On Thu, Oct 20, 2011 at 10:50 PM, RILINDO FOSTER <[email protected]> wrote:
> SELinux is just a couple more steps when configuring the system. It's
> not a large deal once you figure out the basic command set. In fact, some of
> the steps configuring an app for SELinux are even outlined in the man pages
> and some of the application docs (notably Samba).

Until it breaks something, unpredictably. For example, restoration of previously working software with "rsync" from another working system, or "tar" from backup tape, will not set SELinux. So if you've been using Amanda or live rsync backups of your OS, the SELinux configuration is *gone* if you attempt to replicate components of it. And various web utilities whose authors refuse to follow the published guidelines of the File System Hierarchy and slap their oddities all over your filesystem will not work well when they demand to be stuffed in "/home/html".

> Worst case, you can use the audit file as well as the SELinux Troubleshooter
> utility to diagnose the issue. In most cases, it is easy to resolve.

Until it's not. It's *expensive* engineering time, and its usefulness in the face of claims like "we trust the people we work with!" and "if they're already inside our network, we have much bigger problems" lead to policies that can get you fired for burning time on this.
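
An added example, not part of the original message: one way to size up the label loss described above after a restore is to run `restorecon -R -n -v <path>` (dry run, nothing is changed) and summarize which files carry a type other than the one policy expects. The two output line formats and the sample lines are assumptions constructed for illustration; the wording differs between policycoreutils versions.

```python
import re
from collections import Counter

# Two dry-run output styles of `restorecon -R -n -v`; the exact wording
# depends on the policycoreutils version, so both are assumed here.
NEW_STYLE = re.compile(
    r"^Would relabel (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)$")
OLD_STYLE = re.compile(
    r"^restorecon reset (?P<path>.+) context (?P<old>\S+)->(?P<new>\S+)$")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_dry_run(text):
    """Yield (path, current_type, policy_type) for each file to be relabeled."""
    for line in text.splitlines():
        line = line.strip()
        m = NEW_STYLE.match(line) or OLD_STYLE.match(line)
        if m:
            yield m["path"], selinux_type(m["old"]), selinux_type(m["new"])

def summarize(text):
    """Count mislabeled files per (current type, policy type) pair."""
    return Counter((old, new) for _, old, new in parse_dry_run(text))

# Constructed sample: a web root and a Samba config restored without labels.
SAMPLE = """\
Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/app/config.php from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /etc/samba/smb.conf context system_u:object_r:unlabeled_t:s0->system_u:object_r:samba_etc_t:s0
"""

if __name__ == "__main__":
    for (old, new), count in summarize(SAMPLE).most_common():
        print(f"{count:4d} file(s) labeled {old}, policy expects {new}")
```
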
