SELinux is a Mandatory Access Control system. You can get an idea of how you'd configure this at my Selinux on FC5 article even though it's a few years old, but before you read that, just let me put on my flame proof suit here... ok, I'm ready: I almost always disable SELinux sooner or later.
Yeah, really. I think SELinux is a wonderful, wonderful idea. If used properly, it really can help make your system more secure. My problem is that it doesn't get used properly. So upgrades get done and the people who do the scripts forget all about SELinux and what YOU get is a broken app or a broken system. This happens all too frequently, and unless you are willing to have constant vigilance, SELinux (or lack of due digilence with regard to it), will bite you sooner or later.
So - if you are willing and able to babysit this and be sure everything has been properly reset after updates, yes, use SELinux. If you are like my more typical clients, you may not want to invest the time.
When I do an install, I usually leave SELinux enabled. The first time I get the "everything is broken" call because of SELinux, I have a long conversation about all this and the result usually is to disable it because they don't have time to watch this and aren't willing to pay my time to do it for them.
SELinux: great idea. Not so great in the real world. Not SELinux's fault, just the way things are.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2011-07-07 Tony Lawrence
The easy confidence with which I know another man's religion is folly teaches me to suspect that my own is also. (Mark Twain)