This is more a CentOS issue, I think (hope), than SELinux. I've got some systems in permissive mode - good thing, or they'd be dead. They keep spewing execmem errors with Java, among other things. This *seems* like something that should be covered. I looked at the policy (selinux-policy-targeted), and it's 2.4.6. Googling around for the error, trying to find what's hopefully a boolean, or a role/etc. solution, I saw an FC package with a 3.something-or-other release. Now, I don't know if that relates to Fedora, or if that relates to an SELinux release.
Does anyone know? Are we, with CentOS, that far behind with something like this, which isn't even a port, but a policy?
mark, tired of crap in my logs
Does anyone know? Are we, with CentOS, that far behind with something like this, which isn't even a port, but a policy?
I dunno about CentOS, but on Fedora I just look at the message in the log file (/var/log/messages, IIRC) and it gives me a command to execute to view more details. When I do that, I get a window that comes up with a whole bunch of info, including a command I can use to permit this behavior from now on. Sometimes executing that command does not solve the issue, but usually there is a reasonably obvious way to tweak the command. If I can do it, anyone can, because as far as SELinux goes I know ZERO and am just fumbling around like a bull in a china shop. But I've been able to get that cruft out of my logs and allow stuff to work (on my desktop here at work).
Does anyone know? Are we, with CentOS, that far behind with something like this, which isn't even a port, but a policy?
I dunno about CentOS, but on Fedora I just look at the message in the log file (/var/log/messages, IIRC) and it gives me a command to execute to view more details. When I do that, I get a window that comes up with a whole bunch of info, including a command I can use to permit this behavior from now on. Sometimes executing that command does not solve the issue, but usually there is a reasonably obvious way to tweak the command. If I can do it, anyone can, because as far as SELinux goes I know ZERO and am just fumbling around like a bull in a china shop. But I've been able to get that cruft out of my logs and allow stuff to work (on my desktop here at work).
Yeah, I can use audit2allow. The trouble is that I don't know the ramifications of just adding that policy on an ad hoc basis - it might open it up for a real attack.
Plus, of course, SELinux does *not* always tell you the truth... meaning, its error handling is *not* correct. I've posted several times here, and over in the selinux-fedora group, because we're stuck with CA's SiteMinder, and SELinux would stop it from writing to its own logfile (apparently because the idiots at CA have the file opened for modify, rather than append)... but if I run the sealert for that, it claims I only need to set httpd_unified on, and that does NOT fix it.
mark
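An added example (the editor's, not code from anyone in this thread): a small Python triage script that does the first part of what audit2allow does, parsing AVC denial lines and collapsing them into allow rules, and then singles out the rules that would hand out execmem or one of the other memory-execution permissions. That is the "ramifications" check the post above is asking for: a rule like `allow httpd_t self:process { execmem };` lets the confined process run code from writable memory, which is a different kind of concession from letting it write one log file. The log lines, PIDs, hostnames and file names below are constructed for the example and do not come from the thread.

```python
"""Triage SELinux AVC denials before feeding them to audit2allow.

Added example, not from the original thread. Parses raw AVC records of the
kind found in /var/log/audit/audit.log (or /var/log/messages on a box
without auditd), groups them into the allow rules audit2allow would emit,
and flags the memory-execution permissions that weaken W^X protections.
"""
import re
from collections import defaultdict

# Permissions whose blanket approval is a real security regression: each one
# lets a process create or run writable+executable memory.
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod"}

# Constructed sample denials modelled on the kernel's AVC message format.
# The PIDs, inodes and file names are made up for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1234567890.123:42): avc:  denied  { execmem } for  pid=4321 comm="java" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1234567890.456:43): avc:  denied  { execmem } for  pid=4322 comm="java" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1234567890.789:44): avc:  denied  { write } for  pid=4400 comm="httpd" name="smagent.log" dev=dm-0 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1234567891.000:45): avc:  denied  { read } for  pid=4400 comm="httpd" name="index.html" dev=dm-0 ino=23456 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1234567891.000:45): arch=c000003e syscall=2 success=no exit=-13
"""

# Capture the permission set and the three fields a rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """user:role:type[:range] -> the type (third field)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial; non-AVC audit records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": _type_of(m.group("scontext")),
            "ttype": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def group_denials(denials):
    """Key denials on (source type, target type, class) and union the perms,
    so repeated denials of one kind (the two java lines) become one rule."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return grouped


def format_rule(key, perms):
    """Render one TE allow rule; 'self' when source and target types match."""
    stype, ttype, tclass = key
    if ttype == stype:
        ttype = "self"
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


def allow_rules(denials):
    """All rules a module built from these denials would contain."""
    return [format_rule(k, p) for k, p in sorted(group_denials(denials).items())]


def risky_rules(denials):
    """Only the rules granting a W^X-bypassing permission; review by hand."""
    return [format_rule(k, p) for k, p in sorted(group_denials(denials).items())
            if p & RISKY_PERMS]


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_LOG)
    print("# all rules")
    for r in allow_rules(denials):
        print(r)
    print("# needs a human decision before going into an enforcing module")
    for r in risky_rules(denials):
        print(r)
```

Run it over `grep avc /var/log/audit/audit.log` output instead of the sample. A box left in permissive mode has already logged every denial enforcing mode would have blocked, so the same log is the input for the real tool chain (`audit2allow -M local` then `semodule -i local.pp`); before writing a custom rule for any denial, `audit2why` from policycoreutils reports whether an existing boolean already covers it, which is the check behind the httpd_unified suggestion sealert gave in the post above.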
m.roth@5-cent.us wrote:
Does anyone know? Are we, with CentOS, that far behind with something like this, which isn't even a port, but a policy?
I dunno about CentOS, but on Fedora I just look at the message in the log file (/var/log/messages, IIRC) and it gives me a command to execute to view more details. When I do that, I get a window that comes up with a whole bunch of info, including a command I can use to permit this behavior from now on. Sometimes executing that command does not solve the issue, but usually there is a reasonably obvious way to tweak the command. If I can do it, anyone can, because as far as SELinux goes I know ZERO and am just fumbling around like a bull in a china shop. But I've been able to get that cruft out of my logs and allow stuff to work (on my desktop here at work).
Yeah, I can use audit2allow. The trouble is that I don't know the ramifications of just adding that policy on an ad hoc basis - it might open it up for a real attack.
Of course you should be cautious of opening up things you do not fully understand, but you're running in permissive mode, meaning that you are already wide open from an SELinux perspective, so adding a custom policy and putting SELinux back into enforcing mode isn't going to put you any more at risk, other than maybe giving you some false sense of security.
m.roth@5-cent.us wrote:
Does anyone know? Are we, with CentOS, that far behind with something like this, which isn't even a port, but a policy?
I dunno about CentOS, but on Fedora I just look at the message in the log file (/var/log/messages, IIRC) and it gives me a command to execute to view more details. When I do that, I get a window that comes up
<snip>
Yeah, I can use audit2allow. The trouble is that I don't know the ramifications of just adding that policy on an ad hoc basis - it might open it up for a real attack.
Of course you should be cautious of opening up things you do not fully understand, but you're running in permissive mode, meaning that you are already wide open from an SELinux perspective, so adding a custom policy and putting SELinux back into enforcing mode isn't going to put you any more at risk, other than maybe giving you some false sense of security.
Yes, but I have some systems that *do* have it enforcing, and some that are permissive are also production (as in, websites visible to the world), and I want to test my changes before I put them on the enforcing servers....
mark