LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

June 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS June 2016

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: SL7 CUPS/SELinux problem trying to install Brother HL-3150CDN printer driver
From:	Nico Kadel-Garcia <[log in to unmask]>
Reply To:	Nico Kadel-Garcia <[log in to unmask]>
Date:	Thu, 30 Jun 2016 01:23:26 -0400
Content-Type:	text/plain
Parts/Attachments:	text/plain (58 lines)

On Wed, Jun 29, 2016 at 6:12 AM, David Sommerseth
<[log in to unmask]> wrote:
> On 29/06/16 10:00, Bill Maidment wrote:
>> My final attempt was successful, sort of.
>> I switched SElinux to enabled and rebooted, then the install worked OK.
>> Then I had to use a live CD to be able to boot, changed SElinux to disabled, and reboot again.
>> Then I had to us lpoptions to set the default parameters as the CUPS gui tool refused to change anything.
>> Phew. What a tortuous route.
>> Back to sleep now.........
>
> <rant>
>
> Let this be an example why NOT to disable SELinux.  SELinux has been (if
> my memory serves me right) available since Fedora 6 (released in 2006)
> and RHEL *4*!  I believe it was turned on by default in Fedora 8 and
> RHEL 5.  And in RHEL 6 you could no longer disable SELinux at install time.

It's a reason to set it to "permissive" and check the logs. And yes,
SELinux remains a problem with locally developed, thirdparty, and even
default upstream software. I'm afraid the amount of time wasted
debugging it frequently even usually, outweighs the security benefits.

> SELinux is not the obstacle it once was over a decade ago.  So if you
> have issues when it is enabled, learn to use the proper tools to debug
> and fix it correctly.  (audit2why, audit2allow, semanage, restorecon,
> etc, etc)

Until and unless you use something that is not from an RHEL or
Scientific Linux published RPM that has gone through real QA.

> Disabling SELinux is in 2016 *not* a solution and can barely be
> considered a workaround.
>
> Refusing to to use, accept and learn SELinux will serve you no good in
> the long run.

See above. Security is a trade-off between trouble saved by having
security, and caused by the security itself.

> Seriously, I've been running a various amount of Fedora, RHEL/SL/CentOS
> installations and versions over the last 8-9 years.  In SL7 SELinux have
> not bitten me much at all (only one issue with logrotate on servers
> running Zimbra Collaboration Suite, that's all).   I have the last 6-7
> years never needed to disable SELinux to accomplish my tasks.  Yes, I've
> put systems into permissive modes to see if SELinux was to blame, but
> mostly that was not the issue.

It's gotten better. As soon as you start hand-compiling servers for
development reasons, or start writing your own RPM's, it starts
costing serious engineering time.

> So if you are badly hit by SELinux troubles, you need to look into if
> you or the software you use are doing the right things.
>
> </rant>

Permissive is your friend. Disabled can cause its own problems.

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV