On Sat, Jan 07, 2017 at 08:18:38PM -0800, jdow wrote:
> 
> Blanket disabling both of [selinux and iptables] at once, permanently is stupid beyond
> belief ...
>


And then there is the reality:

In el6 (and earlier), selinux was not functional and iptables were not enabled by default.

So I see el7 is a big improvement:

a) iptables/firewalld is enabled by default and is easy to manage. no reason to turn it off ever.
b) selinux is mostly functional except for obscure bugs.

So we go from 0-out-of-2 to 2-out-of-2, unless you have been burned and scarred
(but not fired) by the NFS server bug, that it is 1-out-of-2.


-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada