Date: Mon, 9 Jan 2017 20:18:22 -0800
Content-Type: text/plain
On 2017-01-09 16:04, Konstantin Olchanski wrote:
> On Sat, Jan 07, 2017 at 08:18:38PM -0800, jdow wrote:
>>
>> Blanket disabling both of [selinux and iptables] at once, permanently is stupid beyond
>> belief ...
>>
>
>
> And then there is the reality:
>
> In el6 (and earlier), selinux was not functional and iptables were not enabled by default.
>
> So I see el7 is a big improvement:
>
> a) iptables/firewalld is enabled by default and is easy to manage. no reason to turn it off ever.
> b) selinux is mostly functional except for obscure bugs.
>
> So we go from 0-out-of-2 to 2-out-of-2, unless you have been burned and scarred
> (but not fired) by the NFS server bug, in which case it is 1-out-of-2.

SELinux worked for me for quite a while from 6.2 on up. Now, with 7 (and perhaps
with 6) there are some problems I don't know enough to work around. I have a
MESSY workaround in 6.x. I learned what the files in /etc/dhcp/dhclient.d do.
So I used that to update a manually generated iptables that has a trick on open
ports that allows one login per 90 seconds (or whatever I set it to). That
worked. A file named "iptables.sh" calls the real iptables script I have tucked
away in /etc/sysconfig.

Now, all that works; but I have an email arrangement that uses "fetchmail" to
pull mail down from my ISP. I've found in the past it seems to have problems
when the IP address from the ISP changes. (Damnifinowhy) And I have to get it
started in the first place. "RestartMail.sh" seemed like the perfectly logical
place to make sure it starts.

RestartMail.sh at first tried to "sudo" to the appropriate account and run a
start mail script there. Nope. Fetchmail could not save or manipulate its pid
file. Besides, sudo would not reliably run. I tried "su -l user command". Nope. It
seems to vary with the phase of the Moon or something whether su or sudo is even
accepted in the script. And always "fetchmail -d 120" has trouble with its pid
file. The semodules "trick" doesn't seem to work or stick around through reboots.
So, I have to fark around with crontab and a script that detects changed
conditions so that fetchmail gets started properly.

Some REALLY good documentation for SELinux with some good drawings as well as a
snow job of words would be worthwhile. I'm not holding my breath. I'm just
working around the various SELinux imposed annoyances. I feel naked without it;
but, it wears like a wool bikini - itchy and scratchy.

{o.o}
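The dhclient.d hook mechanism and the "one login per 90 seconds" trick that the post describes, written out as an added example (this is not jdow's own iptables.sh, which the thread never shows). It uses the iptables recent match; the chain name RATELIMIT, port 22, the 90-second window and the variable names are assumptions, while the <name>_config / <name>_restore calling convention is the one the EL6/EL7 dhclient-script uses for executable files in /etc/dhcp/dhclient.d:

```shell
#!/bin/sh
# Added example (not jdow's script): a dhclient.d hook that rebuilds a
# per-source rate limit on a listening port whenever the ISP lease changes.
# Install as /etc/dhcp/dhclient.d/iptables.sh and chmod +x; on EL6/EL7,
# dhclient-script sources every executable /etc/dhcp/dhclient.d/<name>.sh and
# calls <name>_config on BOUND/RENEW/REBIND and <name>_restore on
# RELEASE/EXPIRE/FAIL, with $interface and $reason in the environment.
# Chain name, port and window below are assumptions, not taken from the post.

IPTABLES=${IPTABLES:-/sbin/iptables}
RL_CHAIN=${RL_CHAIN:-RATELIMIT}   # dedicated chain, so reloads stay idempotent
RL_PORT=${RL_PORT:-22}            # TCP port to protect
RL_SECONDS=${RL_SECONDS:-90}      # at most one NEW connection per source per window

# Emit the chain body as text: a source seen within the last $RL_SECONDS is
# dropped (--rcheck does not refresh its timestamp, so the window does not
# slide), otherwise it is recorded with --set and accepted. Printing the
# rules lets the policy be reviewed or tested without root.
ssh_ratelimit_rules() {
    cat <<EOF
-A $RL_CHAIN -m recent --name $RL_CHAIN --rcheck --seconds $RL_SECONDS -j DROP
-A $RL_CHAIN -m recent --name $RL_CHAIN --set -j ACCEPT
EOF
}

# Jump rule: only NEW connections to the port on the leased interface are
# subjected to the limit; established traffic is untouched.
ratelimit_jump() {
    echo "INPUT -i $interface -p tcp --dport $RL_PORT -m conntrack --ctstate NEW -j $RL_CHAIN"
}

# Called by dhclient-script after a lease is bound or renewed.
iptables_config() {
    "$IPTABLES" -N "$RL_CHAIN" 2>/dev/null || true   # already exists on renew
    "$IPTABLES" -F "$RL_CHAIN"
    ssh_ratelimit_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule text is intended
        "$IPTABLES" $rule
    done
    jump=$(ratelimit_jump)
    # delete any earlier copy first so renewals do not stack duplicate jumps,
    # then insert at the top of INPUT, ahead of any blanket ACCEPT for the port
    "$IPTABLES" -D $jump 2>/dev/null || true
    "$IPTABLES" -I $jump
}

# Called by dhclient-script when the lease is released or expires.
iptables_restore() {
    "$IPTABLES" -D $(ratelimit_jump) 2>/dev/null || true
}
```

Because the file only defines functions, it can be sourced by hand (with `interface` set) to dry-run it with `IPTABLES=echo` before trusting it to a lease event. Two caveats a practitioner would want: the jump must stay ahead of any general ACCEPT for the port or it never fires, and the recent module keeps at most ip_list_tot entries per list (100 by default), after which the oldest source is evicted. The fetchmail pid-file failures under SELinux that the post mentions are a separate matter; whatever is being denied is recorded as AVC records in /var/log/audit/audit.log (`ausearch -m AVC`), which is the place to look before changing policy.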