NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
Peter,Experience has shown that SELinux and LDM were not, in the past, friends. I'd also argue that, unless you're with NSA, it's likely not needed for most LDM machines. Enforcing SELinux has caused me all sorts of issues in the past, with few identifiable benefits.
I've used permissive mode in the past and decided it offered few benefits, and have abandoned it. I'm very careful with firewalls, and tend to restrict other operations on my LDM machines: My users don'g have accounts on my LDM machines, but by the magic of NFS, can access the data on other systems. I use LDM for a variety of things, including workflow management, so we're pretty careful about how we handle security.
I'll be glad to discuss this with you if you'd like. Regards, Gerry Peter Laws wrote:
On 04/16/10 15:06, Peter Laws wrote:in ldm's crontab. This doesn't appears to be running regularly, though, as the rolled logs have seemingly random times. Worse, they somehow get owned by root.Not LDM-related, as far as I can tell. Experimenting with SElinux. Put it into enforcing mode a few weeks ago after running it in permissive mode looking for errors. Never saw any errors in permissive, so set it to enforcing on the fly.You can do that, but evidently, it wasn't clean and a side effect was that syslog could 1) no longer write to /var/log/messages and 2) had no way of telling me that since ... well ... see #1.Couldn't figure out at first why syslog was not writing despite HUPping it and decided to patch/reboot. That's when it all became clear. Put it back in permissive mode after the reboot and am now getting the SElinux audit messages that I should have seen before.So, note to self, a reboot really is required to change SElinux levels even if you can echo stuff into /selinux/enforce.Thanks, as always, to Steve E for the troubleshooting help.
ldm-users archives: