On 12/03/2015 03:45 PM, Cowboy wrote:
> On 12/03/2015 03:29 PM, Rob Landry wrote:
>> I haven't tried CentOS 7 yet.
>
> My latest major pain, be aware that CentOS-7 (and RHEL 7) now come
> shipped with SELinux set to ENFORCING, which means that many things
> you'd expect to work, just don't, and silently.

Woah there, Cowboy.... all SELinux denials are recorded as avc denials
in /var/log/audit/audit.log by default. It will be increasingly
difficult to run without SELinux, at least on CentOS. But, CentOS 6 also
ships with SELinux set to ENFORCING by default, too; it's not new with
CentOS 7.

> Change it to DISABLED and things go as you would expect.

You can also change it to PERMISSIVE and things work, and the system
records where they would have broken, and the system continues to record
the proper contexts so that you can go back to using SELinux without a
complete filesystem relabel.
Learning to use SELinux with the booleans and knobs that Red Hat has
provided isn't that hard, and it is a great extra layer of security on
critical systems. I have seen attempted attacks that were thwarted with
SELinux (and one was on a system that was not internet-connected; there
just happened to be a virus-infected Windows machine on the same LAN).
But, that's just my opinion..... but, well, I do Linux servers as part
of what I do for a living.
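
The reply above notes that denials are written as AVC records to /var/log/audit/audit.log and that PERMISSIVE mode records what would have been blocked. As an added example (not part of the original message), this Python sketch parses such records and reports which ones were enforced and which were only logged. The sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records in the audit.log AVC format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1449175500.101:411): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1449175500.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1449175512.220:415): avc:  denied  { read open } for  pid=2101 comm="httpd" path="/home/demo/site/a.css" dev="dm-0" ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1449175530.007:420): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    perm = fields.get('permissive')  # some records carry no permissive= field
    return {
        'time': float(m.group('ts')),
        'comm': fields.get('comm'),
        'perms': tuple(m.group('perms').split()),
        # A context is user:role:type:level; the type is what policy rules name.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields.get('tclass'),
        'blocked': None if perm is None else perm == '0',
    }

def summarize(text):
    """Parse every line and count denials per (source, target, class)."""
    denials = [d for d in map(parse_avc, text.splitlines()) if d]
    counts = Counter((d['source_type'], d['target_type'], d['tclass']) for d in denials)
    return denials, counts

if __name__ == '__main__':
    denials, counts = summarize(SAMPLE_LOG)
    for (src, tgt, cls), n in counts.most_common():
        print(f'{n} denial(s): {src} -> {tgt} ({cls})')
    labels = {True: 'blocked', False: 'logged only (permissive)', None: 'mode not recorded'}
    for d in denials:
        print(d['comm'], ' '.join(d['perms']), labels[d['blocked']])
```
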