Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Qmail sendmail wrapper and SELinux
Posted: Sat Feb 03, 2007 7:21 pm
Forum User

Joined: Thu Nov 23, 2006 5:36 pm
Posts: 37
I have one test machine with qmail scanner and spamassassin installed; the system uses RHEL 4 with SELinux enabled in permissive mode. Everything works fine, the mail server works nicely with the default targeted policy and Plesk's SELinux policy, but qmail's sendmail doesn't work when called from a PHP script.

Is there anybody in here that got ART's packages to work with SELinux without excessively broadening their policy?

An example of the AVC denial errors can be found here:

https://www.redhat.com/archives/fedora- ... 00157.html

Sadly, I tried asking in many of qmail's support channels, but people do not seem to use (or like, for that matter) SELinux at all.


Posted: Sun Feb 04, 2007 12:35 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7454
Location: earth
I'm in agreement with them. SELinux is a pain in the ass; while I support it in ASL, I turned it off completely (selinux=0 at boot time) to rely on grsec instead. Two of the core deficiencies in SELinux are its lack of debugging output, alongside requiring you to write the policies. So not only do you have to create your own policies, it's very bad at telling you when one is being triggered. In contrast, Grsecurity has a learning mode, so you don't have to get into esoteric data/process labelling like you do in SELinux, and very verbose output to the logs when you violate a rule.


Posted: Sun Feb 04, 2007 5:39 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Yes, as soon as you start installing software outside of the standard repositories you'll find software that doesn't play nice with SELinux. You can always ask the authors if they'd be willing to write a policy or give it a go yourself, but as Scott mentions, it's not too much fun doing that.

_________________
Lemonbit Internet Dedicated Server Management


Posted: Mon Feb 05, 2007 4:16 pm
Forum User

Joined: Thu Nov 23, 2006 5:36 pm
Posts: 37
Thanks for the answers :) What is the performance hit of SELinux compared to grsec?


Posted: Mon Feb 05, 2007 4:28 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Might be of interest: http://kb.swsoft.com/article_17_1002_en.html

_________________
Lemonbit Internet Dedicated Server Management


Posted: Mon Feb 05, 2007 5:27 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7454
Location: earth
The only performance impact you get with GRSEC is with the PaX code on Intel CPUs. It depends on what you're doing, but a good worst-case scenario would be 3% on the CPU since it's all in software. If you're on an AMD CPU, this is available in hardware so there's no impact at all.


Posted: Sun Feb 11, 2007 2:04 am
Forum User

Joined: Thu Nov 23, 2006 5:36 pm
Posts: 37
Tried installing grsec by myself, but the server miserably failed at boot, even though I tried and double-checked everything.

Unfortunately, the fact that SELinux is preinstalled in some popular OSes included in server packages makes it a less risky business than compiling a custom kernel (even though I have done it many times in the past, and I am still wondering what went wrong with this machine).

I wish I could afford ASL's precompiled packages, but I will have to wait a bit for that, as I can barely afford to pay my server costs right now. With grsec, SELinux, and ASL packages not an option right now, the only temporary fix I have is trying to double-check all system permissions, tighten them when possible, and chroot apache - which, as Scott also said, is a nightmare in terms of maintenance on a Plesk system.

