I was banging my head against the wall trying to figure out why my Nagios install wasn't working on CentOS 4.5 (I'm used to Debian), and so I disabled SELinux and everything magically started working.

Is this a good long term idea? Or is there a better way of doing things?

Rogelio Bastardo wrote:
> I was banging my head against the wall trying to figure out why my
> Nagios install wasn't working on CentOS 4.5 (I'm used to Debian), and
> so I disabled SELinux and everything magically started working.
>
> Is this a good long term idea? Or is there a better way of doing things?

Hi There,

If your machine is purely a server and has no local accounts for ordinary users, you can implement an effective security policy using appropriate partitioning, fstab entries, wrapper and firewall configuration without the baggage of SELinux.

Save yourself the headache and turn it off!

Regards
Pete

On Friday, June 29, 2007 7:19 PM -0700 Rogelio Bastardo <scubacuda at gmail.com> wrote:
> I was banging my head against the wall trying to figure out why my Nagios
> install wasn't working on CentOS 4.5 (I'm used to Debian), and so I
> disabled SELinux and everything magically started working.
>
> Is this a good long term idea? Or is there a better way of doing things?

SELinux is a tool, part of a suite of defenses you deploy as part of "defense in depth" to protect your assets. Only you can decide how valuable your assets are and how much effort you should expend protecting them. (But a usurped box also hurts the rest of us, once it becomes a bot available to spam or otherwise attack other hosts.)

You should have other techniques in play to defend your system, such as iptables, tcp wrappers, LUA, SSL, and strong passwords. SELinux presents another hurdle that attackers must get past.

My policy is not to permanently disable it but to figure out how to use it. I'm currently reading the two premier books on it to understand it. So far I haven't had to disable it to get things working, but I've had to defer deployment of some services or figure out workarounds.