Posted Jul 14, 2008 0:40 UTC (Mon) by mmarlowe (subscriber, #11374)
Parent article: SELinux and Fedora
Count me in as another experienced sysadmin who isn't sold on SE Linux. Yes, I've been using
it here and there and attempting to get better at troubleshooting issues with it....but mostly
I'm holding off production deployments until the technology matures further.
The following issues are some of what bothers me:
a) SELinux still seems too much of a black box ....I have had situations where working
applications running under selinux start having issues months after deployment and after I
assumed all critical problems had been debugged (I think it comes down to the fact that
selinux requires the admin to be much much more precise on defining the behavior of
applications, but the admin doesn't always know how those behaviors are going to change over
b) We had some servers crash recently because selinux was silently logging access errors for a
very busy webserver and storing the messages in ram apparently or there was a memory leak in
setroubleshoot. System went through 4GB of ram for selinux purposes within an hour of
boot...shutting off selinux eventually allowed the system to stay in operation until our
developers realized that a recent change in their application was violating policies.
c) As an Admin, I like to set up machines and be generally aware of what developers are up to
(to the extent it impacts system reliability, performance, and security) but I don't want to
know every last detail of their new apps...and selinux somewhat forces me to be much more
involved so that I know all the directories they are accessing for each app/etc as well as
network ports I might not have needed to know about before.
d) And lastly, I'm still working out how to get the whole logging mechanism for selinux
working properly. I don't want any applets involved on the server, and all our syslog
messages go to a central splunk server which is configured for various live reports and
alerting. You'd think there'd be an easy way to get alerted on the appropriate selinux
messages but there doesn't appear to be, especially as we have to carefully tune what messages
are "normal" and which really require attention.
So, as much as I agree with the principles of se linux and want it to be deployed eventually
in all production environments, I am somewhat frustrated at RedHat forcing its customer base
to be beta testers of what essentially isn't production ready software.
Hopefully, the concerns will go away by a RHEL7 release.
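As an added example (not from the comment above, nor from Fedora/RHEL tooling) of the filter item d) asks for: it parses kernel AVC denial lines as they arrive via syslog, drops denials the admin has already reviewed as "normal" (a constructed baseline), and aggregates the rest into counted alert lines so a busy webserver's flood of identical denials, as in item b), collapses into a few keys. The log lines are constructed sample data in the kernel's AVC message format.

```python
import re
from collections import Counter

# Kernel AVC denial line as relayed through syslog; captures the fields an
# alert needs: permissions, calling program, source/target contexts, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Denials already reviewed and judged "normal" for this host (constructed
# baseline for the example; a real one is built from reviewed denials).
BASELINE = {("httpd_t", "var_t", "file", "getattr")}

# Constructed syslog lines in the kernel AVC format; not real log data.
SAMPLE_LOG = [
    'Jul 14 00:40:01 web1 kernel: type=1400 audit(1215993601.123:456): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/www/html/index.html" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
    'Jul 14 00:40:02 web1 kernel: type=1400 audit(1215993602.456:457): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'Jul 14 00:40:02 web1 kernel: type=1400 audit(1215993602.789:458): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'Jul 14 00:40:03 web1 kernel: type=1400 audit(1215993603.000:459): avc:  denied  { read write } for  pid=2347 comm="httpd" name="upload.tmp" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file',
    'Jul 14 00:40:04 web1 sshd[999]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2',
]

def parse_avc(line):
    """Return [(source type, target type, class, permission), ...] for an
    AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type[:level]
    ttype = m.group("tcontext").split(":")[2]
    return [(stype, ttype, m.group("tclass"), perm)
            for perm in m.group("perms").split()]

def triage(lines, baseline=BASELINE):
    """Aggregate denials not in the baseline so a flood of identical
    messages becomes one counted key instead of thousands of events."""
    counts = Counter()
    for line in lines:
        for key in parse_avc(line) or ():
            if key not in baseline:
                counts[key] += 1
    return counts

def alerts(counts):
    """One alert line per unseen denial pattern, busiest first."""
    return [f"SELinux denial: {s} -> {t} ({cls}:{perm}) x{n}"
            for (s, t, cls, perm), n in counts.most_common()]
```

Run `alerts(triage(SAMPLE_LOG))` to see three alert lines; the baselined getattr denial and the non-AVC sshd line produce nothing.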