On 03Jul2011 15:02, Paul Allen Newell <pnewell@xxxxxxxxxx> wrote:
| On 7/3/2011 2:54 PM, Paul Morgan wrote:
| >On Jul 3, 2011 5:38 PM, "Paul Allen Newell" <pnewell@xxxxxxxxxx
| ><mailto:pnewell@xxxxxxxxxx>> wrote:
| >
| >it really is bad form to run a script out of root's home
| >directory. A little untidy, sure. But...
| Perhaps put it in /usr/sbin , restorecon, and leave
| >selinux enforcing the whole time.

I wouldn't do this. /usr/sbin et al are the vendor's filesystem space;
they're free to put anything there and you may end up conflicting.

Generally, ad hoc system owner scripts belong in /usr/local (usually
/usr/local/bin for scripts/executables, or /usr/local/sbin for
not-general-purpose-command executables), or in /opt/something, such as
/opt/my-org-name/{bin,sbin,etc} as elsewhere, or in ~special_username/bin
(for example, ~backup/bin for the backup scripts if you use the backup
account for such stuff).

| Yeah, a reflection on such makes sense. I'll have to see if I still
| need setenforce=0 as I think the issue is rc.local executing the
| script and not where the script is (and I have no basis for that
| statement except for running the script as root directly works).

Running it as root directly is post the login, which I think selinux
endows with fewer constrictions. So it's not "where" so much as "when".

The problem with "setenforce 0" is that it doesn't just affect stuff
you're running from that script, it affects the whole system - selinux
stops preventing _everything_ it would normally have. OTOH, at rc.local
time there's pretty much nothing else happening - all the system daemons
are up but probably idle and the login prompts haven't yet issued. So
timingwise it is a good time to temporarily disable selinux.

And regarding the "why does selinux log so much with setenforce 0":
selinux isn't off, it is just in "permissive" mode - report all
violations of the rules but don't prevent them. It is a debugging mode;
the intent is that you correct your rules.

You can also run the system with selinux genuinely off, though I think it
may need a reboot once selinux has been started at all.

Cheers,
-- 
Cameron Simpson <cs@xxxxxxxxxx> DoD#743
http://www.cskk.ezoshosting.com/cs/

it seems like it's time to retire the length-of-sig-wasted-bandwidth
flame. The point really is, News is BIG and .signatures, even long ones,
are small.
- Mark-Jason Dominus <mjd@xxxxxxxxxxxxxxxxxxxxx>

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
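The narrower alternative to "setenforce 0" that the thread circles around (install the script in admin space, restorecon it, keep enforcing on, and read the denials SELinux logs for it), as an added example that is not part of the thread: the install path is the one suggested above, the awk summariser is the editor's own, and the audit lines are constructed, not from the poster's system.

```shell
#!/bin/sh
# Added example, not from the thread: keep SELinux enforcing while debugging
# a script launched from rc.local. "setenforce 0" puts the WHOLE system in
# permissive mode; the narrower approach is to install the script in admin
# space with a correct label and read the AVC denials enforcing mode logs.

# Install an admin script into /usr/local/sbin and relabel it (needs root).
# The path is the thread's suggestion; the script itself is assumed.
install_rc_script() {
    src="$1"
    dst="/usr/local/sbin/$(basename "$src")"
    install -m 0755 "$src" "$dst"      # admin space, not the vendor's /usr/sbin
    restorecon -v "$dst"               # label from the policy's file contexts
}

# Summarise AVC denials read from stdin (e.g. ausearch -m avc -ts today),
# one line per (permissions, scontext, tcontext, tclass) with a count.
avc_summary() {
    awk '/avc: +denied/ {
        perms = ""; sc = ""; tc = ""; cls = ""; inperm = 0
        n = split($0, f, " ")
        for (i = 1; i <= n; i++) {
            if (f[i] == "{") { inperm = 1; continue }
            if (f[i] == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms ? "," : "") f[i]; continue }
            if (f[i] ~ /^scontext=/) sc = substr(f[i], 10)
            if (f[i] ~ /^tcontext=/) tc = substr(f[i], 10)
            if (f[i] ~ /^tclass=/)   cls = substr(f[i], 8)
        }
        count[perms " " sc " " tc " " cls]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample audit lines (not from the poster's system): rc.local,
# running as initrc_t, trying to use a script left in root's home directory.
SAMPLE_AVC='type=AVC msg=audit(1309734000.123:45): avc:  denied  { execute } for  pid=812 comm="rc.local" name="backup.sh" scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1309734000.123:45): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1309734000.456:46): avc:  denied  { read } for  pid=813 comm="backup.sh" name="secrets" scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1309734001.789:47): avc:  denied  { execute } for  pid=814 comm="rc.local" name="backup.sh" scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# Stand-alone run: summarise the sample. Pass "install <script>" to install.
if [ "${1:-}" = "install" ]; then
    install_rc_script "$2"
else
    printf '%s\n' "$SAMPLE_AVC" | avc_summary
fi
```

The summary lines are what you would feed into a policy fix (or a file relabel, as here, where the target type is admin_home_t) rather than into setenforce.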