SCIENTIFIC-LINUX-USERS Archives

February 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Fri, 10 Feb 2017 22:40:43 +0100
On 10/02/17 18:12, Konstantin Olchanski wrote:
> On Fri, Feb 10, 2017 at 01:51:40PM +0100, David Sommerseth wrote:
>> On 09/02/17 19:01, Konstantin Olchanski wrote:
>>> Since I will learn selinux after I learn ldap after our current high-priority
>>> project ships to CERN in September, I do not see any solution other than disabling
>>> selinux until this is fixed (presumably by the EPEL package certbot including
>>> correct selinux policy kludges).
>>
>> If you can provide the related "denied" lines from
>> /var/log/audit/audit.log, I can definitely try to help you out.   In
>> worst case just provide the last 200 denied lines, and we'll start from
>> there.
>>
> 
> This information is in the bug reports I linked. I see nothing
> different from what others have reported.

Some of the information yes ... but not all.  Some of it indicates that
the policy suggestion either is not enough, not activated properly or
that the file system needs to be properly labelled.

So if you put your system into permissive mode (setenforce 0), run the
certbot stuff via cron ... and grep out the denied lines, and I'll help.
That is my offer.

>> Manipulating the SELinux policy can be hard if you haven't done it
>> before - but once you know the tools and understand the concept, it is
>> fairly simple.
>>
> 
> Everything is easy. But there are only 24 hours in the day. I will not bore
> you with my workplan for the next few months, but I will mention that "ensure selinux is activated
> on all machines" has very low priority. A higher priority item is to "figure out replacement for NIS",
> which is also very low priority, NIS still works okay, even in el7 and Ubuntu, thank you very much.

If SELinux has such low priority ... why waste time ranting about it here?

> If the general direction of el7 Linux is "must have 100% full time admin", I am sure us busy people
> will find some other linux to use.

Very productive.  Especially since "the direction of el7 Linux" isn't
even close to being managed by this mailing list.  But I could also twist
your argument: If you're not willing to accept that the world is moving
on and you need to learn things, perhaps you should start doing
something else instead?

But by all means, if you only came here to rant ... just ignore my
willingness to help.


-- 
kind regards,

David Sommerseth
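
The collection step offered in the message above (permissive mode, run the cron job, pull the denied lines from /var/log/audit/audit.log), as an added example that is not part of the original message: it parses AVC denial records, collapses repeats into unique (source context, target context, class, permission) tuples for one command, and separates denials that were actually enforced. The sample log lines, SELinux types and function names are constructed placeholders, not values from the thread or the linked bug reports.

```python
import re
from collections import Counter

# Constructed sample in audit.log format; contexts and names are placeholders,
# not values from the thread or the linked bug reports.
SAMPLE_LOG = """\
type=AVC msg=audit(1486762801.101:501): avc:  denied  { read } for  pid=2210 comm="certbot" name="example.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:example_job_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1486762801.101:501): arch=c000003e syscall=2 success=yes exit=3 comm="certbot"
type=AVC msg=audit(1486762801.140:502): avc:  denied  { write add_name } for  pid=2210 comm="certbot" name="live" dev="dm-0" ino=1400 scontext=system_u:system_r:example_job_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1486849201.007:733): avc:  denied  { read } for  pid=3127 comm="certbot" name="example.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:example_job_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486849300.500:740): avc:  denied  { getattr } for  pid=900 comm="otherd" path="/example" dev="dm-0" ino=77 scontext=system_u:system_r:example_other_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return one dict per AVC denial; non-AVC records (SYSCALL etc.) are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        fields["perms"] = m.group("perms").split()
        denials.append(fields)
    return denials


def summarize(denials, comm=None):
    """Count unique (scontext, tcontext, tclass, permission) tuples, optionally for one command."""
    counts = Counter()
    for d in denials:
        if comm is not None and d.get("comm") != comm:
            continue
        for perm in d["perms"]:
            counts[(d.get("scontext"), d.get("tcontext"), d.get("tclass"), perm)] += 1
    return counts


def enforced(denials):
    """Denials logged with permissive=0, i.e. the access was really blocked."""
    return [d for d in denials if d.get("permissive") == "0"]


if __name__ == "__main__":
    for key, n in summarize(parse_denials(SAMPLE_LOG), comm="certbot").items():
        print(n, *key)
```

Records carrying permissive=1 were logged but not blocked, which is why a run in permissive mode surfaces every access the job needs rather than only the first one refused.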
