Wes James wrote:
> On Tue, Nov 5, 2013 at 3:38 PM, <m.roth at 5-cent.us> wrote:
>
>> John R Pierce wrote:
>> > On 11/5/2013 2:15 PM, m.roth at 5-cent.us wrote:
>> >> Wes James wrote:
>> >>> >When does echo 0 > /selinux/enforce need to be used? I.e., where
>> >>> is selinux enforcing itself on the system to protect it? When I do
>> >>> yum install of some package, it seems to work (not being blocked).
>> >>> When would doing something not work because selinux is watching it (or
>> >>> whatever that process is doing)?
>> >>> >
>> >> It changes selinux mode from enforcing to permissive, which means it
>> >> still complains, but lets the processes run anyway.
>> >
>> > the most common scenario for selinux problems is when you change
>> > default locations for something, for instance, putting a postgresql database
>> > cluster on a different path than /var/lib/postgresql/x.y/data, or have
>> > users with home directories other than /home/$USER
>> >
>> > if you do something like this and get weird errors, you can set
>> > selinux to permissive, and see your thing works. if so, analyze the selinux
>> > error logs to see what corrective action you need (typically,
>> > relabeling the unusual location for whatever it is).
>>
>> Or you might need to create special local policies for software in
>> non-standard (but standard for your work environment) locations, or for
>> local or third party software that was written in total ignorance or
>> disregard of selinux (such as from CA, or Matlab...), or, in some cases,
>> just leave it in permissive mode.
>>
>> mark "NOT a fan of selinux, dealt with it far too much"
>>
> OK. Why not use some other linux that doesn't use selinux then? I guess
> in permissive mode, you could still monitor the logs and take action, if
> needed.

1. The most widely used distro of Linux in the US is RHEL ("upstream") and RHEL-derived distros, like CentOS. RHEL gives you selinux.

2. You really expect any organization, much less a large one, to change distros just because there's issues that annoy sysadmins, and only occasionally users (due to sysadmins fighting the good fight, and mostly beating the damn thing)?

3. I really, *REALLY* like a *stable* distro (don't get me started on fedora). None of us wants to debug the o/s....

Yeah, I'm the one who does most of the shut selinux up around here....

mark
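
The log analysis the thread describes for permissive mode can be sketched as follows. This is an added example, not part of the original messages: it parses AVC denial records in the audit log format and groups them by source type, target type and object class. The log lines, process names and paths are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in audit.log AVC format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1383689700.101:210): avc:  denied  { read } for  pid=2301 comm="postgres" name="PG_VERSION" dev=sdb1 ino=131 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1383689700.105:211): avc:  denied  { read write } for  pid=2301 comm="postgres" name="pg_control" dev=sdb1 ino=140 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1383689700.105:211): arch=c000003e syscall=2 success=yes exit=3 comm="postgres"
type=AVC msg=audit(1383689712.440:230): avc:  denied  { getattr } for  pid=2410 comm="httpd" path="/export/home/alice/public_html" dev=sdb1 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    # A context is user:role:type:level; the type is the third component.
    return {
        "comm": fields.get("comm"),
        "perms": set(m.group("perms").split()),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }

def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    perms, counts = {}, Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            perms.setdefault(key, set()).update(rec["perms"])
            counts[key] += 1
    return {k: (counts[k], sorted(perms[k])) for k in counts}

if __name__ == "__main__":
    for (src, tgt, cls), (n, p) in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} denied {n}x: {' '.join(p)}")
```

A target type that does not fit the path it appears on is the usual sign that the location needs the relabeling mentioned above rather than a new local policy.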