[CentOS] SELinux - null security context

Thu Jan 29 04:00:31 UTC 2009
Rob Kampen <rkampen at kampensonline.com>


Filipe Brandenburger wrote:
> Hi,
>
> 2009/1/28 Rob Kampen <rkampen at kampensonline.com>:
>   
>> I'm seeing this every hour when the hourly cron job runs
>> NULL security context for user, but SELinux in permissive mode, continuing
>>     
>
> Try to use "ps -Z" to see if all your processes have appropriate
> security contexts. It's unlikely (impossible?) that one of them will
> not have, but start with that anyway.
>   
All OK
> Also you can use "ls -Z" to see if the files have security contexts or
> not. Maybe start with "ls -Z /etc/cron*" and "ls -Z /var/spool/cron/"
> to see if the files related to crontabs are covered.
>
> Also have a look at what "semanage login -l" returns, in CentOS you
> should have an entry for "__default__" pointing to "user_u" and one
> for "root" pointing to "root".
>   
All ok
>   
>> I've tried fixfiles but obviously I'm missing something....
>>     
>
> Sometimes fixfiles will not be able to do a thorough job if your
> system is booted and running. It's preferable to do "touch
> /.autorelabel" and reboot the machine, that way "fixfiles" will run as
> the only process in the machine and will be able to label all files
> properly.
>
>   
Last resort was the 'touch /.autorelabel' and reboot. This took nearly 
an hour but once it came up all was well.
Thanks for the pointers Filipe.
At what point would it be safe to go to enforcing? What logs should I be 
inspecting for warnings?
I find SELinux real hard to get my head around, extensive reading and 
still I don't get it clearly enough to where I understand it and feel 
safe committing my business server to it. And when something like this 
occurs and it takes the server down for an hour to clean it up.... not 
really production ready.
I'm getting ready to head for PCI-DSS audit and thought SELinux 
enforcing would be a help......any comments from those with more 
experience??
>> Any SELinux gurus that can point me in the right direction?
>>     
>
> Far from being a guru, but maybe the information above will be useful
> for you to hunt the problem down.
>
> HTH,
> Filipe
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>   
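Two checks that follow from the advice in this thread, added here as example code that is not from either poster: scan `ls -Z`-style output (mode, user, group, context, path, as CentOS 5 prints it; this format is an assumption) for cron files whose context is missing or `unlabeled_t`, and summarise AVC denials from audit-log lines, which is what to review before moving from permissive to enforcing. Both inputs below are constructed samples, not output from the original server.

```sh
#!/bin/sh
# Constructed sample in `ls -Z` format: mode user group context path.
SAMPLE_LS_Z='-rw-r--r--  root root system_u:object_r:system_cron_spool_t /etc/cron.hourly/0anacron
-rw-------  root root system_u:object_r:unlabeled_t /var/spool/cron/root
-rw-r--r--  root root ? /etc/cron.d/sysstat'

# Print paths whose context is absent ("?") or still unlabeled_t;
# these are the files a relabel (fixfiles or /.autorelabel) should fix.
find_unlabeled() {
  printf '%s\n' "$1" | awk 'NF >= 5 && ($4 == "?" || $4 ~ /unlabeled_t/) { print $NF }'
}

# Constructed sample of AVC records as written to /var/log/audit/audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1233201631.101:45): avc:  denied  { read } for  pid=1234 comm="run-parts" name="0anacron" dev=sda1 ino=123 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1233205231.102:46): avc:  denied  { read } for  pid=1300 comm="run-parts" name="0anacron" dev=sda1 ino=123 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1233205231.103:47): avc:  denied  { write } for  pid=1301 comm="logrotate" name="messages" dev=sda1 ino=456 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=USER_LOGIN msg=audit(1233205300.000:48): user pid=1400 uid=0 auid=500 msg="op=login"'

# Count denials grouped by source context, target context, class and
# permission; in permissive mode every line here is a denial that would
# become a real failure once enforcing is switched on.
summarize_avc() {
  printf '%s\n' "$1" | awk '
    /type=AVC/ && /denied/ {
      sc = ""; tc = ""; cl = ""; perm = ""
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") sc = kv[2]
        if (kv[1] == "tcontext") tc = kv[2]
        if (kv[1] == "tclass")   cl = kv[2]
      }
      n[sc " -> " tc " " cl " {" perm "}"]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

find_unlabeled "$SAMPLE_LS_Z"
summarize_avc "$SAMPLE_AUDIT"
```

On a live system the same functions take `ls -Z /etc/cron* /var/spool/cron/*` and `grep AVC /var/log/audit/audit.log` as input; a relabel should empty the first list, and the second should be quiet for a while before enforcing is turned on.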