> Well, the thing is that SELinux often has effects that aren't
> particularly obvious. After upgrading to F15 I found I couldn't log in
> without disabling SELinux. At that point you can either try and fix
> the problem or ignore it and carry on with SELinux disabled forever,
> in doing the latter you haven't understood what's wrong or what other
> problems might be involved.
Did you try putting it in permissive mode to see if you got any alerts?
Yes, I know that this is drifting off-topic, but it's also discussing
the difference between what I'm objecting to and doing something that
might eventually let you fix what's wrong.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
08-06-2012, 08:55 PM
Joe Zeff
Cargo Cult sysadmining
On 08/06/2012 01:47 PM, Steven Stern wrote:
> I always start with SELINUX in permissive mode and run that way for a
> couple of weeks while I monitor the messages.
Permissive mode; not disabled, and you monitor the messages. Just out
of curiosity, do you generally get some when you first install?
08-06-2012, 08:59 PM
Steven Stern
Cargo Cult sysadmining
On 08/06/2012 03:55 PM, Joe Zeff wrote:
> On 08/06/2012 01:47 PM, Steven Stern wrote:
>> I always start with SELINUX in permissive mode and run that way for a
>> couple of weeks while I monitor the messages.
>
> Permissive mode; not disabled, and you monitor the messages. Just out
> of curiosity, do you generally get some when you first install?
I do, but they're generally my problem like copying stuff from ~ into
/var/www/html. Occasionally, something more serious. SELINUX has never
been completely clean for me.
On my public server, however, I did start with it in fully enabled mode.
--
-- Steve
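
An added illustration, not part of any message in this thread, of what monitoring the messages in permissive mode can look like: this Python script groups AVC denials from audit log lines and separates the "copied from ~ into /var/www/html" kind, which calls for relabelling, from denials that need review. The log lines and the `summarize` and `triage` helpers are constructed for the example.

```python
import re

# Constructed audit.log sample (not from the thread): httpd touching a file that
# still carries a home-directory label, plus one unrelated network denial.
SAMPLE_LOG = '''\
type=AVC msg=audit(1344286500.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1344286500.102:411): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1344286500.102:411): arch=c000003e syscall=4 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1344286612.310:502): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    groups = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        groups.setdefault(key, set()).update(m["perms"].split())
    return groups

def triage(key):
    """Hypothetical rule of thumb: a home-directory label on a file or
    directory points at a labelling mistake, not a policy gap."""
    _src, tgt, tclass = key
    if tclass in ("file", "dir") and tgt.startswith("user_home"):
        return "relabel: run restorecon on the target path"
    return "review: understand the access before allowing it"

if __name__ == "__main__":
    for key, perms in sorted(summarize(SAMPLE_LOG).items()):
        print(key, sorted(perms), "->", triage(key))
```
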
08-06-2012, 09:04 PM
jdow
Cargo Cult sysadmining
On 2012/08/06 13:40, Ian Malone wrote:
> On 6 August 2012 21:06, Joe Zeff <joe@zeff.us> wrote:
>> It looks like I may have created a new use of Cargo Cult, based on Cargo
>> Cult Programming. (http://en.wikipedia.org/wiki/Cargo_cult_programming,
>> http://foldoc.org/cargo+cult) My thought was that disabling SELinux as a
>> first step in troubleshooting any and every problem, even when there's no
>> evidence that it's involved was equivalent to natives in New Guinea creating
>> mockups of landing strips after WWII thinking that planes filled with cargo
>> would land there. Most of your suggestions, although bad ideas in and of
>> themselves, don't have this (to me) important quality: IMO, to be considered
>> cargo cult sysadminning, the practice must either have nothing to do with
>> the problem it's intended to fix (Disabling your firewall because sshd
>> doesn't start.) or is no longer relevant, such as most instances of
>> reflexive disabling of SELinux. YMMV, and probably does, but I did think
>> that I should put my original meaning for the term on the record.
>
> Well, the thing is that SELinux often has effects that aren't
> particularly obvious. After upgrading to F15 I found I couldn't log in
> without disabling SELinux. At that point you can either try and fix
> the problem or ignore it and carry on with SELinux disabled forever,
> in doing the latter you haven't understood what's wrong or what other
> problems might be involved.
SELinux permissive mode is a better diagnostic than simply turning it off,
too.
{o.o}
08-06-2012, 09:05 PM
Joe Zeff
Cargo Cult sysadmining
On 08/06/2012 01:59 PM, Steven Stern wrote:
> I do, but they're generally my problem like copying stuff from ~ into
> /var/www/html. Occasionally, something more serious. SELINUX has never
> been completely clean for me.
Which means, of course, that you have a good reason for starting out the
way you do. Not, IMAO, cargo cult.
08-06-2012, 09:13 PM
Hakan Koseoglu
Cargo Cult sysadmining
On 6 August 2012 22:05, Joe Zeff <joe@zeff.us> wrote:
> Which means, of course, that you have a good reason for starting out the
> way you do. Not, IMAO, cargo cult.
There are plenty of reasons for disabling SELINUX (well, this one is
for RHEL actually but hey, see
http://docs.oracle.com/cd/E11882_01/relnotes.112/e23558/toc.htm#CJADHDFJ)
and they're valid. On the other hand, it should be set to permissive
as discussed. (On the other hand when I do that, I get mails from
various people about the "errors" in the logs). The hardest thing is
to teach people which errors/warnings to pay attention to and which
errors/warnings can be ignored reasonably. Unfortunately Oracle has
taken 11.1 documentation down, otherwise I could quote "disable
SELINUX" bit. (Thanks Oracle, you stopping supporting it doesn't mean
us real-world techies have stopped still using and battling with it).
08-06-2012, 09:43 PM
jdow
Cargo Cult sysadmining
On 2012/08/06 14:13, Hakan Koseoglu wrote:
> On 6 August 2012 22:05, Joe Zeff <joe@zeff.us> wrote:
>> Which means, of course, that you have a good reason for starting out the
>> way you do. Not, IMAO, cargo cult.
>
> There are plenty of reasons for disabling SELINUX (well, this one is
> for RHEL actually but hey, see
> http://docs.oracle.com/cd/E11882_01/relnotes.112/e23558/toc.htm#CJADHDFJ)
> and they're valid. On the other hand, it should be set to permissive
> as discussed. (On the other hand when I do that, I get mails from
> various people about the "errors" in the logs). The hardest thing is
> to teach people which errors/warnings to pay attention to and which
> errors/warnings can be ignored reasonably. Unfortunately Oracle has
> taken 11.1 documentation down, otherwise I could quote "disable
> SELINUX" bit. (Thanks Oracle, you stopping supporting it doesn't mean
> us real-world techies have stopped still using and battling with it).
Instead of telling people to ignore the logs figure out how to fix it.
I battled my install to a draw. I finally have exactly one error which
seems to be a cart and horse issue with the mce log. Everything else
has been cleaned up, usually by following the suggestions from SELinux
itself.
{^_^}
08-06-2012, 10:25 PM
Joe Zeff
Cargo Cult sysadmining
On 08/06/2012 02:13 PM, Hakan Koseoglu wrote:
> There are plenty of reasons for disabling SELINUX (well, this one is
> for RHEL actually but hey, see
> http://docs.oracle.com/cd/E11882_01/relnotes.112/e23558/toc.htm#CJADHDFJ)
> and they're valid. On the other hand, it should be set to permissive
> as discussed.
I'm not saying that there aren't. However, I've seen several cases
here, and more on fedoraforum where people have disabled SELinux because
some program's crashing, but there aren't any alerts, and then wondering
why it didn't magically fix the problem.
08-07-2012, 02:17 AM
"Mikkel L. Ellertson"
Cargo Cult sysadmining
On 08/06/2012 03:38 PM, Joe Zeff wrote:
> On 08/06/2012 01:29 PM, Mateusz Marzantowicz wrote:
>> On 06.08.2012 15:52, Michael Cronenworth wrote:
>>> Tim wrote:
>>>> Just look at the feature list on the documentation, or websites, and the
>>>> idiot admins will target them first. And, if you have a desktop that
>>>> still has normal menus, look through the system admin items for more
>>>> ideas.
>>> I can think of one item you missed from your list:
>>>
>>> Disable IPv6 (disabling it cures cancer!)
>>
>> OK, but what if I don't need it? You can say that it's harmless etc. But
>> why the hell then, people recompile the kernel to disable other unused
>> modules/features? Are they cargo cult sysadmins?
>>
>> Maybe it's not so bad idea to disable all unused pieces of software in
>> your system?
>>
>
> IMAO, it all depends on why you're disabling it. Are you doing it
> because you don't use it and don't ever expect to (Short-sighted, if
> you ask me, but it's your box, not mine.) or are you disabling it to
> avoid problems that it either doesn't cause or, at least, hasn't
> caused in a long time?
Disabling it because the system you are compiling the kernel for
will not support the hardware. No need for SATA, PCI, or cardbus
stuff on a system that only has PCMCIA slots for expansion. You do
not need the USB drivers because it does not have USB hardware, and
you can not find PCMCIA USB cards. (I have a cardbus USB card, but
that does not help.) But this is not something most people run into.
Compiling a kernel for a laptop will let you eliminate a lot of
drivers because you only have limited hardware changes...
A server that is not going to get hardware changes.
...
Mikkel
--
Do not meddle in the affairs of dragons, for thou art crunchy and
taste good with Ketchup!
08-07-2012, 03:05 AM
Michael Cronenworth
Cargo Cult sysadmining
On 08/06/2012 09:17 PM, Mikkel L. Ellertson wrote:
> Compiling a kernel for a laptop will let you eliminate a lot of
> drivers because you only have limited hardware changes...
This might have made sense in 1999 when Linux was first getting started
and every byte mattered. However, today, with terabyte storage and 8GB
of RAM for less than $100 USD (each) this makes no sense at all. You're
just wasting your time. Not having modules or compiling in modules
provides zero performance benefit. Just FYI.
P.S. Perfect item to add to Tim's list.