On 1/7/2012 6:25 PM, Gordon Messmer wrote:
> On 01/06/2012 01:36 AM, Bennett Haselton wrote:
>> So I still don't know: after creating /.autorelabel (and verifying that it's there), and rebooting the system (and then verifying that the /.autorelabel file has been deleted, which is supposed to mean the auto-relabel actually happened), why am I still seeing the file type listed as file_t?
>
> Either SELinux is disabled or your filesystem doesn't support extended attributes.

[root@g6950-21025 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

(same thing happens if I switch to "enforcing", although then things start breaking instead of logging warnings)

> Check /proc/cmdline to see if the kernel was instructed to disable SELinux

[root@g6950-21025 ~]# cat /proc/cmdline
ro root=/dev/sys-0n1f/root

Not sure what that means, but I assume it doesn't force SELinux to be disabled.

> and check /etc/sysconfig/selinux.

[root@g6950-21025 ~]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
[root@g6950-21025 ~]#

Note: SELinux is logging warnings (while in permissive mode) to /var/log/audit/audit.log whenever httpd interacts with one of the files like /tmp/hostname_SKYSLICE.INFO. Presumably that means it's not disabled; SELinux is on, but the file still hasn't been relabeled.

> Check /proc/mounts to see what filesystem type your system is using.

[root@g6950-21025 ~]# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
/dev /dev tmpfs rw 0 0
/proc /proc proc rw 0 0
/sys /sys sysfs rw 0 0
none /selinux selinuxfs rw 0 0
/proc/bus/usb /proc/bus/usb usbfs rw 0 0
devpts /dev/pts devpts rw 0 0
/dev/sys-0n1f/vartmp /var/tmp ext3 rw,nosuid,noexec,data=ordered 0 0
/dev/sys-0n1f/tmp /tmp ext3 rw,nosuid,noexec,data=ordered 0 0
/dev/sda1 /boot ext3 rw,data=ordered 0 0
tmpfs /dev/shm tmpfs rw,nosuid,noexec 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
/etc/auto.misc /misc autofs rw,fd=7,pgrp=2217,timeout=300,minproto=5,maxproto=5,indirect 0 0
-hosts /net autofs rw,fd=13,pgrp=2217,timeout=300,minproto=5,maxproto=5,indirect 0 0

> Use "tune2fs -l" to see if an ext3/4 filesystem has the "user_xattr" option.
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos

In the output above,
/dev/root
/dev/sys-0n1f/vartmp
/dev/sys-0n1f/tmp
/dev/sda1
were all listed as ext3, and when I ran "tune2fs -l" on each of them, the output included the line
Default mount options:    user_xattr acl

Bennett
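The checks Gordon walks through (kernel command line, sestatus, /etc/sysconfig/selinux, /proc/mounts, tune2fs defaults) collected into one POSIX sh script, as an added example that is not part of the thread or of any CentOS tooling. Each checker takes the text of a file or command output as an argument, so the same logic runs offline against captured output (the thread's own output is embedded, plus one constructed failing case) or against the live machine when a path is given. The function names, the FAIL/ok wording and the list of filesystem types treated as label-capable are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check the preconditions for a file to
# carry an SELinux label. Checkers take the text of a file or command output as
# an argument, so they run offline against captured output; run_live() feeds
# them the real system when a path (and optionally a device) is given.

# Exit 0 when the kernel command line carries selinux=0.
cmdline_disables_selinux() {
    case " $1 " in *" selinux=0 "*) return 0 ;; *) return 1 ;; esac
}

# "<status>/<current mode>" from sestatus output, e.g. "enabled/permissive".
sestatus_summary() {
    printf '%s\n' "$1" | awk -F': *' '/^SELinux status/ { s = $2 }
        /^Current mode/ { m = $2 }  END { print s "/" m }'
}

# Value of the uncommented SELINUX= line in /etc/sysconfig/selinux.
config_mode() {
    printf '%s\n' "$1" | sed -n 's/^SELINUX=//p' | tail -n 1
}

# "<mountpoint> <fstype> <options>" of the mount holding path $2 in /proc/mounts
# text $1: longest matching mountpoint wins, later entries shadow earlier ones.
mount_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" 'BEGIN { best = -1 }
        { mp = $2
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) >= best) {
              best = length(mp); out = mp " " $3 " " $4 } }
        END { print out }'
}

# Filesystem types that persist security.* xattrs (my list, not the thread's).
fstype_supports_labels() {
    case "$1" in ext2|ext3|ext4|xfs|jfs|btrfs) return 0 ;; *) return 1 ;; esac
}

# Does "tune2fs -l" list user_xattr among the default mount options?
tune2fs_default_user_xattr() {
    printf '%s\n' "$1" | grep -q '^Default mount options:.*user_xattr'
}

# All checks for one path: one line per finding; exit 0 only when nothing
# here explains a missing label.
diagnose() {
    cmdline=$1 sest=$2 conf=$3 mounts=$4 path=$5 t2fs=$6 rc=0
    if cmdline_disables_selinux "$cmdline"; then
        echo "FAIL: kernel booted with selinux=0"; rc=1
    fi
    case "$(sestatus_summary "$sest")" in
        enabled/*) echo "ok: sestatus: $(sestatus_summary "$sest")" ;;
        *)         echo "FAIL: sestatus: $(sestatus_summary "$sest")"; rc=1 ;;
    esac
    if [ "$(config_mode "$conf")" = disabled ]; then
        echo "FAIL: /etc/sysconfig/selinux sets SELINUX=disabled"; rc=1
    fi
    set -- $(mount_for_path "$mounts" "$path")
    if fstype_supports_labels "$2"; then
        echo "ok: $path is on $1 ($2, $3)"
    else
        echo "FAIL: $path is on $1 ($2), which cannot store security.selinux"; rc=1
    fi
    if tune2fs_default_user_xattr "$t2fs"; then
        echo "ok: user_xattr is a tune2fs default mount option"
    else
        echo "note: no user_xattr default (governs user.*, not security.* attributes)"
    fi
    return $rc
}

# Live run against this machine: $1 = path, $2 = block device for tune2fs.
run_live() {
    t2fs=''
    [ -n "$2" ] && command -v tune2fs >/dev/null 2>&1 && t2fs=$(tune2fs -l "$2")
    diagnose "$(cat /proc/cmdline)" "$(sestatus)" "$(cat /etc/sysconfig/selinux)" \
             "$(cat /proc/mounts)" "$1" "$t2fs"
    ls -Z "$1"                      # the stored label; compare with matchpathcon "$1"
}

# Output copied from the thread above, reflowed one field per line.
THREAD_CMDLINE='ro root=/dev/sys-0n1f/root'
THREAD_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive'
THREAD_CONFIG='# SELINUX= can take one of these three values:
SELINUX=permissive'
THREAD_MOUNTS='rootfs / rootfs rw 0 0
/dev/root / ext3 rw,data=ordered 0 0
/dev/sys-0n1f/tmp /tmp ext3 rw,nosuid,noexec,data=ordered 0 0
/dev/sda1 /boot ext3 rw,data=ordered 0 0'
THREAD_TUNE2FS='Default mount options:    user_xattr acl'
# Constructed contrast case (not from the thread): selinux=0 at boot, /tmp on vfat.
BAD_CMDLINE='ro root=/dev/sda1 selinux=0'
BAD_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sdb1 /tmp vfat rw,nosuid 0 0'

if [ $# -ge 1 ] && [ -r /proc/cmdline ] && command -v sestatus >/dev/null 2>&1; then
    run_live "$@"
else
    diagnose "$THREAD_CMDLINE" "$THREAD_SESTATUS" "$THREAD_CONFIG" \
             "$THREAD_MOUNTS" /tmp/hostname_SKYSLICE.INFO "$THREAD_TUNE2FS"
fi
```

Run with no arguments to replay the thread's data (every precondition passes, as Bennett found), or as `sh selinux_precheck.sh /tmp/hostname_SKYSLICE.INFO /dev/sys-0n1f/tmp` on the box itself. Two caveats a practitioner should keep in mind: SELinux stores its label in the security.selinux extended attribute, and on ext2/3/4 the security.* namespace is available whether or not user_xattr is a mount option (user_xattr only enables user.* attributes), so the tune2fs line is reported as a note rather than a failure; and file_t is what the targeted policy shows for a file that has no security.selinux attribute at all, so once these checks pass the next step is `getfattr -n security.selinux <file>`, `matchpathcon <file>` to see what policy expects, and `restorecon -v <file>` to see whether a relabel of that one file succeeds.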