Count me in as another experienced sysadmin who isn't sold on SELinux. Yes, I've been using it here and there and attempting to get better at troubleshooting issues with it... but mostly I'm holding off production deployments until the technology matures further. The following issues are some of what bothers me:

a) SELinux still seems too much of a black box... I have had situations where working applications running under SELinux start having issues months after deployment, after I assumed all critical problems had been debugged. (I think it comes down to the fact that SELinux requires the admin to be much, much more precise in defining the behavior of applications, but the admin doesn't always know how those behaviors are going to change over time.)

b) We had some servers crash recently because SELinux was silently logging access errors for a very busy webserver and storing the messages in RAM, apparently, or there was a memory leak in setroubleshoot. The system went through 4GB of RAM for SELinux purposes within an hour of boot... shutting off SELinux eventually allowed the system to stay in operation until our developers realized that a recent change in their application was violating policies.

c) As an admin, I like to set up machines and be generally aware of what developers are up to (to the extent it impacts system reliability, performance, and security), but I don't want to know every last detail of their new apps... and SELinux somewhat forces me to be much more involved so that I know all the directories they are accessing for each app, etc., as well as network ports I might not have needed to know about before.

d) And lastly, I'm still working out how to get the whole logging mechanism for SELinux working properly. I don't want any applets involved on the server, and all our syslog messages go to a central Splunk server which is configured for various live reports and alerting. You'd think there'd be an easy way to get alerted on the appropriate SELinux messages, but there doesn't appear to be, especially as we have to carefully tune which messages are "normal" and which really require attention.

So, as much as I agree with the principles of SELinux and want it to be deployed eventually in all production environments, I am somewhat frustrated at Red Hat forcing its customer base to be beta testers of what essentially isn't production-ready software. Hopefully the concerns will go away by a RHEL7 release.
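The alerting problem raised in point d), as an added example that is not part of the original comment: a small triage script that parses AVC denial records from audit.log, reduces each to (source domain, target type, class, permission), drops the tuples an admin has already reviewed and accepted as normal, and counts what is left for alerting. The audit lines are constructed samples; the `known_normal` allowlist is an assumed site-specific tuning decision, not a policy recommendation.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed sample audit.log lines (not from the original comment).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1496835200.101:4521): avc:  denied  { name_connect } for  pid=2143 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1496835200.102:4522): avc:  denied  { name_connect } for  pid=2143 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1496835201.500:4530): avc:  denied  { getattr } for  pid=2150 comm="httpd" path="/var/www/uploads/x.png" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1496835202.700:4531): avc:  denied  { read } for  pid=2150 comm="httpd" name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1496835203.000:4532): pid=2200 uid=0 auid=1000 ses=3 msg='op=PAM:authentication acct="bob" exe="/usr/bin/sudo" res=success'
"""

# Matches the fields of an AVC denial record in the order audit.log emits them.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# A denial signature: (source domain, target type, object class, permission).
Signature = tuple[str, str, str, str]


def parse_avc(line: str) -> Optional[list[Signature]]:
    """Return one signature per denied permission, or None for non-AVC lines."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    domain = m["scontext"].split(":")[2]   # e.g. httpd_t
    target = m["tcontext"].split(":")[2]   # e.g. shadow_t
    return [(domain, target, m["tclass"], p) for p in m["perms"].split()]


def triage(lines: Iterable[str], known_normal: set[Signature]) -> Counter:
    """Count denials not covered by the reviewed allowlist; these get alerted on."""
    alerts: Counter = Counter()
    for line in lines:
        for sig in parse_avc(line) or []:
            if sig not in known_normal:
                alerts[sig] += 1
    return alerts


if __name__ == "__main__":
    # Assumed tuning: the uploads getattr denial was reviewed and deemed noise.
    normal = {("httpd_t", "var_t", "file", "getattr")}
    for sig, n in triage(SAMPLE_AUDIT_LOG.splitlines(), normal).items():
        print(f"ALERT x{n}: {sig}")
```

Counting per signature rather than forwarding every raw line is also what keeps a busy web server's denial storm from turning into an alert storm at the collector.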
Copyright © 2017, Eklektix, Inc.