selinux on vhost
Sesso
sesso at djsesso.com
Sun Oct 26 13:40:17 MST 2014
I agree it has value. I learned it. Do I use it? Rarely. We use it on non-control-panel servers.
Jason
Sent from my iPhone
> On Oct 26, 2014, at 1:16 PM, jill <lists at bespokess.com> wrote:
>
> I would disagree on this point. Without getting into a debate over how/if it works with cPanel, which I've never used, selinux absolutely has value. Well beyond "if you're bored or taking a cert exam". A lot of people did say to just disable it when it was new and seemed like too much effort to learn and we have lingering remains of that in blog posts and docs here and there. And no, not every workload in the world requires it. But that's a heck of a kneejerk reaction to take without actually considering the technology and where/if it fits for you.
>
> selinux does have an initial learning bump of getting used to thinking in terms of access control beyond file ACLs and iptables, but it's not voodoo and it is used very extensively and effectively in the real world. For running an isolated dev environment like your initial question I'd say run it in permissive (not disabled) because that way it won't stop you doing anything but you can still see from audit.log what would/would not have happened and use that to learn from if you are so inclined.
>
> You wouldn't disable iptables on external facing servers just because you had an ASA in front of them (I hope). Same thing. Don't disregard a tool just because you also have another, different one, especially for security.
>
> Jill
>
>
>> On 2014-10-26 17:54, Keith Smith wrote:
>>
>> Probably not going to spend any time learning selinux then.
>>
>>
>>> On 2014-10-26 12:52, Sesso wrote:
>>> We have over 2000 servers and 0 have selinux enabled. I guess you
>>> could understand it if you got bored or you wanted to take an RHCE test.
>>>
>>> Sent from my iPhone
>>>
>>>> On Oct 26, 2014, at 10:29 AM, Keith Smith <techlists at phpcoderusa.com>
>>>> wrote:
>>>>
>>>>
>>>> No cpanel. It is a LAMP testing server running in VirtualBox. I was
>>>> wondering if I should spend the time to understand selinux. If it is
>>>> not used on production vhost servers then I will not spend the time.
>>>>
>>>> Thanks!!
>>>> Keith
>>>>
>>>>
>>>>> On 2014-10-26 12:15, Sesso wrote:
>>>>> I guess it depends on what you are doing with it. Are you running
>>>>> CPanel? We disable it on all of ours.
>>>>> Sent from my iPhone
>>>>>> On Oct 26, 2014, at 9:41 AM, Keith Smith <techlists at phpcoderusa.com>
>>>>>> wrote:
>>>>>> Hi,
>>>>>> I am configuring a CentOS 7 LAMP server in a virtualbox.
>>>>>> I always disable selinux on my private dev servers. I read I should
>>>>>> leave selinux enforcing. I am not configuring anything public so
>>>>>> either way I'm sure I am safe. I was just wondering if selinux
>>>>>> should be left enforcing.
>>>>>> Thanks!
>>>>>> Keith
>>>>>> --
>>>>>> Keith Smith
>>>>>> ---------------------------------------------------
>>>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>
>>>> --
>>>> Keith Smith
>>
>> --
>> Keith Smith
>
>
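
Added example, not part of the thread: a short Python sketch of the permissive-mode workflow Jill describes, reading AVC records from audit.log to list what enforcing mode would have stopped. The log lines are constructed, and it assumes the kernel writes the `permissive=` field on AVC records; records without that field are not counted.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1414352417.101:210): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/dev/site/index.php" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1414352417.101:210): arch=c000003e syscall=4 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1414352417.105:211): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.php" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1414352420.300:215): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    return {
        "comm": m["comm"],
        "source": selinux_type(m["scon"]),
        "target": selinux_type(m["tcon"]),
        "tclass": m["tclass"],
        "perms": m["perms"].split(),
        # permissive=1: the access was allowed and only logged
        "logged_only": m["permissive"] == "1",
    }

def would_have_blocked(log_text):
    """Group logged-only denials: what enforcing mode would have stopped."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc and avc["logged_only"]:
            grouped[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in would_have_blocked(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

On the constructed sample this reports httpd_t reading files labelled user_home_t and connecting to mysqld_port_t, two things a LAMP dev box commonly trips over before its labels and booleans are set.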