An interesting topic ... heading out to cast vote now.

In our environment, about 6 years ago we informally identified the gap (grey area, war, however it is described) between server / network managers and developers / Librarians as an obstacle to our end goals and have put considerable effort into closing it. The key efforts being communication (more planning, meetings, informal sessions), collaboration (no-one is working in a vacuum), and the willingness to expand/stretch job descriptions (programmers sometimes participate in hardware / OS work and sysadmins will attend interface / application planning meetings). Supportive management helps.

The end result is that sysadmins try as hard as possible to fully understand what an application is doing/requires on "their" hardware/networks, and programmers almost never run any applications that sysadmins don't know about.

So, SELinux has never been a problem because we know what a server needs to do before it ends up in a developer's hands and developers know not to pound their heads against the desk for a day before talking to sysadmins about something that doesn't work. Well, for the most part, anyway ;-)

-Graham

Ross Singer wrote:
> On Tue, Nov 24, 2009 at 11:18 AM, Graham Stewart
> <[log in to unmask]> wrote:
>> We run many Library / web / database applications on RedHat servers with
>> SELinux enabled. Sometimes it takes a bit of investigation and horsing
>> around but I haven't yet found a situation where it had to be disabled.
>> setsebool and chcon can solve most problems and SELinux is an excellent
>> enhancement to standard filesystem and ACL security.
>
> Agreed that SELinux is useful but it is a tee-otal pain in the keister
> if you're ignorantly working against it because you didn't actually
> know it was there.
>
> It's sort of the perfect embodiment between the disconnect between the
> developer and the sysadmin. And, if this sort of tension interests
> you, vote for Bess Sadler's presentation at Code4lib 2010: "Vampires
> vs. Werewolves: Ending the War Between Developers and Sysadmins with
> Puppet" and anything else that interests you.
>
> http://vote.code4lib.org/election/index/13
>
> -Ross "Bringin' it on home" Singer.

--
Graham Stewart
Network and Storage Services Manager, Information Technology Services
University of Toronto Library
130 St. George Street
Toronto, Ontario [log in to unmask]
Canada M5S 1A5
Phone: 416-978-6337 | Mobile: 416-550-2806 | Fax: 416-978-1668