<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
Filipe Brandenburger wrote:
<blockquote
cite="mid:e814db780901280946j4cfd46c4hcf9340eeb9666a5c@mail.gmail.com"
type="cite">
<pre wrap="">Hi,
2009/1/28 Rob Kampen <a class="moz-txt-link-rfc2396E" href="mailto:rkampen@kampensonline.com"><rkampen@kampensonline.com></a>:
</pre>
<blockquote type="cite">
<pre wrap="">I'm seeing this every hour when the hourly cron job runs
NULL security context for user, but SELinux in permissive mode, continuing
</pre>
</blockquote>
<pre wrap=""><!---->
Try to use "ps -Z" to see if all your processes have appropriate
security contexts. It's unlikely (impossible?) that one of them will
not have, but start with that anyway.
</pre>
</blockquote>
All OK<br>
<blockquote
cite="mid:e814db780901280946j4cfd46c4hcf9340eeb9666a5c@mail.gmail.com"
type="cite">
<pre wrap="">
Also you can use "ls -Z" to see if the files have security contexts or
not. Maybe start with "ls -Z /etc/cron*" and "ls -Z /var/spool/cron/"
to see if the files related to crontabs are covered.
Also have a look at what "semanage login -l" returns, in CentOS you
should have an entry for "__default__" pointing to "user_u" and one
for "root" pointing to "root".
</pre>
</blockquote>
All ok<br>
<blockquote
cite="mid:e814db780901280946j4cfd46c4hcf9340eeb9666a5c@mail.gmail.com"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">I've tried fixfiles but obviously I'm missing something....
</pre>
</blockquote>
<pre wrap=""><!---->
Sometimes fixfiles will not be able to do a thorough job if your
system is booted and running. It's preferrable to do "touch
/.autorelabel" and reboot the machine, that way "fixfiles" will run as
the only process in the machine and will be able to label all files
properly.
</pre>
</blockquote>
Last resort was the 'touch /.autorelabel' and reboot. This took nearly
an hour but once it came up all was well.<br>
Thanks for the pointers Filipe.<br>
At what point would it be safe to go to enforcing? What logs should I
be inspecting for warnings?<br>
I find SELinux real hard to get my head around, extensive reading and
still I don't get it clearly enough to where I understand it and feel
safe committing my business server to it. And when something like this
occurs and it takes the server down for an hour to clean it up.... not
really production ready. <br>
I'm getting ready to head for PCI-DSS audit and thought SELinux
enforcing would be a help......any comments from those with more
experience??<br>
<blockquote
cite="mid:e814db780901280946j4cfd46c4hcf9340eeb9666a5c@mail.gmail.com"
type="cite">
<pre wrap=""></pre>
<blockquote type="cite">
<pre wrap="">Any SELinux gurus that can point me in the right direction?
</pre>
</blockquote>
<pre wrap=""><!---->
Far from being a guru, but maybe the information above will be useful
for you to hunt the problem down.
HTH,
Filipe
_______________________________________________
CentOS mailing list
<a class="moz-txt-link-abbreviated" href="mailto:CentOS@centos.org">CentOS@centos.org</a>
<a class="moz-txt-link-freetext" href="http://lists.centos.org/mailman/listinfo/centos">http://lists.centos.org/mailman/listinfo/centos</a>
</pre>
</blockquote>
</body>
</html>