On Fri, Feb 10, 2017 at 01:51:40PM +0100, David Sommerseth wrote:
> On 09/02/17 19:01, Konstantin Olchanski wrote:
> > Since I will learn selinux after I learn ldap after our current high-priority
> > project ships to CERN in September, I do not see any solution other than disabling
> > selinux until this is fixed (presumably by the EPEL package certbot incuding
> > correct selinux policy kludges).
> 
> If you can provide the the related "denied" lines from
> /var/log/audit/audit.log, I can definitely try to help you out.   In
> worst case just provide the last 200 denied lines, and we'll start from
> there.
> 

This information is in the bug reports I linked. I see nothing different from what others have reported.

>
> Manipulating the SELinux policy can be hard if you haven't done it
> before - but once you know the tools and understands the concept, it is
> fairly simple.
> 

Everything is easy. But there is only 24 hours in the day. I will not bore
you with my workplan for the next few months, but I will mention that "ensure selinux is activated
on all machines" has very low priority. A higher priority item is to "figure out replacement for NIS",
which is also very low priority, NIS still works okey, even in el7 and Ubuntu, thank you very much.

If the general direction of el7 Linux is "must have 100% full time admin", I am sure us busy people
will find some other linux to use.

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada