jaredsmith at jaredsmith.net
Tue Apr 9 13:40:32 MDT 2013
On Tue, Apr 9, 2013 at 1:34 PM, S. Dale Morrey <sdalemorrey at gmail.com> wrote:
> Ok this is probably just a rant from my own opinions and nothing more.
And this will be my reply, with my own opinions and nothing more.
> However if something is actively interfering with a well known service from
> doing its thing, and doing so silently, then it's worse than useless.
It's keeping a well-known service from listening on non-standard ports.
One of the things I *like* about SELinux is that it keeps Apache from
listening on port 22, or port 23, or port 53. (Or, port 8081, as you found
out.) If you've ever had a web server compromised, you'd understand why
this is a good idea.
In short, just turning it off is the easy way out. While you're at it,
turn off passwords and turn off the firewall on your system as well, because
they're just interfering with you doing your thing as well. Oh, and those
pesky seat belts -- they get in the way too.
If, on the other hand, you decide you want to learn a bit more about a very
good tool for helping keep your system secure, one of the best resources
for learning SELinux is a presentation done by Thomas Cameron from Red Hat,
which you can find here: http://www.youtube.com/watch?v=MxjenQ31b70
Trust me -- investing an hour in watching that video will save you
countless hours in the future, both in knowing your way around SELinux, and
having a more secure system. Is it a new tool to learn? Sure. Is it a bit
annoying until you learn your way around it? Absolutely. But could I in
good conscience tell you to just turn it off -- no, I can't. Friends don't
tell friends to turn off SELinux.
> I trust binaries that have been installed by RPM with a keycheck. I make
> the assumption that the software developers know more about what their
> software needs than I do and I trust the package maintainers to only sign
> off on stuff that won't break my system or steal my stuff. (I know big
> assumption and yes I know there have been repo compromises in the past)
> I'm frustrated and angry with SELinux, because I chased that bug for over
> 18 hours checking everything I could possibly think of before posting here
> in utter frustration.
> It seems to me to be the TSA of the Linux world.
> It doesn't seem to actually do anything useful and it only ever seems to be
> in the way.
> Admittedly my only interactions with it have been along the lines of "Well
> did you try to disable selinux and see if that solves your problem?".
> Before I ever intentionally let that thing run on a system I would like to
> see it at least start throwing up prompts (hey this app is about to do
> something .... allow or deny). Sure that wouldn't work in daemon mode,
> but at a minimum it should when I'm starting it from the command line.
> /end rant
> Thanks for letting me vent, I feel better now.
> On Tue, Apr 9, 2013 at 12:01 PM, Doran L. Barton <fozz at hypermoo.com>
> > On Tuesday, April 09, 2013 11:49:44 AM S. Dale Morrey wrote:
> > > Yep! That seems to have solved it. Thanks I would have never thought
> > > selinux. Is there anyway to completely stop/remove it on a permanent
> > > basis? That single program seems to be all but useless at doing
> > > other than getting in the way of legit apps.
> > Oh, on the contrary. SELinux is the biggest reason to use RHEL/CentOS if you
> > care about security. It does a remarkable job of limiting or containing
> > malicious threats. However, it does take some learning to master. I
> > recommend everyone who works with these OS distributions take the time to
> > become SELinux masters.
> > That being said, you can modify the SELinux defaults in
> > /etc/sysconfig/selinux.
> > While you can set SELINUX=disabled, I recommend you set it to permissive
> > instead if you just want it out of the way. It's much easier to go back to
> > using it down the road if you're using the "permissive" setting.
> > I know we had Stuart Jansen give a presentation at a PLUG meeting a few years
> > ago about SELinux and I recorded it. I thought it was online, but I guess not.
> > I'll see if I can dig it up and upload it to YouTube. It's still mostly relevant.
> > --
> > Doran L. Barton <fozz at hypermoo.com> - Linux, Perl, Web, good fun, and more!
> > "Wearing of this garment does not enable you to fly."
> > -- Seen on a child's superhero costume
> > /*
> > PLUG: http://plug.org, #utah on irc.freenode.net
> > Unsubscribe: http://plug.org/mailman/options/plug
> > Don't fear the penguin.
> > */
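On the two practical points in this thread (SELinux stopping Apache from binding port 8081, and preferring permissive over disabled), here is an added example that is not code posted by anyone on the list: it turns the `name_bind` denial that SELinux logs for such a bind into the targeted fix, labelling the port for the confined domain, rather than switching SELinux off. The AVC line is constructed (pid and audit serial are made up), the script assumes the standard audit.log AVC format, and it only knows the httpd_t to http_port_t mapping.

```shell
#!/bin/sh
# Added example for this thread, not code from the list. Given a denied
# name_bind AVC record, print the semanage command that allows that bind
# for the confined domain. Assumes the standard audit.log AVC format.

# Constructed sample AVC line (not from the thread); pid and serial are made up.
AVC_SAMPLE='type=AVC msg=audit(1365536400.123:456): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Print the semanage command that labels the denied port, or return 1 when
# the line is not a name_bind denial for a domain this script knows.
suggest_port_label() {
  line=$1
  case $line in
    *'denied  { name_bind }'*) ;;
    *) return 1 ;;
  esac
  # tclass tells us the protocol the port type must be added for.
  case $line in
    *tclass=tcp_socket*) proto=tcp ;;
    *tclass=udp_socket*) proto=udp ;;
    *) return 1 ;;
  esac
  # src= is the port the process tried to bind; scontext holds user:role:type.
  port=$(printf '%s\n' "$line" | sed -n 's/.* src=\([0-9][0-9]*\) .*/\1/p')
  domain=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  [ -n "$port" ] && [ -n "$domain" ] || return 1
  # Only the Apache domain is mapped here; for other domains check
  # 'semanage port -l' for the right port type instead of guessing.
  case $domain in
    httpd_t) port_type=http_port_t ;;
    *) return 1 ;;
  esac
  printf 'semanage port -a -t %s -p %s %s\n' "$port_type" "$proto" "$port"
}

# Run against the constructed sample when executed directly.
suggest_port_label "$AVC_SAMPLE"
```

The printed command keeps Apache confined to ports explicitly labelled as web ports, which is the property the reply above is defending; a `permissive` system would still log the same AVC so you can derive the fix before going back to enforcing.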