LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-24-2011, 10:16 AM   #1
Jadedkill
LQ Newbie
 
Registered: Oct 2010
Location: Missouri
Distribution: CentOS, Gentoo
Posts: 17

Rep: Reputation: 0
Disabling SELinux on CentOS domain controller


I was wondering why most of the guides for this disable the firewall on the intended server at the beginning of the setup. Some guides say it will only cause problems and others say it is too much work to configure so they just turn it off. Isn't this a huge security violation of good practices when securing your servers? Just want people's opinions on this and also what they feel it would take to properly configure a linux DC with the local firewall enabled.
 
Old 10-24-2011, 12:45 PM   #2
zootboy
Member
 
Registered: Nov 2008
Location: In a dumpster, with my laptop.
Distribution: Fedora
Posts: 124

Rep: Reputation: 25
I would like to point out that SELinux is not a firewall. SELinux is a system that acts like super-permissions; it watches what goes on within the OS and blocks potentially malicious activities. It's really more like a proactive anti-virus system, but that's not the best description.

Anyway, the reason a lot of people disable it is because it's kind of a bitch to get working correctly. In many circumstances, it will block perfectly legitimate actions, requiring the admin to fix permissions, rebuild rule sets, blah blah blah...

In my experience, it's a calculated risk. You really should leave it enabled, but it's not the end-all and be-all of security. If your server is public-facing, I would highly recommend just bearing down and getting it to work.

P.S. If you're looking for information on how to configure the real Linux firewall, look into iptables.
 
Old 10-24-2011, 12:51 PM   #3
Jadedkill
LQ Newbie
 
Registered: Oct 2010
Location: Missouri
Distribution: CentOS, Gentoo
Posts: 17

Original Poster
Rep: Reputation: 0
Thanks!

You are right about it not being the firewall. My terminology is off in my orginal statement. That makes sense now that you mention it being a monitoring system. Much like an HIDS (Host Intrusion Detection System) just without the administrator notification portion i guess. I had actually forgotten about iptables so it makes more sense now as to why people would set SELinux to disable it. Do you know of any documentation for configuring SELinux? I have ran through the setup process before but am looking for other ideas as well.

---------- Post added 10-24-11 at 12:52 PM ----------

You are right about it not being the firewall. My terminology is off in my original statement. That makes sense now that you mention it being a monitoring system. Much like an HIDS (Host Intrusion Detection System) just without the administrator notification portion i guess. I had actually forgotten about iptables so it makes more sense now as to why people would set SELinux to disable it. Do you know of any documentation for configuring SELinux? I have ran through the setup process before but am looking for other ideas as well.
 
Old 10-24-2011, 03:11 PM   #4
zootboy
Member
 
Registered: Nov 2008
Location: In a dumpster, with my laptop.
Distribution: Fedora
Posts: 124

Rep: Reputation: 25
A quick google search is all you need:
http://hackinglinux.blogspot.com/200...-tutorial.html
http://magazine.redhat.com/2007/08/2...policy-module/

But generally, I will put it into permissive mode and use auditd to see what needs policy mods. Once I implement those, I'll put it back into enforcing mode. Then you just have to monitor the audit log any time there's an issue. Things that often gave me trouble were php access to the filesystem and my non-standard html root directory.
 
1 members found this post helpful.
  


Reply

Tags
domain, domain controller, enable, firewall, selinux


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: CentOS 5.x Samba Domain Controller With LDAP Backend LXer Syndicated Linux News 0 11-09-2009 10:30 AM
SELinux - disabling in CentOS 5.1 prevents LVM from loading and/or booting tiber Linux - Software 2 02-09-2008 04:51 AM
making Centos s primary domain controller jvan Linux - Newbie 2 12-15-2007 03:27 AM
Disabling SElinux Opacus Fedora 1 01-14-2005 08:04 AM


All times are GMT -5. The time now is 03:36 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration