SCIENTIFIC-LINUX-USERS Archives

January 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Mon, 9 Jan 2017 20:18:22 -0800

On 2017-01-09 16:04, Konstantin Olchanski wrote:
> On Sat, Jan 07, 2017 at 08:18:38PM -0800, jdow wrote:
>>
>> Blanket disabling both of [selinux and iptables] at once, permanently is stupid beyond
>> belief ...
>>
>
>
> And then there is the reality:
>
> In el6 (and earlier), selinux was not functional and iptables were not enabled by default.
>
> So I see el7 is a big improvement:
>
> a) iptables/firewalld is enabled by default and is easy to manage. no reason to turn it off ever.
> b) selinux is mostly functional except for obscure bugs.
>
> So we go from 0-out-of-2 to 2-out-of-2, unless you have been burned and scarred
> (but not fired) by the NFS server bug, that it is 1-out-of-2.

SELinux worked for me for quite a while on 6.2 on up. Now, with 7 (and perhaps 
with 6) there are some problems I don't know enough to work around. I have a 
MESSY workaround in 6.x. I learned of what the files in /etc/dhcp/dhclient.d do. 
So I used that to update a manually generated iptables that has a trick on open 
ports that allow one login per 90 seconds (or whatever I set it to). That 
worked. A file named "iptables.sh" calls the real iptables script I have tucked 
away in /etc/sysconfig.

Now, all that works; but I have an email arrangement that uses "fetchmail" to 
pull mail down from my ISP. I've found in the past it seems to have problems 
when the IP address from the ISP changes. (Damnifinowhy) And I have to get it 
started in the first place. "RestartMail.sh" seemed like the perfectly logical 
place to make sure it starts.

RestartMail.sh at first tried to "sudo" to the appropriate account and run a 
start mail script there. Nope. Fetchmail could not save or manipulate its pid 
file. Besides, sudo would not reliably run. I tried "su -l user command". Nope. It 
seems to vary with the phase of the Moon or something whether su or sudo is even 
accepted in the script. And always "fetchmail -d 120" has trouble with its pid 
file. The semodules "trick" doesn't seem to work or stick around through reboots.

So, I have to fark around with crontab and a script that detects changed 
conditions so that fetchmail gets started properly.

Some REALLY good documentation for SELinux with some good drawings as well as a 
snow job of words would be worthwhile. I'm not holding my breath. I'm just 
working around the various SELinux imposed annoyances. I feel naked without it; 
but, it wears like a wool bikini - itchy and scratchy.

{o.o}
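As an added illustration of the dhclient.d approach described in the post above (this is example code, not the poster's script or anything shipped by Scientific Linux): a RHEL-style hook that rebuilds a rate-limited iptables chain when the leased address changes and then restarts fetchmail with runuser instead of su/sudo. The hook name "ratelimit", the RATELIMIT chain, port 22, the 90-second window, util-linux runuser (el7) and the MAIL_USER account are all assumptions.

```shell
#!/bin/bash
# Added example, not from the list post or the Scientific Linux project:
# a RHEL-style /etc/dhcp/dhclient.d/ratelimit.sh hook that rebuilds a
# rate-limited iptables chain whenever the lease address changes and then
# restarts fetchmail. The hook name "ratelimit", the RATELIMIT chain, the
# 90-second window, port 22 and the MAIL_USER account are all assumptions.

# Emit rules that allow one NEW TCP connection to port $1 per $2 seconds
# per source address, via the "recent" match. Rules are printed rather
# than applied so they can be reviewed or fed to iptables-restore.
ratelimit_rules() {
    local port="$1" window="$2" list="rl_$1"
    cat <<EOF
-A RATELIMIT -p tcp --dport ${port} -m conntrack --ctstate NEW -m recent --name ${list} --rcheck --seconds ${window} -j DROP
-A RATELIMIT -p tcp --dport ${port} -m conntrack --ctstate NEW -m recent --name ${list} --set -j ACCEPT
EOF
}

# Number of rules emitted for a port (two: the DROP, then the ACCEPT).
ratelimit_rule_count() {
    ratelimit_rules "$1" "$2" | wc -l | tr -d ' '
}

# dhclient-script calls ${name}_config on BOUND/RENEW/REBIND with
# $new_ip_address and $old_ip_address in the environment.
ratelimit_config() {
    # A plain renewal keeps the address; nothing to redo.
    [ "${new_ip_address:-}" = "${old_ip_address:-}" ] && return 0

    # Declaring the user chain makes iptables-restore --noflush rebuild
    # just that chain, leaving the rest of the filter table alone.
    {
        echo '*filter'
        echo ':RATELIMIT - [0:0]'
        ratelimit_rules 22 90
        echo 'COMMIT'
    } | iptables-restore --noflush
    # Add the jump from INPUT once; -C avoids stacking duplicate jumps.
    iptables -C INPUT -j RATELIMIT 2>/dev/null || iptables -I INPUT -j RATELIMIT

    # runuser (util-linux) needs neither a tty nor a password, unlike su or
    # sudo from a hook; fetchmail is told to quit, then re-daemonised.
    local user="${MAIL_USER:-mailuser}"   # assumed account name
    runuser -u "$user" -- fetchmail --quit >/dev/null 2>&1 || true
    runuser -u "$user" -- fetchmail -d 120
}

# ${name}_restore runs on release/expiry; the chain can stay as it is.
ratelimit_restore() { :; }
```

The first rule drops a NEW connection from a source seen within the window, and the second records the source and accepts, so a source gets one accepted connection attempt per window while other traffic falls through the chain untouched.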
