Stop Disabling SELinux: A Real-World guide

Mattias Geniar, February 02, 2017

I like this as a 2017 New Year’s resolution.

But in full disclosure: I still disable SELinux as it’s often too much of a hassle. I think most sysadmins disable SELinux.

If I can ever make a feature request: make SELinux more user friendly and let it follow the ‘works out of the box’ mantra. It’s incredibly annoying to install a webserver and find a default SELinux policy not allowing outbound connections.

But security vs. usability is always a trade-off.

It’s 2017, and your New Year’s resolution should be to stop disabling SELinux. SELinux does a great job of doing what it says on the tin – making your servers safer. It doesn’t matter if a Docker, Samba or even Flash vulnerability hits, as SELinux can contain it. But SELinux can’t do anything if you disable it.

In the first post in our SELinux series, we’re going to look at just how easy it is to run nginx as a reverse proxy, all while keeping SELinux happy.

Source: Stop Disabling SELinux: A Real-World guide – LearntEmail