lagged at gmail.com
Tue Feb 21 05:59:30 CET 2017
This definitely isn't an SELinux issue on my end. I've also seen Varnish
work fine with SELinux (after policy updates as Dridi mentioned).
On Mon, Feb 20, 2017 at 4:43 PM, Dridi Boukelmoune <dridi at varni.sh> wrote:
> On Mon, Feb 20, 2017 at 11:25 PM, Daniel Parthey <pada at posteo.de> wrote:
> > It might be an SELinux problem. Varnish 4.1.3 seems incompatible with the
> > default SELinux rules on CentOS. We ran into problems with child workers
> > when SELinux was enabled.
> I don't think it's related to SELinux. The main problem with
> CentOS/Red Hat/Fedora is the SELinux policy shipped by those
> distributions. They give very little margin and it becomes easy to
> make a change in your configuration that ends up rejected. At the
> same time conservative defaults give a smaller attack surface...
> > setenforce 0
> > service varnish restart
> > and for permanent boot-safe change:
> > /etc/sysconfig/selinux
> > selinux=disabled
> This is _not_ how you solve SELinux problems. You switch to
> permissive, collect audit logs while running offending software,
> update the policy and switch back to enforcing.
> > Might make varnish more stable.
> > Not sure why the default CentOS policy (at least on CentOS 7) affects
> > master/child communications.
> It should not, I'd like to see evidence that this is happening. Please
> open a github issue on the pkg-varnish-cache project if you manage
> to reproduce it and let us know how.
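
The "collect audit logs, update the policy" step from the quoted reply, as an added example that is not part of the original thread or of the Varnish project: it groups the AVC denials logged for varnishd during a permissive run into candidate allow rules for review. The log lines are constructed samples and the function names are hypothetical; on a real host the input would be /var/log/audit/audit.log.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (illustrative, not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1487650001.101:410): avc:  denied  { name_bind } for  pid=2211 comm="varnishd" src=8443 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1487650002.202:411): avc:  denied  { read } for  pid=2215 comm="varnishd" name="custom.vcl" dev="dm-0" ino=9911 scontext=system_u:system_r:varnishd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1487650002.203:412): avc:  denied  { open } for  pid=2215 comm="varnishd" path="/home/ops/custom.vcl" dev="dm-0" ino=9911 scontext=system_u:system_r:varnishd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1487650003.300:413): avc:  denied  { read } for  pid=900 comm="sshd" name="x" dev="dm-0" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1487650003.300:413): arch=c000003e syscall=2 success=no exit=-13 comm="sshd"
"""

# Fields of an AVC denial record: permissions, command, source/target context, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
)

def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]

def summarize_denials(log_text, comm="varnishd"):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue  # only the software under investigation
        key = (context_type(m.group("s")), context_type(m.group("t")), m.group("cls"))
        rules[key].update(m.group("perms").split())
    return dict(rules)

def as_allow_rules(rules):
    """Render the grouped denials as policy-style allow rules for human review."""
    return [
        "allow %s %s:%s { %s };" % (s, t, cls, " ".join(sorted(perms)))
        for (s, t, cls), perms in sorted(rules.items())
    ]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Review the output before building a module from it: a denial against a file type such as user_home_t usually calls for relabelling or moving the file rather than a new allow rule.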