Any SELinux Experts?

Latest response

The enterprise I work for is starting to push RedHat, in earnest, into the enterprise. Currently, the standard build we are deploying has SELinux enabled in targeted enforcement mode. Recently, a newly deployed RHEL system was requested to be added to our enterprise backup solution, NetBackup. Unfortunately, this system is encountering issues that "smell" like they might be SELinux-related.

 

Has anyone here ever tried to get SEL-enabled RHEL systems working as NetBackup clients? I've Googled around and perused a few NetBackup forums. Of the few posts I encounter about NBU in SEL-enabled environments, the universal number one suggestion seems to be "disable SEL" (seen this reply for other popular software people attempt to run on SEL-enable RHEL systems, too). This isn't exactly a "solution" that our enterprise's security folks are likely to want to allow. 

 

I know that I can run SELinux in permissive mode and then use the audit log processing tools to generate SEL policy modules. However, I'm not familiar enough with SEL to feel comfortable that such generated policy modules won't, essentially, neuter SEL (much like bad /etc/sudoers configurations can really render system security meaningless). Was hoping someone had solved this or similar problems or could tell me if I was being over-worried about the ramifications of generated policy modules.

 

I'm also working with the vendor to get their assistance. Unfortunately, initial indications seem to be that NetBackup under SEL just isn't that common a support request for them. The more I try to deploy commercial applications on our RHEL build, the more I notice that applications' SEL-support is an afterthought at best.

 

Any way, thanks in advance for any tips.

Responses