General Forum -> SELinux anyone?
2010-03-10 17:11:34
1 of 21
#4006
Do any of you guys use SELinux in any of your Linux installs?
---------------------------------------------------------
Software Developer & Entrepreneur, DTLink Software
Merciless Overlord of YML.COM.
Posted by: Yermo
2010-03-10 19:21:08
2 of 21
#4007
in reply to #4006
Beyond turning it off at install time so far, no.
--------------------------------------------------
duncansterling.com
Posted by: buffalo
2010-03-10 20:07:54
3 of 21
#4009
in reply to #4007
Ditto for me.
--
Ryan Chapin
======================================================================
Nuts & Bolts Interactive, Inc. http://www.nbinteractive.com
Builders of Intelligent Business Websites and Database Solutions
Posted by: 647
2010-03-10 20:08:47
4 of 21
#4010
in reply to #4009
I ran into a "formVista doesn't run because of SELinux" problem. More info here:

http://formvista.com/fv-b-12-143/On-Fedora-Core-12--SEL...
---------------------------------------------------------
Software Developer & Entrepreneur, DTLink Software
Merciless Overlord of YML.COM.
Posted by: Yermo
2010-03-10 20:28:44
5 of 21
#4012
in reply to #4006
Not here.

BTW, you guys don't know what you're missing by not using OpenBSD.
Posted by: Ian
2010-03-10 22:34:53
6 of 21
#4015
in reply to #4012
Things have really changed for me. In the old days it was about the underlying technologies, but these days it's really just about what lets me run the apps I want to the most easily.

I have to admit Fedora is not bad. If I were in some hard core technical shop, I could see running BSD just to stay close to the OS and keep the skills up. But that's just not where I am these days.
---------------------------------------------------------
Software Developer & Entrepreneur, DTLink Software
Merciless Overlord of YML.COM.
Posted by: Yermo
2010-03-10 22:54:51
7 of 21
#4018
in reply to #4015

Yermo wrote
Things have really changed for me. In the old days it was about the underlying technologies, but these days it's really just about what lets me run the apps I want to the most easily.


That is somewhat applicable for a workstation or laptop, but not for a server. I assumed you were talking about servers.
Posted by: Ian
2010-03-10 22:57:06
8 of 21
#4019
in reply to #4018
Oops. Sorry. I wasn't clear. I'm running Fedora as a desktop and it has SELinux turned on by default.

I figured, since if I ever get any adoption for formVista I'll run into this problem again, I'd delve into it.

It'll just be a matter of time before RHEL/CentOS enforce SELinux as well.

But yea, for a server I could see running BSD, but then again I'd probably miss the auto-updates.
---------------------------------------------------------
Software Developer & Entrepreneur, DTLink Software
Merciless Overlord of YML.COM.
Posted by: Yermo
2010-03-10 23:55:35
9 of 21
#4021
in reply to #4019

Yermo wrote

But yea, for a server I could see running BSD, but then again I'd probably miss the auto-updates. ;)


Updates can be automated if you like, though their philosophy questions the merits of automatic updates on a server. But being a rather secure system by default, updates are less frequent and generally less critical.
Posted by: Ian
2010-03-11 00:25:55
10 of 21
#4022
in reply to #4021
Yea, I can certainly understand that perspective. But given incredible time constraints I just don't have the kind of time necessary to manually manage a box to that degree any more ...
---------------------------------------------------------
Software Developer & Entrepreneur, DTLink Software
Merciless Overlord of YML.COM.
Posted by: Yermo
2010-03-13 19:34:17
11 of 21
#4054
in reply to #4019
It seems some distributions have it on by default. How do I tell if it is on on my box?
Posted by: MikeS
2010-03-13 19:39:19
12 of 21
#4055
in reply to #4054
Depending on the distribution you are using you can check:

/etc/sysconfig/selinux

For instance, under Fedora Core 12 the contents of that file on my box are:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

which indicates it's turned on in enforcing mode. Permissive sets it to log all SELinux security issues but allows them through.
---------------------------------------------------------
Software Developer & Entrepreneur, DTLink Software
Merciless Overlord of YML.COM.
Posted by: Yermo
2010-03-13 19:49:24
13 of 21
#4056
in reply to #4055
I was on the CentOS home page looking for something else and found another answer: sestatus

[root@Ferb spath]# /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

This actually tells me that it is running and what mode it is in.
Posted by: MikeS
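
The two checks from posts #4055 and #4056 can be combined: the config file states the mode applied at boot, while sestatus also reports the current mode, and the two can differ. The script below is an added example, not part of any post in this thread; the function names are hypothetical, and the /sys/fs/selinux mount point is an assumption for newer releases (the thread's box uses /selinux).

```shell
#!/bin/sh
# Added example. Compares the boot-time mode (config file) with the live
# mode (selinuxfs "enforce" file). Paths are arguments so the functions
# can be run against constructed sample files.

# Print the SELINUX= value from a config file; comment lines are skipped.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Print the live mode: the enforce file holds 1 (enforcing) or 0
# (permissive); if it is missing, SELinux is not active in the kernel.
runtime_mode() {
    [ -r "$1" ] || { echo disabled; return 0; }
    case "$(cat "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Report whether both views agree: 0 = consistent, 1 = drift, 2 = no setting.
selinux_check() {
    cfg=$(config_mode "$1")
    live=$(runtime_mode "$2")
    [ -n "$cfg" ] || { echo "no SELINUX= line in $1 (live=$live)"; return 2; }
    [ "$cfg" = "$live" ] && { echo "consistent: $live"; return 0; }
    echo "drift: config=$cfg live=$live"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    # Real system: config path as quoted in the thread; selinuxfs was
    # mounted at /selinux on older releases, /sys/fs/selinux on newer ones.
    enforce=/sys/fs/selinux/enforce
    [ -e "$enforce" ] || enforce=/selinux/enforce
    selinux_check /etc/sysconfig/selinux "$enforce"
else
    # Constructed sample: config says enforcing, kernel is permissive.
    d=$(mktemp -d)
    printf '# comment\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/config"
    printf '0' > "$d/enforce"
    selinux_check "$d/config" "$d/enforce" || true
    rm -rf "$d"
fi
```

Run with `--live` to check the real system; a "drift" result means the mode in effect now is not the one the box will boot into.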
2010-03-13 19:50:32
14 of 21
#4057
in reply to #4056
Now that I know it is enabled, is that a good thing or a bad thing that it's enabled?
Posted by: MikeS
2010-03-13 19:57:09
15 of 21
#4058
in reply to #4057
From a security perspective it's a good thing. SELinux greatly expands the kinds of permissions the system keeps track of.

Using SELinux you can, for instance, specify that the web daemon (httpd) is only allowed to write to specific directories or prevent it from making outgoing network connections, etc. Unfortunately, all this flexibility brings with it tremendous complexity.

So it often happens that when SELinux is enabled, programs like Google Earth end up not working.

Most people turn it off because of the hassle it represents.

---------------------------------------------------------
Software Developer & Entrepreneur, DTLink Software
Merciless Overlord of YML.COM.
Posted by: Yermo