There’s some cool commentary going on at Slashdot this morning about SELinux. And wouldn’t you know it, it’s about one of the articles here at SearchEnterpriseLinux.com.
The article was a mash-up of some stuff I had left over from May’s Red Hat Summit in San Diego, an interview with author and SELinux expert Frank Meyer, and an exchange with our new blog contributor Jim Klein, the director of information services and technology at California-based Saugus Union School District. (Link: With RHEL5, Red Hat goes to bat for SELinux)
The comments at Slashdot are arriving from readers on all sides of the SELinux aisle. Some agree that SELinux has come a long way and that people like Red Hat’s Dan Walsh are right to ask that it be turned on all the time; others agree with the assertion that it’s already been typecast as too complex; while some fall in the middle, asking for more advice. Oh, and some just plain hate it.
Here’s some of that straightforward advice, from Slashdot reader BigBuckHunter:
Step 1: Install RHEL, disable SELinux
Step 2: Install and configure your stack (apache, jboss, tomcat, mysql, whatever)
Step 3: Enable permissive mode, light up the stack, watch logs
Step 4: Tweak the rules, repeat step 3 until the logs are clean.
Step 5: Enable Enforcing Mode
You can now rest a little bit easier knowing that you have SELinux enabled. The only drawback is that you sometimes have to repeat the process as new versions of your stack are released (mysql, jboss). It’s basically a monthly process.
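The log-watching loop in steps 3 and 4, as an added example that is not part of the Slashdot comment or the original article: it groups AVC denials from audit log text by source type, target type and class, and lists the rules that would silence them, which is what to review before each tweak. The sample log lines are constructed and the function names are this example's own; on a real host `audit2allow` does this job.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1181200000.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=1311 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1181200000.102:42): avc:  denied  { getattr } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=1311 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1181200000.102:42): arch=40000003 syscall=195 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1181200003.500:57): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1181200009.000:60): avc:  granted  { setenforce } for  pid=2300 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches only "denied" AVC records; "granted" and non-AVC records are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def _type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (_type_of(m["s"]), _type_of(m["t"]), m["cls"])
            groups[key].update(m["perms"].split())
    return dict(groups)


def candidate_rules(groups):
    """Render each group as an allow rule for human review, in sorted order."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(groups.items())
    ]


def logs_clean(log_text):
    """True when the log holds no AVC denials (the exit condition of step 4)."""
    return not summarize_denials(log_text)


if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize_denials(SAMPLE_LOG))))
```

An empty result is the "logs are clean" condition from step 4. Each listed rule is a candidate to review rather than accept wholesale, since relabeling a file is sometimes the right fix instead of a new allow rule.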
This is not the last of our coverage on SELinux. Watch for more as it continues to mature.