Re: [ldm-users] Log rotation

If it matters, I'll add my voice.  Quick aside, my day job for the past 15+
years has been an IT security engineer/consultant..it's my job to be
paranoid and tell clients what to do and not to do..so it pains me when I
say....

Do _NOT_ use SELinux on a server unless it is a multi-user system (e.g.,
multiple different people log in and perform functions on it on a realtime
basis).  Given that an LDM server should be sitting over in a closet with no
logins on it other than the administrator(s), there is no need for SELinux.
It will just make your life more difficult while adding a layer of
protection you don't need.  Instead, take the base OS, harden it using
whatever tools/techniques you have, turn off everything but SSH and LDM (and
enable other things as needed, apache, etc) and you'll be good to go. A
properly configured and hardened box is 100x more important than running
SELinux.

-Tyler
AllisonHouse LLC

On Tue, Apr 20, 2010 at 12:43 PM, Dan Vietor <devo@xxxxxxxxxxxxx> wrote:

>  On Mon, 2010-04-19 at 17:33 -0500, Gerry Creager wrote:
>
> Peter,
>
> Experience has shown that SELinux and LDM were not, in the past,
> friends. I'd also argue that, unless you're with NSA, it's likely not
> needed for most LDM machines.  Enforcing SELinux has caused me all sorts
> of issues in the past, with few identifiable benefits.
>
>
> I'll second that.  SELinux is OK for a desktop system (email, web, word
> processing) or a file server but it is unusable for most other
> applications.   At least now, there is a way to configure it to allow
> certain things but getting that to work can be painful.  I find if you're
> not making the computer publicly accessible (i.e. remote login from the
> world), you don't need that level of security.   So why go through the pain
> to try and enable SELinux?
>
>
>   ------------------------------
>
>
> *Daniel Vietor*
> *Title:* Engineer/Meteorologist
> *Mail:* devo@xxxxxxxxxxxxx
> *Phone:* 610-648-3623
> *Fax:* 610-695-5524
> Unisys Corp
> 2476 Swedesford Rd
> Malvern PA 19355