On Fri, Dec 10, 2010 at 7:22 AM, Nicolas Ross <rossnick-lists@xxxxxxxxxxx> wrote:
> Over the CentOS-users list there is a long on-going thread about SELinux.
> Since its introduction a while back, I always disabled selinux because of
> the added complexity and never took the time to learn it.
>
> For our soon to be production cluster of 8 nodes, I will be attempting to at
> least set selinux at permissive to see how it works and learn it. Our
> services are mostly of 3 types: database server, apache server (our own
> compile, used in non-standard locations), and java servers, using the
> default java, application and data directory on the gfs shared storage.
>
> So, for a cluster, using fencing, gfs, and all the needed tools to run a
> cluster, is there any reason not to use selinux? I am looking to see if
> cluster operators use or do not use selinux...

As far as RHCS (at least on 5) is concerned, there are notes that SELinux isn't supported. In other words, those packages don't set labels properly or add policy modules that would be needed. Of course, that doesn't stop you from using audit2allow to "clean up" the denies you find while running in permissive (some denies will only show up during boot). I also locked myself out of the entire cluster once and had to use a kernel append option to disable selinux :-)

I decided to run enforcing for greater defense in depth, but for the time being on everything except RHCS. For all my other boxes, I switch it to permissive before minor dist upgrades and then set each box back to enforcing after the next reboot without denies (I've been doing this since 5.3, when updates to the enforcing policy broke a bunch of labeling stuff and I was putting out fires since everything was in enforcing still).

Eric

--
Linux-cluster mailing list
Linux-cluster@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/linux-cluster
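As an added example (not code from the thread or from RHCS), here is a small POSIX shell script that automates the cycle Eric describes: stay permissive across an update, then go back to enforcing only once a boot has produced no AVC denials. It assumes audit records in the usual /var/log/audit/audit.log format and embeds a constructed sample log so it runs offline; the function names are ours.

```shell
#!/bin/sh
# Added example, not from the thread: automate the permissive-then-enforcing
# cycle Eric describes. Denials are counted from an audit log captured since
# boot, and enforcing mode is only restored when that boot produced none.
# Assumption: records are in /var/log/audit/audit.log format; a constructed
# sample is embedded so the functions run offline. Function names are ours.

# Count "denied" AVC records in file $1. "granted" AVCs are not denials.
# A missing or empty file counts as zero denials (grep's exit 1/2 is absorbed).
count_avc_denials() {
    n=$(grep -c 'type=AVC .*avc: *denied' "$1" 2>/dev/null) || n=${n:-0}
    printf '%s\n' "$n"
}

# Print the mode to apply after this boot: enforcing only on a clean boot.
next_mode() {
    if [ "$(count_avc_denials "$1")" -eq 0 ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# Apply a mode at runtime and persist it so the next reboot matches.
# Needs root; not exercised by the sample run below.
apply_mode() {
    if [ "$1" = enforcing ]; then setenforce 1; else setenforce 0; fi
    sed -i "s/^SELINUX=.*/SELINUX=$1/" /etc/selinux/config
}

# Constructed sample: one real denial (httpd reading an unlabeled config
# file, the kind of thing a non-standard install location produces) plus a
# granted record and a non-AVC record that must not be counted.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1291987320.123:45): avc:  denied  { read } for  pid=2101 comm="httpd" name="app.conf" dev=dm-3 ino=8123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1291987321.456:46): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1291987320.123:45): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/opt/apache/bin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
EOF
CLEAN_LOG=$(mktemp)
grep 'avc:  granted' "$SAMPLE_LOG" > "$CLEAN_LOG"

# Post-reboot check. On a live box the input would come from the audit trail:
#   ausearch -m avc -ts boot --raw > /tmp/avc-since-boot.log
# and the denials fed to "audit2allow -w" for review before any policy change.
for log in "$SAMPLE_LOG" "$CLEAN_LOG"; do
    echo "$(count_avc_denials "$log") denial(s) since boot -> $(next_mode "$log")"
done
```

Because the decision is made per box from its own post-boot audit trail, a node that still shows denials (RHCS components included) simply stays permissive until those are reviewed.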