Re: [lmi] zOMG SELinux

[Vadim Zeitlin]

On Wed, 19 Feb 2020 23:48:36 +0000 Greg Chicares <address@hidden> wrote:

GC> Yesterday, no dots in 'ls -l' output:
GC> 
GC>   /srv/chroot/lmi_bullseye_1[0]#ls -ld *
GC>   lrwxrwxrwx   1 root    lmi         7 Feb 17 15:31 bin -> usr/bin
GC>   drwxr-xr-x   2 root    root     4096 Jul  9  2019 boot
GC>             ^ no dots
GC> 
GC> Today, after an upgrade from RHEL-7.6 to 7.7:
GC> 
GC>   /srv/chroot/lmi_bullseye_1[0]#ls -ld *
GC>   lrwxrwxrwx.   1 root    root        7 Feb 19 15:53 bin -> usr/bin
GC>   drwxr-xr-x.   2 root    root     4096 Jul  9  2019 boot
GC>             ^ dots
GC> 
GC> so they've turned on SELinux.

 I'm rather surprised this has happened during a minor version OS upgrade.
I quickly tried to find any mention of this but couldn't. The release notes

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index

have many mentions of SELinux, but nothing about enabling it automatically.
So it looks like this was done intentionally by the system administrators,
which might indicate that they plan to switch it into enforcing note later.

GC> Well, kind of:
GC> 
GC>   $ getenforce
GC>   Permissive
GC> 
GC> But I've rerun this command since that change:
GC>   $sudo ./install_redhat.sh
GC> and the logs look just fine, so everything seems to be working.
GC> And
GC>   sudo grep "selinux" /var/log/messages
GC> shows no complaints about anything I've done so far.

 I don't think lmi should be affected by SELinux, which mostly/usually only
applies to the services/daemons.

GC> Should I anticipate problems? Is there anything I need to learn now?

 Unfortunately I don't know much about SELinux, so it's perfectly possible
that I'm not aware of some of its effects, but with the current state of my
knowledge/ignorance I'm tempted to answer "no" to both questions.

 Regards,
VZ

pgp3zw9Gco_1s.pgp
Description: PGP signature