[colug-432] SELinux == Sadness

Jeff Frontz jeff.frontz at gmail.com
Sun Apr 25 16:53:05 EDT 2010


On Sun, Apr 25, 2010 at 5:04 PM, Joshua Kramer <josh at globalherald.net> wrote:
>
>> If only it were possible to test everything under all conditions (if
>> only P did equal NP).  Really, though, it's actually more indicative
>
> Actually, as RHEL 5 and 6 are configured in their 'Enforcing' mode, you only
> need to test for interaction with the outside world.  If your application
> only ever opens one file and connects to one server, those will be the two
> 'pain points' with SELinux.  You would need to test cases where the file is
> created, opened, read from, written to, and closed; likewise with the
> network socket.
>
> Here's an article I wrote a while back about how you can secure a website
> with SELinux.  It also demonstrates what happens when a violation occurs.
>
> http://www.packtpub.com/article/selinux-secured-web-hosting-python-based-web-applications
>

OK, thanks for the pointer-- it's seemingly further convinced me that
I don't need to use it, but just to make sure I haven't
misinterpreted: since I'm doing an embedded system with excruciatingly
limited connection with the outside world (read: an appliance that
sometimes uses lpd to connect to a printer on a closed network),
SELinux isn't even coming into play?  Maybe that actually argues for
me to just turn it on and let it be, but I have recollections of
trying to debug a problem and it turning out to be some innocuous
behavior deemed "unacceptable" by SELinux.

Perhaps you'd be willing to give a talk on SELinux sometime in the
next few weeks?

Jeff
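A worked example added here, not part of this thread or of Joshua's article: the "pain points" Joshua describes (a file being created/opened/read/written, a socket being connected) show up in Enforcing mode as AVC denials in /var/log/audit/audit.log. The script below parses a few constructed AVC lines in that format (the `myapp_t` domain, pid, inode numbers and timestamps are invented; `printer_port_t` on tcp/515 is the label the reference policy gives the lpd port, which matches Jeff's printer case), groups them the way audit2allow does, and sorts them into file versus network pain points. It reproduces the shape of audit2allow's output rather than calling the real tool, so it runs with no SELinux machinery present.

```python
"""Summarise SELinux AVC denials into file/network 'pain points'.

Added example for illustration; not the project's or audit2allow's code.
The log lines below are constructed to look like RHEL audit.log entries:
pid, inode, timestamps and the myapp_t domain are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: one denied read of a config file, one denied connect
# to the lpd port (tcp/515 is printer_port_t in the reference policy), and a
# denied write then create on a log file. The SYSCALL record is there to show
# that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """
type=AVC msg=audit(1272233645.123:42): avc:  denied  { read } for  pid=1234 comm="myapp" name="config.ini" dev=sda1 ino=12345 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1272233645.456:43): avc:  denied  { name_connect } for  pid=1234 comm="myapp" dest=515 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:printer_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1272233646.001:44): avc:  denied  { write } for  pid=1234 comm="myapp" name="app.log" dev=sda1 ino=999 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1272233646.001:44): arch=c000003e syscall=2 success=no exit=-13 comm="myapp"
type=AVC msg=audit(1272233646.500:45): avc:  denied  { create } for  pid=1234 comm="myapp" name="app.log" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""
SAMPLE_LINES = SAMPLE_AUDIT_LOG.strip().splitlines()

# The fixed part of an AVC record: result, permission set, contexts, class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Generic key=value pairs (comm="..." and name="..." are quoted in the log).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes that correspond to the two kinds of "pain point".
FILE_CLASSES = {"file", "dir", "lnk_file", "fifo_file", "sock_file", "chr_file", "blk_file"}
NET_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket", "packet_socket", "node", "netif"}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {
        "result": m.group("result"),
        "perms": sorted(m.group("perms").split()),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm", "").strip('"'),
        "name": fields.get("name", "").strip('"'),
        "dest": fields.get("dest"),  # only present for network denials
    }


def context_type(context):
    """user:role:type[:level] -> type, the part allow rules are written against."""
    return context.split(":")[2]


def summarize(lines):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    rules = defaultdict(set)
    for d in (parse_avc(l) for l in lines):
        if d and d["result"] == "denied":
            key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
            rules[key].update(d["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def as_te_rules(summary):
    """Render the summary as allow rules in the shape audit2allow prints."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


def pain_points(summary):
    """Bucket the denials into the file / network interactions that need testing."""
    out = {"file": [], "network": [], "other": []}
    for (src, tgt, cls), perms in sorted(summary.items()):
        bucket = "file" if cls in FILE_CLASSES else "network" if cls in NET_CLASSES else "other"
        out[bucket].append((tgt, cls, perms))
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for rule in as_te_rules(summary):
        print(rule)
    for kind, items in pain_points(summary).items():
        print(kind, items)
```

The point of the grouping step is the same one audit2allow makes: a series of denials on the same (domain, target, class) collapses into one candidate rule, so "create, open, read, write, close" on a log file becomes one line to review. Review is the operative word. A denial against `var_log_t` from a domain that should own its log file usually means the file is mislabeled (fix with `restorecon` or a file-context rule), not that the domain needs a new allow rule, and the network denial above would be answered with a boolean or port label rather than a blanket `name_connect`. For an appliance that only ever talks to a printer, a denied `name_connect` on `printer_port_t` is exactly the single socket case Joshua says needs to be tested.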
