On 10/02/2013 01:00 PM, Hodge, Robert L wrote:
> Do you really want to handicap the security on your Linux server by disabling 
> SELinux? I use the audit2allow command as outlined at 
> http://www.linuxforums.org/articles/accomodating-avc-denied-messages-selinux_355.html
>  to create and load needed local policies for SELinux. It is an iterative 
> process until all the SELinux denials are found. I've done this successfully 
> on RHEL 6.3 and RHEL 6.4.

I almost appended my reply to John with "now ... before the flame wars
start ...".

It's a sensitive topic.  Those who like SELinux really really believe in
it.  Others consider it a government blessing akin to SOX.

Reining in my own feelings and trying to be objective, SELinux is a
powerful and sophisticated tool.  But it is just a tool, and only one of
several.  And it carries a substantial run-time cost.  Quoting from a
different thread, "... the overhead is horrendous. It causes a RACF
security call on each and every DSN.".  What RACF does in that context,
SELinux does here.  Depending on your risks and exposure, the
performance hit may be justified.

In addition to the operational overhead is the staff overhead (starting
with a learning curve, but ongoing).  Again, might be justified, but
should be indicated.

Not all Linux distributors include support for SELinux.

-- R; <><
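The iterative audit2allow loop the quoted message refers to, written out as an added example for readers of this thread (it is not code from either poster or from the linked article). It assumes audit.log records in the standard RHEL 6 AVC format and, on a real host, the audit2allow and semodule tools; the three AVC lines embedded below are constructed for the example, and the module name local_avc is a placeholder.

```shell
#!/bin/sh
# Added example, not from the list thread: the iterative audit2allow
# workflow from the quoted message, as a defender's triage script.
# Assumed: audit.log lines in the standard RHEL 6 AVC format and, on a
# real host, the audit2allow and semodule tools. The log lines below
# are constructed for the example.
SAMPLE_AVC='type=AVC msg=audit(1380735600.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=789 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1380735601.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev=dm-0 ino=790 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1380735602.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev=dm-0 ino=789 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Reduce raw AVC records to distinct (source type, target type, class,
# permission) tuples with a hit count, most frequent first. Reading this
# summary before building a module is what separates a genuinely missing
# rule from a mislabelled file that only needs restorecon.
summarize_denials() {
    awk '/avc: +denied/ {
        perm = ""; s = ""; t = ""; c = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = substr($i, 10)
            if ($i ~ /^tcontext=/) t = substr($i, 10)
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        split(s, sa, ":"); split(t, ta, ":")
        print sa[3], ta[3], c, perm
    }' | sort | uniq -c | sort -rn
}

# Number of distinct denial tuples still present; the loop described in
# the quoted message ends when this reaches zero for the workload under test.
count_denials() {
    summarize_denials | wc -l | tr -d ' '
}

# One pass of the iteration on a real SELinux host: read AVC records on
# stdin, build a local policy module, show the generated .te for review,
# then load it. "local_avc" is a placeholder module name.
build_local_module() {
    if ! command -v audit2allow >/dev/null 2>&1; then
        echo "audit2allow not installed; skipping module build" >&2
        return 2
    fi
    audit2allow -M local_avc            # writes local_avc.te and local_avc.pp
    cat local_avc.te                    # read every allow rule before loading it
    semodule -i local_avc.pp
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_denials
echo "distinct denials: $(printf '%s\n' "$SAMPLE_AVC" | count_denials)"
```

On a real host the input to build_local_module would come from the audit log (for example `ausearch -m avc -ts recent | build_local_module`), run in permissive mode while the workload is exercised, then re-checked in enforcing mode until count_denials reports zero. The summary step matters: in the constructed sample, httpd_t being denied read on user_home_t indicates web content left with a home-directory label, which is fixed by relabelling rather than by an allow rule, and an allow rule generated blindly would widen the policy instead of correcting the error.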

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/