On Sunday, September 2, 2012 12:33:49 AM UTC-5, Dan wrote: > > disabling selinux is never the solution > > On Sat, Sep 1, 2012 at 7:16 PM, purple grape <purple...@gmail.com<javascript:> > > wrote: > >> just disable selinux . >> >
Well, I do prefer to set selinux to non-enforcing mode instead of actually disabling it, but I don't suppose that's what you meant. As with anything security-related, it's all about risk and cost / benefit. If you don't have someone competent to do so managing your SELinux policy, then enforcing SELinux policy is likely to cost you a reduction in stability and periodic loss of functionality. Turning off policy enforcement or disabling SELinux altogether will be better choices for some people, but if that would represent an unacceptable risk for the particular machine in question, then your next best bet is to hire or train an SELinux policy manager. If you don't know pretty well how to manage SELinux policy, but you must nevertheless enforce it, then you are going to get your SELinux training the hard way, and chances are your site will feel the pain along with you. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/S1jEnH8JyqgJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
