Re: [ldm-users] Log rotation

Peter,

Experience has shown that SELinux and LDM were not, in the past, friends. I'd also argue that, unless you're with NSA, it's likely not needed for most LDM machines. Enforcing SELinux has caused me all sorts of issues in the past, with few identifiable benefits.

I've used permissive mode in the past and decided it offered few benefits, and have abandoned it. I'm very careful with firewalls, and tend to restrict other operations on my LDM machines: My users don't have accounts on my LDM machines, but by the magic of NFS, can access the data on other systems. I use LDM for a variety of things, including workflow management, so we're pretty careful about how we handle security.

I'll be glad to discuss this with you if you'd like.

Regards, Gerry

Peter Laws wrote:
On 04/16/10 15:06, Peter Laws wrote:

in ldm's crontab. This doesn't appear to be running regularly, though,
as the rolled logs have seemingly random times. Worse, they somehow get
owned by root.

Not LDM-related, as far as I can tell. Experimenting with SElinux. Put it into enforcing mode a few weeks ago after running it in permissive mode looking for errors. Never saw any errors in permissive, so set it to enforcing on the fly.

You can do that, but evidently, it wasn't clean and a side effect was that syslog could 1) no longer write to /var/log/messages and 2) had no way of telling me that since ... well ... see #1.

Couldn't figure out at first why syslog was not writing despite HUPping it and decided to patch/reboot. That's when it all became clear. Put it back in permissive mode after the reboot and am now getting the SElinux audit messages that I should have seen before.

So, note to self, a reboot really is required to change SElinux levels even if you can echo stuff into /selinux/enforce.

Thanks, as always, to Steve E for the troubleshooting help.


