Hacker News
by goneri 650 days ago
Disabling SELinux is pretty much like doing a chmod -R 777 ., it may fix your "problem", but it's certainly not the long-term solution.
2 comments

I wouldn't say it's that drastic. Also, SELinux can give you a false sense of security. It's best to harden the system overall instead of relying on one security feature (however good it might be).
Yes, and SELinux is by far the most powerful tool that exists for hardening your system overall. Why would you skip it?
This has worked for me in the past, but it's not something anyone should do in production. ;)

Then again, disabling SELinux is necessary. For example, cPanel requires disabling SELinux on CentOS, AlmaLinux OS, CloudLinux, and Rocky Linux. AppArmor is fine on Ubuntu (https://docs.cpanel.net/installation-guide/system-requiremen...).

It's not necessary, it's a stupid dick move. cPanel was just not capable of tuning the SELinux profiles for their services, I've worked there.

My servers all run with SELinux, it's really trivial. Just the ssh client and tailscale recipes are missing by default. SELinux gives you precise choices if something is rejected.