SCIENTIFIC-LINUX-USERS Archives

January 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Sat, 7 Jan 2017 20:18:38 -0800
On 2017-01-07 19:30, David Sommerseth wrote:
> On 06/01/17 23:56, Konstantin Olchanski wrote:
>> On Sat, Dec 31, 2016 at 04:28:04PM -0800, jdow wrote:
>>> ... new 7.2 machine.
>>> ... SELinux issues.
>>>
>> You *must* disable SELinux in CentOS-7.
>
> *That* deserves the prize for the worst advice in 2017.  With '*must*',
> that is just a way too strong advice which I hope nobody really
> considers strongly.  It's as equally bad as saying "disable and flush
> iptables because it blocks connections to your host".
>
> I honestly hoped we had moved much further forward than this ...

I have turned SELinux permissive to try to track down problems. It removes one 
giant unknown variable from the picture. I seldom leave it that way very long.

And in a fairly clean (no servers) install iptables opened wide for brief 
periods can be considered "safe enough". Now, if you have a telnetd running (but 
--- why would you do something so stupid?) opening the firewall is suicidal.

Blanket disabling both of them at once, permanently, is stupid beyond belief,
IMAO. OTOH the people who got in so easily might figure it's a honeypot or 
something and walk away. But that's a stretch.

{^_-}
