On 2017-01-09 16:04, Konstantin Olchanski wrote:
> On Sat, Jan 07, 2017 at 08:18:38PM -0800, jdow wrote:
>
>> Blanket disabling both of [selinux and iptables] at once, permanently is stupid beyond belief ...
>
> And then there is the reality:
>
> In el6 (and earlier), selinux was not functional and iptables were not enabled by default.
>
> So I see el7 is a big improvement:
>
> a) iptables/firewalld is enabled by default and is easy to manage. no reason to turn it off ever.
> b) selinux is mostly functional except for obscure bugs.
>
> So we go from 0-out-of-2 to 2-out-of-2, unless you have been burned and scarred (but not fired) by the NFS server bug, then it is 1-out-of-2.

SELinux worked for me for quite a while on 6.2 on up. Now, with 7 (and perhaps with 6) there are some problems I don't know enough to work around. I have a MESSY workaround in 6.x. I learned what the files in /etc/dhcp/dhclient.d do. So I used that to update a manually generated iptables that has a trick on open ports that allows one login per 90 seconds (or whatever I set it to). That worked. A file named "iptables.sh" calls the real iptables script I have tucked away in /etc/sysconfig.

Now, all that works; but I have an email arrangement that uses "fetchmail" to pull mail down from my ISP. I've found in the past it seems to have problems when the IP address from the ISP changes. (Damnifinowhy) And I have to get it started in the first place. "RestartMail.sh" seemed like the perfectly logical place to make sure it starts.

RestartMail.sh at first tried to "sudo" to the appropriate account and run a start mail script there. Nope. Fetchmail could not save or manipulate its pid file. Besides, sudo would not reliably run. I tried "su -l user command". Nope. It seems to vary with the phase of the Moon or something whether su or sudo is even accepted in the script. And always "fetchmail -d 120" has trouble with its pid file. The semodules "trick" doesn't seem to work or stick around through reboots.

So, I have to fark around with crontab and a script that detects changed conditions so that fetchmail gets started properly.

Some REALLY good documentation for SELinux with some good drawings as well as a snow job of words would be worthwhile. I'm not holding my breath. I'm just working around the various SELinux-imposed annoyances. I feel naked without it; but it wears like a wool bikini - itchy and scratchy.

{o.o}
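As an added example, not jdow's own script (the post names the file but shows none of its contents), here is a dhclient.d hook of the shape the post describes: it reapplies a per-source SSH connection limit every time the DHCP lease changes, so the rule survives address changes. Assumptions: the el6/el7 dhclient-script convention of sourcing /etc/dhcp/dhclient.d/*.sh and calling <name>_config on a new or renewed lease and <name>_restore on release (with $interface set), SSH on port 22, and the 90-second window from the post.

```shell
#!/bin/bash
# Hypothetical /etc/dhcp/dhclient.d/iptables.sh (constructed example).
# dhclient-script on el6/el7 sources this file and calls iptables_config
# when a lease is bound or renewed, and iptables_restore on release/expiry.

SSH_PORT=22
LIMIT_SECONDS=90          # one new SSH connection per source per 90 s, as in the post
IPT=${IPT:-iptables}      # override for testing; never executed at source time

# Emit (but do not run) the rules for one interface, one command per line.
# Uses the "recent" match: a source seen within LIMIT_SECONDS is dropped,
# otherwise its timestamp is (re)set and the SYN is accepted.
build_ssh_limit_rules() {
    local ifc=$1
    cat <<EOF
$IPT -N SSH_LIMIT 2>/dev/null || $IPT -F SSH_LIMIT
$IPT -A SSH_LIMIT -m recent --name ssh --rcheck --seconds $LIMIT_SECONDS -j DROP
$IPT -A SSH_LIMIT -m recent --name ssh --set -j ACCEPT
$IPT -C INPUT -i $ifc -p tcp --dport $SSH_PORT --syn -j SSH_LIMIT 2>/dev/null || $IPT -I INPUT -i $ifc -p tcp --dport $SSH_PORT --syn -j SSH_LIMIT
EOF
}

# Called by dhclient-script with $interface set (BOUND/RENEW/REBIND).
# Idempotent: the chain is flushed and the INPUT jump is only added once.
iptables_config() {
    build_ssh_limit_rules "$interface" | sh
}

# Called by dhclient-script on EXPIRE/RELEASE: remove the jump and the chain.
iptables_restore() {
    $IPT -D INPUT -i "$interface" -p tcp --dport "$SSH_PORT" --syn -j SSH_LIMIT 2>/dev/null
    $IPT -F SSH_LIMIT 2>/dev/null
    $IPT -X SSH_LIMIT 2>/dev/null
}
```

Run `IPT=echo iptables_config` with `interface=eth0` exported to see the exact commands that would be applied without touching the running firewall.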
