SELinux Policy

**cPanelJerrySmith** · 06-21-2011 12:38 PM

I'd like to see cPanel develop an official SELinux policy to allow administrators to operate their servers with SELinux turned on.

cPanel could install this policy automatically as part of the cPanel installation process (sh latest) and keep it updated automatically as part of the cPanel update process (upcp).

cPanel could still recommend disabling SELinux and allow each administrator to decide whether they want to enable SELinux for their machine.

No interface would be required in WHM. The SELinux policy would be installed and updated automatically and enabling/disabling SELinux would be up to each system administrator and would be done manually on the command line.

*** UPDATE ***

I would like to stress that preferably this is how it would work:

1) Installation instructions would still recommend SELinux be disabled or set to permissive
2) Enabling SELinux would have to be enabled manually by system administrator
3) cPanel would only support the installation of the SELinux policy and not issues with SELinux itself
4) SELinux would require a system administrator with experience in dealing with it

**monarobase** · 06-22-2011 06:45 AM

I like the idea. Would be nice to have !

**Infopro** · 06-22-2011 07:26 AM

For the uninitiated:

SELinux can potentially control all users, processes and daemons with very precise specifications which activities are allowed for every member. However currently it is mostly used to confine daemons like database engines or web servers that have more clearly defined data access and activity rights. A confined daemon that becomes compromised is thus limited in the harm it can do. Ordinary user processes often run in the unconfined domain, not restricted by SELinux but still restricted by the classic Linux access rights.

Security-Enhanced Linux - Wikipedia, the free encyclopedia