Wes James wrote:
On Tue, Nov 5, 2013 at 3:38 PM, m.roth@5-cent.us wrote:
John R Pierce wrote:
On 11/5/2013 2:15 PM, m.roth@5-cent.us wrote:
Wes James wrote:
When does echo 0 > /selinux/enforce need to be used? I.e., where is selinux enforcing itself on the system to protect it? When I do yum install of some package, it seems to work (not being blocked). When would doing something not work because selinux is watching it (or whatever that process is doing)?
It changes selinux mode from enforcing to permissive, which means it still complains, but lets the processes run anyway.
The most common scenario for selinux problems is when you change default locations for something, for instance, putting a postgresql database cluster on a different path than /var/lib/postgresql/x.y/data, or have users with home directories other than /home/$USER.
If you do something like this and get weird errors, you can set selinux to permissive, and see your thing works. If so, analyze the selinux error logs to see what corrective action you need (typically, relabeling the unusual location for whatever it is).
Or you might need to create special local policies for software in non-standard (but standard for your work environment) locations, or for local or third party software that was written in total ignorance or disregard of selinux (such as from CA, or Matlab...), or, in some cases, just leave it in permissive mode.
mark "NOT a fan of selinux, dealt with it far too much"
OK. Why not use some other linux that doesn't use selinux then? I guess in permissive mode, you could still monitor the logs and take action, if needed.
1. The most widely used distro of Linux in the US is RHEL ("upstream") and RHEL-derived distros, like CentOS. RHEL gives you selinux.
2. You really expect any organization, much less a large one, to change distros just because there are issues that annoy sysadmins, and only occasionally users (due to sysadmins fighting the good fight, and mostly beating the damn thing)?
3. I really, *REALLY* like a *stable* distro (don't get me started on fedora). None of us wants to debug the o/s....
Yeah, I'm the one who does most of the shut selinux up around here....
mark
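The triage loop the thread describes (drop to permissive, read the audit log, then either relabel the relocated directory or accept that a local policy is needed), as an added example that is not from the thread. The AVC lines are constructed, and /srv/pgdata and the postgresql_db_t label are assumptions for the relocated-postgres case.

```shell
# Added example, not from the thread. Constructed AVC denials in
# /var/log/audit/audit.log format (pids, inodes, timestamps made up):
# lines 1-2 are a postgres cluster living outside /var/lib/pgsql,
# line 3 is a denial that no relabel will fix.
AVC_SAMPLE='type=AVC msg=audit(1383690000.123:456): avc:  denied  { read } for  pid=1234 comm="postgres" name="data" dev=sda1 ino=12345 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1383690001.456:457): avc:  denied  { write add_name } for  pid=1234 comm="postgres" name="pg_log" dev=sda1 ino=12346 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1383690002.789:458): avc:  denied  { name_connect } for  pid=2222 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket'

# avc_summary LINE -> "comm perms tclass source_type target_type" (perms comma-joined)
avc_summary() {
    printf '%s\n' "$1" | awk '{
        perm = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if ($i ~ /^comm=/)   { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
            else if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        print comm, perm, tclass, stype, ttype
    }'
}

# avc_triage LINE -> "relabel" when the target carries a generic label (the
# relocated-directory case), else "policy" (a boolean or local module is needed).
avc_triage() {
    set -- $(avc_summary "$1")
    case $5 in
        var_t|default_t|unlabeled_t|usr_t|user_home_t|home_root_t) echo relabel ;;
        *) echo policy ;;
    esac
}

# avc_count_by_domain LOG -> "count source_type", most frequent first: what
# selinux is actually complaining about while the box sits in permissive.
avc_count_by_domain() {
    printf '%s\n' "$1" | grep 'avc:  denied' |
        while IFS= read -r l; do avc_summary "$l"; done |
        awk '{ c[$4]++ } END { for (d in c) print c[d], d }' | sort -rn
}

# relabel_fix TYPE PATH -> the persistent relabel commands (printed, not run).
relabel_fix() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\nrestorecon -Rv "%s"\n' "$1" "$2" "$2"
}

avc_count_by_domain "$AVC_SAMPLE"
first=$(printf '%s\n' "$AVC_SAMPLE" | head -n 1)
# /srv/pgdata and postgresql_db_t are the assumed location and expected label.
if [ "$(avc_triage "$first")" = relabel ]; then relabel_fix postgresql_db_t /srv/pgdata; fi
```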