Just wondering if there is any statistics report of SELinux usage in production environments? I know some still turn it off.
I don’t know about any general statistics, but I do know that I have it
turned off on my desktop/file server/print server/samba server.
I tried to play with it a few times with centos 5 and 6 for my webservers
and such, but I ended up disabling it since I did not want it to freak
out and cause a fail in a production server.
Not very good with it, but it seemed with a webserver that it needed to
allow apache and php to have a lot of access…so it did not seem to be
worth the chance of a production server going down over some stupid file
I changed or uploaded.
I don’t know about statistics, but SELinux has logs.
Watch here: http://wiki.centos.org/HowTos/SELinux
By default SELinux log messages are written to */var/log/audit/audit.log*
If you have machines purposely serving things to the masses on the
Internet, you should take the time to make SELinux work properly on
The thing that SELinux is going to do is to prevent things from running
outside the proper contexts. This means that it will, for example,
block known PHP exploits even though the machine is vulnerable, etc.
For machines not serving content, you can turn it off there if you want.
Here is a good FAQ about SELinux:
And more info:
Another statistic I’d like to see is how much admin time this costs on
the average to learn and implement. Has anyone really measured this?
Are there training courses specifically to cover it? You might get
an idea from the length and cost of the training if it covers all the
quirks. These days most of the built-in stuff is pre-configured for
someone’s idea of working (apache not being able to send mail doesn’t
match my definition, though…), but any third-party or local
additions to a targeted service will take time to set up.
Les Mikesell wrote:
Or, a local pet peeve, I’d like to see some game plan as to how selinux
will support third-party apps that are not built with any awareness of
selinux. For me, that’s CA’s siteminder.
No more than proper firewalling techniques cost, really.
EL6 greatly improves the admin interface for SELinux with policycoreutils-gui as then all the booleans are quickly available (like the boolean that turns on or off httpd’s ability to send e-mail (or connect to a network socket, etc)). The booleans (at least most of them) are in EL5, but the interface isn’t nearly as well documented (I know, many would like a TUI with the click boxes; maybe one is out there, maybe not; I’m not allergic to a remote GUI being available on a server).
The documentation for EL6 is better in this regard as well. But, really, if you’re having an issue with httpd getting ‘access denied’ things, then you can simply:
# getsebool -a |grep http
The booleans have reasonable, and readable, names that make sense, for the most part. Find the boolean that controls the feature you want, and use setsebool to set it to on.
It’s not hard, and the admin overhead once you’re used to it is a few seconds at most. It becomes another ‘firewall-like’ item to check off, really, as long as you do things at least in a semi-standard way.
And ls -lZ is your friend, along with chcon. It is one more step, but, honestly, it’s not nearly as big a step as firewalling (ipchains/iptables) was ten/fifteen years ago. At least not with EL6; but EL5U8 is better than EL5 GA was.
To the OP’s question: all but one of our CentOS boxen here have SELinux on, and in enforcing mode with either the targeted or the strict policies. The strict policy is tough to get right, and is for special use servers on the DMZ, typically, with the targeted policy running everywhere else. Including all the CentOS workstations we have, and even my Fedora laptop. The one CentOS box with it on, and in permissive mode, soon will be in enforcing once I have the small amount of time necessary to work out the AVCs and set up the proper contexts.
And SELinux has blocked a few attacks at this point for which there weren’t yet patches; in other words, SELinux saved me from having to reimage servers that would have been pwned had SELinux not been running. I can’t give more detail than that due to NDA, sorry.
Again, compared to all the options firewalls give you (connection tracking, DPI, UDP versus TCP ports versus IP protocol numbers versus non-IP protocols versus IP flags versus…..) SELinux is not hard to configure from the admin’s point of view. Now, from the application developer point of view, things are different. But, there again, it really boils down to making sure the files you create have the proper context, and writing policy to fit your access pattern.
Increasing system security is not easy, and it takes time to do correctly, but it needs to be done in today’s internet environment.
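The triage the post above describes (read the AVC denials SELinux writes to /var/log/audit/audit.log, as the earlier reply pointed out, then `getsebool -a | grep http` for a matching boolean, or `ls -lZ` plus chcon when the file context is wrong), written out as a POSIX sh script. This is an added example, not code from the thread or from the CentOS project. It runs over constructed sample audit.log lines and a constructed subset of `getsebool -a` output so it can be executed on a host without SELinux; the function and variable names (`avc_summary`, `related_booleans`, `classify`, `SAMPLE_AUDIT`, `SAMPLE_BOOLS`) are this example's own. On a real EL6 box you would feed it the actual audit.log and the actual boolean list, and the decision to run `setsebool -P` or `chcon` stays with the admin.

```shell
#!/bin/sh
# Added example, not code from the thread: triage SELinux AVC denials the way the
# post describes (read audit.log, then look for a matching boolean or a wrong
# file context). Runs on constructed sample data so it works without SELinux.

# Constructed sample audit.log lines in the AVC record format (not real captures).
SAMPLE_AUDIT='type=AVC msg=audit(1340000000.123:45): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=25 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1340000000.123:45): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1340000000.456:46): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.php" dev=sda1 ino=1000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1340000000.789:47): avc:  denied  { write } for  pid=2222 comm="smbd" name="share" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir'

# Constructed subset of `getsebool -a` output (boolean names as shipped in EL6 policy).
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_can_sendmail --> off
httpd_enable_homedirs --> off
httpd_read_user_content --> off
samba_enable_home_dirs --> off
samba_export_all_rw --> off'

# Reduce each AVC denial on stdin to: comm source_type target_type tclass permission
avc_summary() {
  awk '/type=AVC/ && /denied/ {
    perm = ""; comm = ""; st = ""; tt = ""; tc = ""
    if (match($0, /[{][^}]*[}]/)) {
      perm = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perm)
    }
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
      else if (kv[1] == "scontext") { split(kv[2], p, ":"); st = p[3] }
      else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tt = p[3] }
      else if (kv[1] == "tclass")   { tc = kv[2] }
    }
    print comm, st, tt, tc, perm
  }'
}

# Number of denials recorded for a given process name (comm).
count_denials() {
  printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | awk -v c="$1" '$1 == c' | wc -l | tr -d ' '
}

# Booleans whose name starts with the source type's prefix (httpd_t -> httpd_),
# the same thing the post gets from `getsebool -a | grep http`.
related_booleans() {
  prefix=${1%_t}
  printf '%s\n' "$SAMPLE_BOOLS" | grep "^${prefix}_" || :
}

# First-pass classification of a denial: a socket class points at a network
# boolean; a file/dir class points at the file's context (ls -lZ, then chcon or
# restorecon) or at a boolean that permits that content type.
classify() {
  case "$1" in
    *socket*) echo "network: check booleans" ;;
    file|dir|lnk_file) echo "filesystem: check context with ls -lZ, then boolean" ;;
    *) echo "other: read the policy for tclass $1" ;;
  esac
}

# Human-readable triage report for the sample data.
triage_report() {
  printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | while read -r comm st tt tc perm; do
    echo "$comm ($st) denied '$perm' on $tt [$tc]: $(classify "$tc")"
    related_booleans "$st" | sed 's/^/    candidate boolean: /'
  done
}

triage_report
```

The report lists each denial with the source and target types and the candidate booleans for that domain; for the sample data the httpd SMTP denial lines up with httpd_can_sendmail, while the user_home_t denial is a context problem that a boolean alone may not solve. Keeping the script read-only mirrors the post's workflow: it narrows the search, and the admin then applies setsebool or chcon deliberately.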
So at least another grumpy, overworked full-time administrator for a
Isn’t most of the point of running servers to provide a unique service?