On 12/02/2010 06:34 PM, Jerry Franz wrote:
On 11/28/2010 09:31 AM, Benjamin Franz wrote:
[...] And then, one day, it won't work. Worse - it doesn't always *log* what it is doing in a way that you can figure out. Occasionally not at all. So you spend a few hours poking at the system until you try the magic of turning off SELinux. And then it starts working again.
My experience is that *unless you have a system configured exactly like the defaults*, SELinux is prone to suddenly deciding after an update that it doesn't like your configuration anymore. Once because an update to SELinux changed the labeling on an existing directory tree - blowing away my own applied labeling with no warning. And there are even RH supplied rpms that *do not work* with SELinux without SELinux being tweaked first.
And in an exact example of this, today I needed to update some WordPress (WP) installations. Only, for "some reason" the FTP based autoupdater didn't work today.
You guessed it - SELinux had struck again. I have left SELinux active on this machine because I don't trust WP not to get hacked. I went out of my way to make the system as SELinux friendly as I could when I built it because of this. It has had SELinux active right from the start.
But something in the normal yum system updates or other routine system operation over the last several months apparently caused the system to mis-label part of the directory tree making it so that FTP (which is only allowed from the localhost to support WP updating) could no longer access some directory trees. No idea why: I'm the only person who has logged into the machine since March - and I only log in to run updates. It worked on April 26th - but not today.
My fix today? I temporarily disabled SELinux, ran the WP updates, touched /.autorelabel and rebooted the machine. And "mysteriously" the FTP problem is gone now. This isn't the first time this has happened on this machine.
If I wasn't so specifically paranoid about WP, SELinux would be disabled on this machine as well.
Did you take a look at the AVC messages? Are you running setroubleshoot?
Usually running something like restorecon -R -v /var/ftp would have cleaned this up, if it is a simple mislabel in the /var directory.
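
The reply's first question, "Did you take a look at the AVC messages?", as an added example that is not part of the original e-mail: a small parser that groups AVC denials by process, source type, target type and class, and flags targets carrying a generic type, which is a heuristic sign of lost labels. The sample records are constructed; the daemon name vsftpd, the file names and the inode numbers are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the thread); vsftpd, the file
# names and the inode numbers are assumptions made for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291314840.101:411): avc:  denied  { write } for  pid=2210 comm="vsftpd" name="wp-content" dev=sda1 ino=91811 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1291314840.102:412): avc:  denied  { write } for  pid=2210 comm="vsftpd" name="wp-content" dev=sda1 ino=91811 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1291314840.102:412): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd"
type=AVC msg=audit(1291314841.300:413): avc:  denied  { read write } for  pid=2210 comm="vsftpd" name="wp-config.php" dev=sda1 ino=91822 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Count denials per (comm, source type, target type, class, perms)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL/PATH and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue  # granted or malformed AVC record
        perms = tuple(sorted(m.group("perms").split()))
        counts[(m.group("comm"), context_type(m.group("scontext")),
                context_type(m.group("tcontext")), m.group("tclass"), perms)] += 1
    return counts

def mislabel_suspects(counts, generic_types=("default_t", "file_t", "unlabeled_t")):
    """Heuristic: denials whose target carries a generic type suggest lost labels."""
    return sorted(k for k in counts if k[2] in generic_types)

if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    for key, n in summary.most_common():
        print(n, *key)
    print("check labels for:", mislabel_suspects(summary))
```

A target type such as default_t on a tree that was labeled by hand is the case where a restorecon run, as suggested in the reply, is the usual next step.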