[SOLVED] Disabling SELinux on CentOS domain controller
I was wondering why most of the guides for this disable the firewall on the intended server at the beginning of the setup. Some guides say it will only cause problems and others say it is too much work to configure so they just turn it off. Isn't this a huge security violation of good practices when securing your servers? Just want people's opinions on this and also what they feel it would take to properly configure a Linux DC with the local firewall enabled.
I would like to point out that SELinux is not a firewall. SELinux is a system that acts like super-permissions; it watches what goes on within the OS and blocks potentially malicious activities. It's really more like a proactive anti-virus system, but that's not the best description.
Anyway, the reason a lot of people disable it is because it's kind of a bitch to get working correctly. In many circumstances, it will block perfectly legitimate actions, requiring the admin to fix permissions, rebuild rule sets, blah blah blah...
In my experience, it's a calculated risk. You really should leave it enabled, but it's not the end-all and be-all of security. If your server is public-facing, I would highly recommend just bearing down and getting it to work.
P.S. If you're looking for information on how to configure the real Linux firewall, look into iptables.
You are right about it not being the firewall. My terminology is off in my original statement. That makes sense now that you mention it being a monitoring system. Much like an HIDS (Host Intrusion Detection System) just without the administrator notification portion, I guess. I had actually forgotten about iptables so it makes more sense now as to why people would set SELinux to disable it. Do you know of any documentation for configuring SELinux? I have run through the setup process before but am looking for other ideas as well.
But generally, I will put it into permissive mode and use auditd to see what needs policy mods. Once I implement those, I'll put it back into enforcing mode. Then you just have to monitor the audit log any time there's an issue. Things that often gave me trouble were php access to the filesystem and my non-standard html root directory.
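The permissive-mode review described in the post above can be sketched as follows. This is an added example, not code from any poster in the thread: it groups AVC denials from audit log text so each distinct denial is reviewed once. The log lines, paths, PIDs and the `suggest_fix` heuristic are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1319475120.123:451): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.php" dev=dm-0 ino=393220 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1319475120.123:451): arch=c000003e syscall=2 success=yes exit=3 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1319475121.004:452): avc:  denied  { read open } for  pid=2301 comm="httpd" name="index.php" dev=dm-0 ino=393220 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1319475180.500:460): avc:  denied  { write } for  pid=2310 comm="php" name="uploads" dev=dm-0 ino=393300 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1319475200.900:471): avc:  denied  { name_bind } for  pid=2400 comm="smbd" src=8445 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group AVC denials by (command, source type, target type, class)."""
    perms_by_key, hits = {}, Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["comm"], selinux_type(m["scontext"]),
               selinux_type(m["tcontext"]), m["tclass"])
        perms_by_key.setdefault(key, set()).update(m["perms"].split())
        hits[key] += 1
    return {k: (sorted(perms_by_key[k]), hits[k]) for k in perms_by_key}

def suggest_fix(target_type, tclass):
    """Heuristic (an assumption of this example): default_t on a file or
    directory means no file-context rule matched the path, so relabel the
    path rather than adding allow rules for it."""
    if tclass in ("file", "dir") and target_type == "default_t":
        return "relabel"
    return "review-policy"

if __name__ == "__main__":
    for (comm, src, tgt, tclass), (perms, n) in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{n}x {comm}: {src} -> {tgt}:{tclass} {{{' '.join(perms)}}} [{suggest_fix(tgt, tclass)}]")
```

On a real host the same records come from `ausearch -m avc`, and `audit2allow` turns reviewed denials into policy rules.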