From: Joe C. <jo...@vi...> - 2011-05-22 04:42:32
|
There probably are some security benefits to be had, but they would be limited to stuff that only privileged users could do. Since your users need to be able to execute arbitrary stuff in order to run web applications and such, /home has to be a wild west sort of situation, from the perspective of SELinux. I've used it in the past on Virtualmin systems, but in very specific circumstances where the users didn't need arbitrary application abilities, so it didn't have to be wide open in those regards. That said, if you'd like to send me the changes you make to the permissive policy, with comments on what the changes are for, I'd look into packaging it up for inclusion in the virtualmin repos (no promises, though, as it will certainly require a lot more attention to cover all the modules and other stuff that doesn't apply to your deployment, but would need to be addressed if we had an officially sanctioned policy). On 5/21/2011 11:04 PM, Jamie Cameron wrote: > On 21/May/2011 19:47 Trutwin, Joshua<JTRUTWIN@CSBSJU.EDU> wrote .. >> With stock Webmin/Virtualmin seeing a couple selinux warnings in the syslog when >> in permissive mode. Is SELinux considered supported by webmin/virtualmin? Would >> it be best to log these as bugs on Tracker or post them here? > We generally recommend turning off SElinux when running Virtualmin - it adds too > many complications, and we don't feel it adds much benefit security-wise. > > -Jamie |