Include selinux in Server Security Check?

adept2006 · Post by **adept2006** » 12 Jan 2007, 04:20

Apparently, Security-Enhanced Linux (selinux) isn't as secure as the title implies...

- see post by katmai: http://forums.cpanel.net/showthread.php?t=55944

Would it be worth adding another check in the csf Server Security Check to warn if selinux is enabled?

(also, could this be another item addressed by the CS Server Service Package?)

bloggerman · Post by **bloggerman** » 22 Jan 2007, 05:03

adept2006 wrote:Apparently, Security-Enhanced Linux (selinux) isn't as secure as the title implies... - see post by katmai: http://forums.cpanel.net/showthread.php?t=55944

Would it be worth adding another check in the csf Server Security Check to warn if selinux is enabled?

(also, could this be another item addressed by the CS Server Service Package?)

Never has and never will be secure, these guys here at config server are on top of it all it seems, as I have CSF on _ALOT_ of our servers and I am very pleased with it. SELINUX sux0rz period!

sebby · Post by **sebby** » 06 Feb 2007, 20:55

[CentOS4 w all CS scripts installed]

Everyone seems to be biased when it comes to Selinux...
Is disabling selinux an official recommendation of the ConfigServer Team?

Regards,

/sebastien

Post by **chirpy** » 06 Feb 2007, 21:20

AFAIK, cPanel won't function correctly on a server with SELinux full enabled, only in permissive/disabled modes.

sebby · Post by **sebby** » 08 Feb 2007, 00:08

To your knowledge, is the following message generated by Selinux:

Code: Select all

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Feb  7 18:50:56 server2 filelimits: Increasing file system limits succeeded

These log files are great but how can we find out what generated them?

Post by **chirpy** » 08 Feb 2007, 17:17

sebby wrote:To your knowledge, is the following message generated by Selinux:
Code: Select all
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Feb  7 18:50:56 server2 filelimits: Increasing file system limits succeeded
These log files are great but how can we find out what generated them?

That's nothing to do with selinux. cPanel run a script regularly that checks the current open file descriptor limit in the kernel and compares it to how many files are actually open. If the second value is approaching the first then the script pokes a new value for the open file descriptor limit into the kernel. It then also redoes this when the server is rebooted.

This helps to keep the server stable and optimises file descriptor performance.

It's perfectly normal to see this happening and is very common indeed on newly commissioned servers as load is applied to them.

Nothing to worry about.