I did a complete clean install of CentOS 5 from CD yesterday. I took the default selinux configuration.
After that I ran yum update and found 600 plus updates and installs. I let it go to do the updates and during that process I saw a large number of issues in the selinux troubleshooter.
I also see these kinds of things in /var/log/messages:
**Unmatched Entries** (Only first 10 out of 49031 are printed)
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=2 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
...
This makes me wonder if I've now got a corrupt system because of partial installs/upgrades on a number of packages?
Do I need to start over with a clean install again, and how do I avoid this problem the next time I try to run updates after the install?
thanks, -chuck
Chuck Campbell wrote:
I did a complete clean install of CentOS 5 from CD yesterday. I took the default selinux configuration.
After that I ran yum update and found 600 plus updates and installs.
That's a lot of updates. Do you really mean CentOS 5 rather than 5.2?
I let it go to do the updates and during that process I saw a large number of issues in the selinux troubleshooter.
I also see these kinds of things in /var/log/messages:
**Unmatched Entries** (Only first 10 out of 49031 are printed)
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=2 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
...
This makes me wonder if I've now got a corrupt system because of partial installs/upgrades on a number of packages?
Do I need to start over with a clean install again, and how do I avoid this problem the next time I try to run updates after the install?
Could try putting selinux in permissive mode, or disabling, before updating - then restoring to the more secure level; however, that should not be necessary.
Phil
Chuck Campbell wrote:
I did a complete clean install of CentOS 5 from CD yesterday.
If you really updated from 5.0 to 5.2 ...
I took the default selinux configuration.
**Unmatched Entries** (Only first 10 out of 49031 are printed)
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=2 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
... then please do a "touch /.autorelabel" and reboot - this will take some time, because SELinux will relabel your file system.
Cheers,
Ralph
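Added example, not code from the thread: a small POSIX shell script that triages the audit messages Chuck quoted (the sample lines are constructed from his post), reports how many audit records the kernel dropped before auditd and setroubleshoot ever saw them, and prints the remediation steps rather than running them. The `auditctl -b` command and the `-b` line in /etc/audit/audit.rules are assumptions from the standard audit toolchain, not something anyone in the thread mentioned; the relabel step is Ralph's advice.

```shell
#!/bin/sh
# Constructed sample of the /var/log/messages lines from the post; on a real
# box point SAMPLE_LOG at the actual log instead.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=2 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
EOF

# Number of times the kernel reported its audit queue as full.
count_overflows() { grep -c 'backlog limit exceeded' "$1"; }

# Highest audit_lost counter seen: records dropped in the kernel, so the
# troubleshooter's view of what SELinux denied during the update is incomplete.
max_lost() { sed -n 's/.*audit_lost=\([0-9]*\).*/\1/p' "$1" | sort -n | tail -n 1; }

# Backlog limit that was in force when the messages were written.
configured_limit() { sed -n 's/.*audit_backlog_limit=\([0-9]*\).*/\1/p' "$1" | tail -n 1; }

# Smallest doubling of the configured limit that exceeds the peak backlog seen.
suggest_limit() {
    peak=$(sed -n 's/.*audit_backlog=\([0-9]*\) >.*/\1/p' "$1" | sort -n | tail -n 1)
    n=$(configured_limit "$1")
    while [ "$n" -le "$peak" ]; do n=$((n * 2)); done
    echo "$n"
}

# Print findings and the commands an admin would run (nothing is executed here).
report() {
    echo "queue overflows: $(count_overflows "$1"), records lost: $(max_lost "$1")"
    echo "raise the queue for this boot:  auditctl -b $(suggest_limit "$1")"
    echo "make it persistent:             add '-b $(suggest_limit "$1")' to /etc/audit/audit.rules"
    echo "after a large update, relabel:  touch /.autorelabel && reboot"
}

report "$SAMPLE_LOG"
```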
On Thu, Mar 5, 2009 at 3:09 AM, Chuck Campbell campbell@accelinc.com wrote:
Do I need to start over with a clean install again, and how do I avoid this problem the next time I try to run updates after the install?
Just my noob opinion, that if there's no practical and definitive benefit from enabling SELinux, for the time being until it is matured, the best thing to do is just set it to off. Otherwise, it just generally causes trouble and runs up tons of log as it is.
I'd love to be enlightened on this though :)
On Fri, 6 Mar 2009, Noob Centos Admin wrote:
Just my noob opinion, that if there's no practical and definitive benefit from enabling SELinux, for the time being until it is matured, the best thing to do is just set it to off. Otherwise, it just generally causes trouble and runs up tons of log as it is.
I'd love to be enlightened on this though :)
There are VERY definitive benefits to running SELinux. The best description I've found is that it is like an iron cage on the inside of a window. Even if something gets past the glass, it's still inside a window. I've had SELinux stop exploits against php scripts on production servers. It is also a great training tool for teaching you what "common practices" you've picked up are a bad idea (i.e., cp'ing stuff around as root).
That said, it does generate some very obtuse log messages (the deciphering of which will teach you even more).
----------------------------------------------------------------------
Jim Wildman, CISSP, RHCE jim@rossberry.com http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine
On Fri, Mar 6, 2009 at 4:06 AM, Jim Wildman jim@rossberry.com wrote:
There are VERY definitive benefits to running SELinux. The best description I've found is that it is like an iron cage on the inside of a window. Even if something gets past the glass, it's still inside a window. I've had SELinux stop exploits against php scripts on production servers.
On my first Centos (5.0) box, that was what I thought. SELinux sounded like a fantastic idea. Until all it does is clog up the log and bog down the system, I had to kill/mangle setroubleshoot before the system became responsive again. Hence in the end, it did not seem to provide any practical benefits.
It is also a great training tool for teaching you what "common practices" you've picked up are a bad idea (i.e., cp'ing stuff around as root).
Darn! :D
What would be the recommended practice for moving files owned by a different user to another user if not via su and cp/mv?
That said, it does generate some very obtuse log messages (the deciphering of which will teach you even more).
Any difficult learning process naturally will teach more. However, when you're pressed for time to get something working and that is only a supplementary role (administrating the box) to your primary task, very often it's just easier and faster to make do with what works.
Clients, unfortunately, very often do not appreciate invisible efforts/benefits. Kind of like feeling you were trying to rip them off for specing that "redundant" raid gizmo, until the drive actually crashes. :(
On Thu, Mar 5, 2009 at 2:58 PM, Noob Centos Admin centos.admin@gmail.com wrote:
Just my noob opinion, that if there's no practical and definitive benefit from enabling SELinux, for the time being until it is matured, the best thing to do is just set it to off. Otherwise, it just generally causes trouble and runs up tons of log as it is.
I'd love to be enlightened on this though :)
Real world example -> http://www.linuxjournal.com/article/9176
SELinux stopped a mambo exploit from compromising the system. For LAMP systems, selinux and mod_security are pretty much a requirement for a secure setup.
On Fri, Mar 6, 2009 at 5:38 AM, Jim Perrin jperrin@gmail.com wrote:
Real world example -> http://www.linuxjournal.com/article/9176
SELinux stopped a mambo exploit from compromising the system. For LAMP systems, selinux and mod_security are pretty much a requirement for a secure setup.
Thanks for the link, it's giving me incentive to just grit my teeth to try to chew and swallow SELinux on the next publicly accessible setup.