[colug-432] SELinux == Sadness

Jeff Frontz jeff.frontz at gmail.com
Sun Apr 25 16:53:05 EDT 2010

On Sun, Apr 25, 2010 at 5:04 PM, Joshua Kramer <josh at globalherald.net> wrote:
>> If only it were possible to test everything under all conditions (if
>> only P did equal NP).  Really, though, it's actually more indicative
> Actually, as RHEL 5 and 6 are configured in their 'Enforcing' mode, you only
> need to test for interaction with the outside world.  If your application
> only ever opens one file and connects to one server, those will be the two
> 'pain points' with SELinux.  You would need to test cases where the file is
> created, opened, read from, written to, and closed; likewise with the
> network socket.
> Here's an article I wrote a while back about how you can secure a website
> with SELinux.  It also demonstrates what happens when a violation occurs.
> http://www.packtpub.com/article/selinux-secured-web-hosting-python-based-web-applications

OK, thanks for the pointer-- it's seemingly further convinced me that
I don't need to use it, but just to make sure I haven't
misinterpreted: since I'm doing an embedded system with excruciatingly
limited connection with the outside world (read: an appliance that
sometimes uses lpd to connect to a printer on a closed network),
SELinux isn't even coming into play?  Maybe that actually argues for
me to just turn it on and let it be, but I have recollections of
trying to debug a problem and it turning out to be some innocuous
behavior deemed "unacceptable" by SELinux.

Perhaps you'd be willing to give a talk on SELinux sometime in the
next few weeks?


More information about the colug-432 mailing list