything, you should at least be running it in Permissive mode. At least that way, when you've been compromised, you can use the audit logs to see how you were "owned". :)
In all seriousness, in Permissive mode, violations are still logged, and you can use those logs to identify files or executables that might be mislabeled, what SELinux booleans can be toggled, and even to create custom SELinux modules. If you want to be extra safe, you can run in enforcing mode, but run certain domains in permissive mode. Read the 'auditd', 'ausearch', 'audit2allow' and 'semanage' man pages.
--
Jonathan Billings <billings at negate.org>
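Added example, not code from the post or the wplug list: a small Python triage of constructed AVC records like the ones Permissive mode writes to audit.log, grouping denials the way audit2allow does and suggesting which of the three remedies named above (fix a label, toggle a boolean, build a custom module) to look at first. The sample records and the triage rule of thumb are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the post); permissive=1 marks an
# access SELinux logged but did not block, which is what Permissive mode gives you.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1334192664.123:4521): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev="dm-0" ino=131075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1334192665.456:4522): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/alice/www/index.html" dev="dm-0" ino=131075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1334192670.789:4530): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1334192670.789:4530): arch=c000003e syscall=42 success=yes exit=0
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """user:role:type[:level] -> type, the part policy rules key on."""
    return ctx.split(":")[2] if ctx.count(":") >= 2 else ctx

def parse_avc(line):
    """Interesting fields of one AVC denial record, or None for any other record."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {"perms": set(m.group("perms").split()),
            "stype": context_type(fields.get("scontext", "")),
            "ttype": context_type(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", "?"),
            "permissive": fields.get("permissive") == "1"}

def summarize(log_text):
    """Fold denials into (source type, target type, class) -> merged perms and count."""
    groups = defaultdict(lambda: {"count": 0, "perms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
            g["count"] += 1
            g["perms"] |= rec["perms"]
    return dict(groups)

def triage_hint(stype, ttype, tclass):
    """Assumed rule of thumb (not authoritative) mapping a denial onto the post's
    three remedies: fix a label, toggle a boolean, or build a custom module."""
    if tclass in ("file", "dir") and ttype.endswith(("_home_t", "tmp_t")):
        return "target looks mislabeled: check 'semanage fcontext -l' and restorecon"
    if tclass.endswith("_socket") and ttype.endswith("_port_t"):
        return "network access is often behind a boolean: check 'getsebool -a'"
    return "no obvious label/boolean fix: review, then consider audit2allow"
```

On a real host, feed it the output of `ausearch -m AVC` instead of the constructed sample.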