[Triumf-linux-managers] Anyone not turning off SELinux ?
Kelvin Raywood
kray at triumf.ca
Mon Oct 6 18:32:38 PDT 2008
Andrew Daviel wrote:
> I just wondered if anyone was successfully living with SELinux in
> enforcing mode.
The TRIUMF kickstarts of SL 5.1 and 5.2 have SELinux enabled by default.
This can be overridden during the first-boot but would then require
another reboot. You can check your SELinux mode with the command
"/usr/sbin/sestatus" (works as non-root).
So if you have SELinux enabled but didn't know it, Andrew would like to
hear from you.
However, it is servers such as web, database, print, ... that are most
likely to be affected by SELinux (by design) and the TRIUMF kickstarts
do not install any of these packages. If you've installed and
configured any server-packages and use SELinux or have since disabled
it, then we'd like to hear about your experience.
We have migrated many central services to single-purpose
virtual-machines which have a very minimal set of packages installed.
They typically have SELinux disabled since isolation of services is
enforced at the machine level. There is less to be gained from SELinux
on a single-service virtual-machine than in a multi-purpose machine with
several services.
We have SELinux enabled on the virtual-machine host which is also
providing time service as "time1.triumf.ca". SELinux has not caused any
issues in this scenario.
--
Kel Raywood
Core Computing and Networking