Re: [CentOS] CentOS 7 SELinux issue

2016-02-25 Thread Brandon Vincent
On Thu, Feb 25, 2016 at 12:34 AM, Frank Cox wrote:
> Turns out you get the "Could not downgrade policy file 
> /etc/selinux/targeted/policy/policy.24" error if you're running with SELinux 
> disabled and something tries to install or reload policy: semodule -vR does 
> it.

This is why if anyone is opposed to running SELinux it should be left
in permissive mode.

Brandon Vincent
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] CentOS 7 SELinux issue

2016-02-25 Thread Steve Snyder


On 02/25/2016 07:23 AM, Brandon Vincent wrote:
> On Thu, Feb 25, 2016 at 12:34 AM, Frank Cox wrote:
> > Turns out you get the "Could not downgrade policy file
> > /etc/selinux/targeted/policy/policy.24" error if you're running with SELinux
> > disabled and something tries to install or reload policy: semodule -vR does it.
>
> This is why if anyone is opposed to running SELinux it should be left
> in permissive mode.

Even in permissive mode you still incur the system overhead cost (7%
performance hit, last I read) and the excessive logging.

And don't even get me started about having /tmp mounted on a tmpfs
filesystem! :-)

There are good reasons to prefer disabled over permissive if you're sure
you won't need to re-enable SELinux later.



Re: [CentOS] IPtables block user from outbound ICMP

2016-02-25 Thread Always Learning

On Thu, 2016-02-25 at 07:19 +, James Hogarth wrote:

> Well if you really want to call it a problem... Blocking ICMP via a host
> based firewall remains pretty silly.

On all servers I used IPtables to block (DROP) all incoming ICMPs
except:-

type 0 state RELATED,ESTABLISHED 
type 3 state RELATED,ESTABLISHED 
type 8 state NEW,RELATED,ESTABLISHED 
type 11 state RELATED,ESTABLISHED 

All outgoing ICMPs are blocked except for:-

type 0 state RELATED,ESTABLISHED 
type 8 state NEW,RELATED,ESTABLISHED 

Am I silly too ;-)


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.
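
The ICMP policy listed in the message above, written out as an `iptables-restore` ruleset (an added example, not part of the original post). The conntrack match syntax, the trailing per-chain DROP rules and the function names `icmp_ruleset` and `icmp_verdict` are assumptions; the message gives only ICMP types and states.

```shell
#!/bin/sh
# Added example: the ICMP allow-list from the message, as data.
# Columns (constructed layout): chain, ICMP type, connection states.
ICMP_POLICY='INPUT 0 RELATED,ESTABLISHED
INPUT 3 RELATED,ESTABLISHED
INPUT 8 NEW,RELATED,ESTABLISHED
INPUT 11 RELATED,ESTABLISHED
OUTPUT 0 RELATED,ESTABLISHED
OUTPUT 8 NEW,RELATED,ESTABLISHED'

# Emit the policy in iptables-save/iptables-restore format.
icmp_ruleset() {
    echo '*filter'
    printf '%s\n' "$ICMP_POLICY" | while read -r chain type states; do
        printf '%s -p icmp --icmp-type %s -m conntrack --ctstate %s -j ACCEPT\n' \
            "-A $chain" "$type" "$states"
    done
    # Assumption: any ICMP not accepted above is dropped, per chain.
    for chain in INPUT OUTPUT; do
        printf '%s -p icmp -j DROP\n' "-A $chain"
    done
    echo 'COMMIT'
}

# Look up what the policy does with one packet, without touching netfilter.
# usage: icmp_verdict CHAIN TYPE STATE   -> prints ACCEPT or DROP
icmp_verdict() {
    if printf '%s\n' "$ICMP_POLICY" |
        grep -Eq "^$1 $2 (.*,)?$3(,.*)?\$"; then
        echo ACCEPT
    else
        echo DROP
    fi
}

# Print the ruleset when run directly.
icmp_ruleset
```

Piping the output to `iptables-restore --test` (as root) parses the ruleset without committing it. `icmp_verdict OUTPUT 3 RELATED` prints `DROP`, which shows that under this policy the host itself never sends destination-unreachable messages.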
