Hi Guys, My google foo is failing me this afternoon. Just configuring a new C6 install. I know there are SELinux alerts happening, eg: I know I need to enable named to write to the local .jnl file as part of dynamic DNS, but sealert -b is not listing any alerts. I can see raw audit messages. Is there some daemon I have forgotten to start or install?
Thanks
Ken
Hello Ken. Try this: "<search term> site:danwalsh.livejournal.com" in your searches. Also this is a good book: http://www.amazon.com/SELinux-Example-Using-Security-Enhanced/dp/0131963694/...
This is the best I can do as I don't understand. What message? Could you post it? If it's bind, did you check iptables?
All the best, Paul
On 22 July 2013 15:41, Ken Smith kens@kensnet.org wrote:
Hi Guys, My google foo is failing me this afternoon. Just configuring a new C6 install. I know there are SELinux alerts happening, eg: I know I need to enable named to write to the local .jnl file as part of dynamic DNS, but sealert -b is not listing any alerts. I can see raw audit messages. Is there some daemon I have forgotten to start or install?
Thanks
Ken
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 07/22/2013 10:55 AM, Paul Norton wrote:
Hello Ken. Try this: "<search term> site:danwalsh.livejournal.com" in your searches. Also this is a good book: http://www.amazon.com/SELinux-Example-Using-Security-Enhanced/dp/0131963694/...
This is the best I can do as I don't understand. What message? Could you post it? If it's bind, did you check iptables?
All the best, Paul
On 22 July 2013 15:41, Ken Smith kens@kensnet.org wrote:
Hi Guys, My google foo is failing me this afternoon. Just configuring a new C6 install. I know there are SELinux alerts happening, eg: I know I need to enable named to write to the local .jnl file as part of dynamic DNS, but sealert -b is not listing any alerts. I can see raw audit messages. Is there some daemon I have forgotten to start or install?
Thanks
Ken
auditd?
On 07/22/2013 07:41 AM, Ken Smith wrote:
Hi Guys, My google foo is failing me this afternoon. Just configuring a new C6 install. I know there are SELinux alerts happening, eg: I know I need to enable named to write to the local .jnl file as part of dynamic DNS, but sealert -b is not listing any alerts. I can see raw audit messages. Is there some daemon I have forgotten to start or install?
If you don't see AVCs logged and suspect that SELinux is causing you problems anyway, enable all logging:
semodule -BD
http://fedoraproject.org/wiki/SELinux/Troubleshooting
If you don't see AVCs in the log, then SELinux isn't denying access.
Normally if files are created in /var/named/dynamic, then the SELinux context will already be set correctly.
Gordon Messmer wrote:
On 07/22/2013 07:41 AM, Ken Smith wrote:
Hi Guys, My google foo is failing me this afternoon. Just configuring a new C6 install. I know there are SELinux alerts happening, eg: I know I need to enable named to write to the local .jnl file as part of dynamic DNS, but sealert -b is not listing any alerts. I can see raw audit messages. Is there some daemon I have forgotten to start or install?
If you don't see AVCs logged and suspect that SELinux is causing you problems anyway, enable all logging:
semodule -BD
http://fedoraproject.org/wiki/SELinux/Troubleshooting
If you don't see AVCs in the log, then SELinux isn't denying access.
Normally if files are created in /var/named/dynamic, then the SELinux context will already be set correctly.
For some reason auditd wasn't running or enabled. I'm now seeing the messages I needed in /var/log/messages. I'm running bind chrooted and various other tweaks mean I need to set SELinux accordingly.
Thanks
Ken
On 23 Jul 2013 07:42, "Ken Smith" kens@kensnet.org wrote:
For some reason auditd wasn't running or enabled. I'm now seeing the messages I needed in /var/log/messages. I'm running bind chrooted and various other tweaks mean I need to set SELinux accordingly.
Bind chroot via the standard chroot package should just work with selinux...
Be careful that you don't just follow the audit.log blindly (eg audit2allow -aM) but think through each bit carefully...
I'd suggest starting for each exception with "is this already covered by a boolean" and then double-checking your file contexts before even considering an additional custom module.
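An added example (not from anyone on this thread) that ties Gordon's point about where AVCs show up to James's triage order: it pulls denial records out of either audit.log or /var/log/messages (the type=1400 syslog form the kernel emits when auditd is not running), parses one, and prints the boolean / file-context / audit2allow checks to run, in that order. The log lines, hostname and zone file name are constructed; the commands it prints are the standard CentOS 6 tools.

```bash
#!/bin/bash
# Constructed sample records (not real logs). The second is the syslog form
# (type=1400) seen in /var/log/messages when auditd is not running.
SAMPLE_AUDITLOG='type=AVC msg=audit(1374500000.123:456): avc:  denied  { write } for  pid=1234 comm="named" name="example.com.zone.jnl" dev=dm-0 ino=98765 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file'
SAMPLE_MESSAGES='Jul 22 15:41:02 c6 kernel: type=1400 audit(1374500000.123:456): avc:  denied  { write } for  pid=1234 comm="named" name="example.com.zone.jnl" dev=dm-0 ino=98765 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file'

# extract_avcs: keep only denial records from stdin, whichever log they came from.
extract_avcs() { grep 'avc: *denied'; }

# avc_field RECORD KEY: value of KEY=... with surrounding quotes removed.
avc_field() {
    local rest=${1#* $2=}
    [ "$rest" = "$1" ] && return 1          # key not present in this record
    rest=${rest%% *}
    rest=${rest#\"}; printf '%s\n' "${rest%\"}"
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# triage RECORD: print the checks to run, boolean first, then contexts, then a module.
triage() {
    local perm src tgt name
    perm=$(printf '%s\n' "$1" | sed 's/.*{ \([^}]*\) }.*/\1/')
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    name=$(avc_field "$1" name)
    echo "denial: $src -> $tgt ($(avc_field "$1" tclass) $perm) on $name"
    if [ "$src" = named_t ] && [ "$tgt" = named_zone_t ] && [ "$perm" = write ]; then
        # named writing a master zone / journal: there is a boolean for exactly this.
        echo "1. boolean: getsebool named_write_master_zones  (setsebool -P named_write_master_zones on)"
        echo "2. context: dynamic zone data belongs in /var/named/dynamic (named_cache_t);"
        echo "   compare with: matchpathcon /var/named/dynamic/$name ; fix with restorecon -Rv /var/named"
    else
        echo "1. boolean: getsebool -a | grep ${src%_t}   (look for one covering '$perm')"
        echo "2. context: matchpathcon <path> vs ls -Z <path>; restorecon -v <path> if they differ"
    fi
    echo "3. only then: audit2allow -w -a to see why, before building a custom module"
}

# Stand-alone demo over the constructed lines.
printf '%s\n%s\n' "$SAMPLE_MESSAGES" "not an avc line" | extract_avcs
triage "$SAMPLE_AUDITLOG"
```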
James Hogarth wrote:
On 23 Jul 2013 07:42, "Ken Smith" kens@kensnet.org wrote:
For some reason auditd wasn't running or enabled. I'm now seeing the messages I needed in /var/log/messages. I'm running bind chrooted and various other tweaks mean I need to set SELinux accordingly.
Bind chroot via the standard chroot package should just work with selinux...
Be careful that you don't just follow the audit.log blindly (eg audit2allow -aM) but think through each bit carefully...
I'd suggest starting for each exception with "is this already covered by a boolean" and then double-checking your file contexts before even considering an additional custom module.
For some reason SELinux was blocking the updates to the zone files that are the result of DHCP leases being issued. Fixed now. Also I run MailScanner and the SELinux context needed correcting on mqueue.in, in addition to allowing SSH to operate on the non-standard port I've set it to.
Thanks
Ken
On 07/23/2013 07:15 AM, Ken Smith wrote:
James Hogarth wrote:
On 23 Jul 2013 07:42, "Ken Smith" kens@kensnet.org wrote:
For some reason auditd wasn't running or enabled. I'm now seeing the messages I needed in /var/log/messages. I'm running bind chrooted and various other tweaks mean I need to set SELinux accordingly.
Bind chroot via the standard chroot package should just work with selinux...
Be careful that you don't just follow the audit.log blindly (eg audit2allow -aM) but think through each bit carefully...
I'd suggest starting for each exception with "is this already covered by a boolean" and then double-checking your file contexts before even considering an additional custom module.
For some reason SELinux was blocking the updates to the zone files that are the result of DHCP leases being issued. Fixed now. Also I run MailScanner and the SELinux context needed correcting on mqueue.in, in addition to allowing SSH to operate on the non-standard port I've set it to.
Thanks
Ken
named_write_master_zones boolean?