[Linux-cluster] To SELinux or not to SELinux ?

Colin Simpson Colin.Simpson at iongeo.com
Fri Dec 10 17:04:37 UTC 2010


It seems to now be supported on RHEL 6 according to the Cluster Admin
Guide.


Colin


On Fri, 2010-12-10 at 16:37 +0000, Eric Searcy wrote:
> On Fri, Dec 10, 2010 at 7:22 AM, Nicolas Ross
> <rossnick-lists at cybercat.ca> wrote:
> > Over the CentOS-users list there is a long on-going thread about
> > SELinux.
> > Since its introduction a while back, I always disabled selinux
> > because of the added complexity and never took the time to learn it.
> >
> > For our soon to be production cluster of 8 nodes, I will be
> > attempting to at least set selinux at permissive to see how it works
> > and learn it. Our services are mostly of 3 types: database server,
> > apache server, our own compile, and used in non-standard locations,
> > and java servers, using the default java, application and data
> > directory on the gfs shared storage.
> >
> > So, for a cluster, using fencing, gfs, and all the needed tools to
> > run a cluster, is there any reason not to use selinux? I am looking
> > to see if cluster operators use or do not use selinux...
> 
> As far as RHCS (at least on 5) is concerned, there are notes that
> SELinux isn't supported.  In other words those packages don't set
> labels properly or add policy modules that would be needed.  Of
> course, that doesn't stop you from using audit2allow to "clean up" the
> denies you find while running in permissive (some denies will only
> show up during boot).  I also locked myself out of the entire cluster
> once and had to use a kernel append option to disable selinux :-)
> 
> I decided to run enforcing for greater defense in depth, but for the
> time being on everything except RHCS.  For all my other boxes, I
> switch it to permissive before minor dist upgrades and then set each
> box back to enforcing after the next reboot without denies (I've been
> doing this since 5.3, when updates to the enforcing policy broke a
> bunch of labeling stuff and I was putting out fires since everything
> was in enforcing still).
> 
> Eric
> 
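The permissive-then-enforcing workflow Eric describes (collect AVC denials while permissive, review them, go back to enforcing only after a boot that logged none) as an added example that is not from this thread: the audit.log records are constructed, and the httpd_t/default_t contexts are only illustrative of a web root in a non-standard location.

```python
import re

# Constructed audit.log excerpt (not real cluster output): two AVC denials for
# httpd reading an unlabelled web root, plus non-AVC records that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291999001.100:101): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev=dm-3 ino=4401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1291999001.100:101): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1291999002.250:102): avc:  denied  { getattr } for  pid=2210 comm="httpd" path="/gfs/www/index.html" dev=dm-3 ino=4401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1291999003.000:103): avc:  denied  { read } for  pid=2211 comm="httpd" name="app.conf" dev=dm-3 ino=4420 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=USER_LOGIN msg=audit(1291999004.000:104): pid=2300 uid=0 auid=500 res=success
"""

# Matches the fields of a kernel AVC record: timestamp, verdict, permission set,
# process name, source domain, target type and object class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=\w+:\w+:(?P<sdom>\w+):\S+\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)'
)

def parse_avc(log_text):
    """Return one dict per AVC record; SYSCALL, USER_LOGIN etc. are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = float(ev["ts"])
            ev["perms"] = frozenset(ev["perms"].split())
            events.append(ev)
    return events

def denials_since(log_text, boot_ts):
    """Denials logged at or after boot_ts, so boot-time-only denials are included."""
    return [e for e in parse_avc(log_text) if e["verdict"] == "denied" and e["ts"] >= boot_ts]

def summarize(denials):
    """Group by (source domain, target type, class) and union the denied permissions,
    which is the shape a policy review (or audit2allow) reasons about."""
    summary = {}
    for e in denials:
        summary.setdefault((e["sdom"], e["ttype"], e["tclass"]), set()).update(e["perms"])
    return summary

def ready_to_enforce(log_text, boot_ts):
    """Eric's rule: return to enforcing only after a boot with no denials."""
    return len(denials_since(log_text, boot_ts)) == 0
```

A denial against default_t usually points at a labelling gap (the web root needs a proper file context) rather than at a policy rule that should be allowed wholesale.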
