[CentOS] selinux...

Rob Townley rob.townley at gmail.com
Wed Oct 7 17:18:16 UTC 2009 

On Wed, Oct 7, 2009 at 11:45 AM,  <m.roth at 5-cent.us> wrote:
>> Quoting m.roth at 5-cent.us:
>>
>>> Have I mentioned that I am less than enthralled with selinux?
>>>
>>> My latest issue is continuing messages in the /var/log/messages, which
>>> complain, for example, that siteminder can't write to smagent log (well,
>>> it can, since we've got selinux in permissive mode, and no, we have no
>>> control over using either siteminder or selinux).
>>>
>>> I've done what it says will solve the problem. A number of times.
>>> Discussing it with my manager, it seems as though selinux DOES NOT HAVE
>>> CORRECT ERROR HANDLING, and is falling through to a default error, and
>>> is
>>> *not* telling me the true cause.
>>
>> What is the error?
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
> Running sealert. let's start with...
> <snip>
> SELinux prevented httpd reading and writing access to http files. Ordinarily
> httpd is allowed full access to all files labeled with http file context.
> This
> machine has a tightened security policy with the httpd_unified turned off,
> this
> requires explicit labeling of all files. If a file is a cgi script it
> needs to
> <snip>
> and respond with
> # getsebool -a | grep unified
> httpd_unified --> on
>
> Then we can go to:
> <...> avc:  denied  { write } for  pid=5898 comm="LLAWP"
> path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever>
> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0
> tclass=file
>
> Do you need more info?
>
>         mark
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Don't know selinux.

when i have had init scripts write to new /var/log/ log files , i had
to change them to be system_t or it would fail.  Files under /tmp/ had
to have a special label as well.  So i wonder if you tried changing
the log file to the system_t context and it also fails.  Wouldn't it
have to have both the system and http context?  i went as far as
building se modules which is actually very easy when you find the few
instructions, but it had to rebuilt with each new kernel.

More information about the CentOS mailing list