On Sun, Jan 08, 2017 at 04:30:06AM +0100, David Sommerseth wrote:
> On 06/01/17 23:56, Konstantin Olchanski wrote:
> > On Sat, Dec 31, 2016 at 04:28:04PM -0800, jdow wrote:
> >> ... new 7.2 machine.
> >> ... SELinux issues.
> >>
> > You *must* disable SELinux in CentOS-7.
> 
> *That* deserves the price for the worst advice in 2017.
>


David, you are ignoring the specific reasons why I say this.

a) "reboot with selinux disabled" has been the only way to delete
files from ZFS. May be fixed in the latest release of ZFS.

b) for the NFS server, you can run with SElinux as long as you manually
specifying unique "fsid" values in /etc/exports. This work around
is not widely known, not included in the documentation.

If these two bugs inspire confidence in selinux, sure, leave it enabled. A good example
of "medicine is as bad as the disease".

Personally, I am amazed that Red Hat, a server OS vendor, would have a continuing
bug where the NFS server is broken if SElinux is enabled. Today's quality standard
seems to be "but it works just fine on my laptop!".

P.S. For reference,

the NFS server bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1350927
https://bugzilla.redhat.com/show_bug.cgi?id=1326406
(originally reported last April, still not fixed)

the ZFS bug:
https://github.com/zfsonlinux/zfs/issues/4845
(it is reported as fixed in current release of ZFS,
I do not confirm yet due to lack of time, have bigger fish to fry
than debugging ZFS and SElinux).


-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada