[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Linux-cluster] To SELinux or not to SELinux ?



On Fri, Dec 10, 2010 at 7:22 AM, Nicolas Ross
<rossnick-lists cybercat ca> wrote:
> Over the CentOS-users list there is a long on-going thread about SELinux.
> Since it's introduction a while back, I alwasy disabled selinux because of
> the added complexity and never took the time to learn it.
>
> For our soon to be production cluster of 8 nodes, I will be attempting to at
> least set selinux at permissive to see how it works and learn it. Our
> services are mostly of 3 type. Database server, apache server, our own
> compile, and used in a non-standard locations and java servers, using the
> default java, application and data directory on the gfs shared storage.
>
> So, for a cluster, using fencing, gfs, and all the needed tools to run a
> cluster, is there any reason not to use selinux ? I am looking to see if
> cluster operator use or do not use selinux...

As far as RHCS (at least on 5) is concerned, there are notes that
SELinux isn't supported.  In other words those packages don't set
labels properly or add policy modules that would be needed.  Of
course, that doesn't stop you from using audit2allow to "clean up" the
denies you find while running in permissive (some denies will only
show up during boot).  I also locked myself out of the entire cluster
once and had to use a kernel append option to disable selinux :-)

I decided to run enforcing for greater defense in depth, but for the
time being on everything except RHCS.  For all my other boxes, I
switch it to permissive before minor dist upgrades and then set each
box back to enforcing after the next reboot without denies (I've been
doing this since 5.3, when updates to the enforcing policy broke a
bunch of labeling stuff and I was putting out fires since everything
was in enforcing still).

Eric


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]