On Sat, Jan 07, 2017 at 08:18:38PM -0800, jdow wrote:
> 
> Blanket disabling both of [selinux and iptables] at once, permanently is
> stupid beyond belief ...
>


And then there is the reality:

In el6 (and earlier), selinux was not functional and iptables were not enabled 
by default.

So I see el7 is a big improvement:

a) iptables/firewalld is enabled by default and is easy to manage. No reason to
turn it off ever.
b) selinux is mostly functional except for obscure bugs.

So we go from 0-out-of-2 to 2-out-of-2, unless you have been burned and scarred
(but not fired) by the NFS server bug, then it is 1-out-of-2.


-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
