On 1/6/2012 7:13 AM, Daniel J Walsh wrote:
On 01/06/2012 09:57 AM, Bennett Haselton wrote:
On 1/6/2012 5:55 AM, RILINDO FOSTER wrote:
On Jan 6, 2012, at 7:40 AM, Philippe Naudin wrote:
On Fri 06 Jan 2012 04:21:14 CET, Bennett Haselton wrote:
On 1/6/2012 4:11 AM, Philippe Naudin wrote:
On Fri 06 Jan 2012 02:41:02 CET, Bennett Haselton wrote:
> On 1/6/2012 2:24 AM, Philippe Naudin wrote:
>> Apache running as "init_t" is a call for troubles.
> Is it? OK, any idea what caused that and how to fix it?
No, sorry. Your httpd comes from CentOS?
Yes
Afaik, you should not have any process running in context init_t except init itself. If "ps awuxZ | grep [i]nit_t" returns more than only init and httpd, your problem is likely to be more complicated than a broken configuration of apache.
I've got a few...
[root@g6950-21025 ~]# ps auwxZ | grep init_t
system_u:system_r:init_t root 1 0.6 0.0 10368 712 ? Ss 04:17 0:00 init [3]
system_u:system_r:init_t root 537 0.2 0.1 13728 1976 ? S<s 04:17 0:00 /sbin/udevd -d
system_u:system_r:init_t root 1684 0.0 0.0 38880 456 ? Ssl 04:18 0:00 brcm_iscsiuio
system_u:system_r:init_t root 1690 0.0 0.0 12152 476 ? Ss 04:18 0:00 iscsid
system_u:system_r:init_t root 1691 0.0 0.4 12648 4460 ? S<Ls 04:18 0:00 iscsid
system_u:system_r:init_t dbus 2081 0.0 0.1 31520 1144 ? Ssl 04:18 0:00 dbus-daemon --system
system_u:system_r:init_t root 2215 0.0 0.1 52372 1492 ? Ssl 04:18 0:00 automount
system_u:system_r:init_t root 2254 0.0 0.1 62656 1212 ? Ss 04:18 0:00 /usr/sbin/sshd
system_u:system_r:init_t ntp 2273 0.0 0.4 23412 5044 ? SLs 04:18 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
system_u:system_r:init_t root 2287 0.1 1.0 253312 10580 ? Ss 04:18 0:00 /usr/sbin/httpd
system_u:system_r:init_t apache 2315 0.3 1.3 259488 13376 ? S 04:18 0:00 /usr/sbin/httpd
system_u:system_r:init_t apache 2316 0.0 1.0 257436 11124 ? S 04:18 0:00 /usr/sbin/httpd
system_u:system_r:init_t apache 2317 0.1 1.1 257436 11288 ? S 04:18 0:00 /usr/sbin/httpd
system_u:system_r:init_t apache 2318 0.1 1.1 257436 11292 ? S 04:18 0:00 /usr/sbin/httpd
system_u:system_r:init_t apache 2319 0.0 1.0 256720 10504 ? S 04:18 0:00 /usr/sbin/httpd
system_u:system_r:init_t apache 2320 0.1 1.0 257436 10752 ? S 04:18 0:00 /usr/sbin/httpd
system_u:system_r:init_t apache 2321 0.0 1.1 257436 11272 ? S 04:18 0:00 /usr/sbin/httpd
system_u:system_r:init_t apache 2322 0.1 1.1 257436 11356 ? S 04:18 0:00 /usr/sbin/httpd
system_u:system_r:init_t root 2386 0.0 0.0 3812 492 tty1 Ss+ 04:18 0:00 /sbin/mingetty tty1
system_u:system_r:init_t root 2387 0.0 0.0 3812 488 tty2 Ss+ 04:18 0:00 /sbin/mingetty tty2
system_u:system_r:init_t root 2390 0.0 0.0 3812 488 tty3 Ss+ 04:18 0:00 /sbin/mingetty tty3
system_u:system_r:init_t root 2392 0.0 0.0 3812 492 tty4 Ss+ 04:18 0:00 /sbin/mingetty tty4
system_u:system_r:init_t root 2394 0.0 0.0 3812 488 tty5 Ss+ 04:18 0:00 /sbin/mingetty tty5
system_u:system_r:init_t root 2397 0.0 0.0 3812 488 tty6 Ss+ 04:18 0:00 /sbin/mingetty tty6
system_u:system_r:init_t apache 2405 0.1 1.0 256412 11008 ? S 04:18 0:00 /usr/sbin/httpd
system_u:system_r:init_t root 2406 0.3 0.3 90156 3456 ? Ss 04:18 0:00 sshd: root@pts/0
root:system_r:initrc_t:SystemLow-SystemHigh root 2458 0.0 0.0 61176 768 pts/0 S+ 04:18 0:00 grep init_t
I also found at least one file (the audit.log file) which has file type file_t, even though I thought the filesystem had been re-labeled successfully because /var/www/html/robots.txt had the correct type:
[root@g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
-rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
[root@g6950-21025 ~]# ls -lZ /var/log/audit/audit.log
-rw------- root root system_u:object_r:file_t /var/log/audit/audit.log
Any idea (1) what could be causing that and (2) whether it could be related to the problem with all those init_t processes?
It's easy: your init process is broken, all these daemons but init are mis-labeled, so all the files they create (such as log files) are mis-labeled.
And if the next question is "how to fix it?", the answer is easy too: "I don't have any clue..."
Assuming that httpd came from CentOS, it should be appropriately relabeled. If not, using the semanage -f context would fix it.
Are you talking about changing the security context on the /usr/sbin/httpd file itself? What should it be set to? Right now it's
[root@g6950-21025 ~]# ls -lZ /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:file_t /usr/sbin/httpd
This requires some thought. I'll respond back later.
Thanks!
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
What does
restorecon -R -v /usr/sbin
Say?
I ran that with the additional "-n" flag so it would just tell me what it *would* change (without actually changing anything) and it listed almost all the files in there (including httpd).
But then I tried something else first, the page at http://wiki.centos.org/HowTos/SELinux says that "if the system has been upgraded to CentOS-5.2 with SELinux disabled, and SELinux is then enabled", then the relabel will fail, and you have to run these three commands:
# genhomedircon
# touch /.autorelabel
# reboot
I tried that and it worked -- the httpd processes are now listed with "httpd_t" as their context, the /var/log/audit/audit.log file is listed with auditd_log_t as its type instead of file_t, etc.
I'm pretty sure this machine was never "upgraded to CentOS 5.2", it was just imaged with 5.7 when the hosting company set it up, but SELinux *was* off until I turned it on. So probably the doc should say, if the "system was *installed* with 5.2, then do this" (and presumably it's 5.2 or later, not just 5.2).
If this changes the label, then execute
fixfiles restore
Which should relabel the system.
If restorecon does nothing or prints error messages,
What file system are you using?
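The two symptoms discussed in this thread (daemons other than init running in init_t, and files still typed file_t) can be checked by matching the type field of the context exactly, which also avoids plain `grep init_t` matching its own command line. This is an added example, not part of the original thread; the function names are hypothetical, and the column layouts are assumed to be those of the CentOS 5 `ps auwxZ` and `ls -lZ` output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ps auwxZ`-style lines on stdin:
#   LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
# Prints "PID COMMAND" for every process whose SELinux type is exactly
# init_t but which is not PID 1 (init itself).
init_t_strays() {
    awk '{
        split($1, ctx, ":")            # user:role:type[:level]
        if (ctx[3] != "init_t" || $3 == 1) next
        cmd = $12
        for (i = 13; i <= NF; i++) cmd = cmd " " $i
        print $3, cmd
    }'
}

# Reads `ls -lZ` lines in the CentOS 5 layout shown in the thread:
#   MODE USER GROUP CONTEXT PATH   (assumes paths without spaces)
# Prints the path of every file still carrying the type file_t.
file_t_paths() {
    awk '{ split($4, ctx, ":"); if (ctx[3] == "file_t") print $5 }'
}

# Sample input: a few lines copied from the listings quoted in the thread.
SAMPLE_PS='system_u:system_r:init_t root 1 0.6 0.0 10368 712 ? Ss 04:17 0:00 init [3]
system_u:system_r:init_t root 2254 0.0 0.1 62656 1212 ? Ss 04:18 0:00 /usr/sbin/sshd
system_u:system_r:init_t apache 2315 0.3 1.3 259488 13376 ? S 04:18 0:00 /usr/sbin/httpd
root:system_r:initrc_t:SystemLow-SystemHigh root 2458 0.0 0.0 61176 768 pts/0 S+ 04:18 0:00 grep init_t'

SAMPLE_LS='-rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
-rw------- root root system_u:object_r:file_t /var/log/audit/audit.log'

printf '%s\n' "$SAMPLE_PS" | init_t_strays
printf '%s\n' "$SAMPLE_LS" | file_t_paths
```

On a live system the same functions take `ps auwxZ | init_t_strays` and `ls -lZ /var/log/audit | file_t_paths`; empty output from both after the relabel and reboot matches the fixed state described in the reply.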