I'm trying out aide since tripwire doesn't seem to be in the 5. releases anymore. I do not have Selinux on the server (no at installation), and I just yum installed the aide rpms, so I should have the latest.
When I run my aide --init, I get all of these lines for all the files:
lgetfilecon_raw failed for /usr/share/X11/app-defaults/XLogo:No data available
I then copy the 'new' db file to the regular db file and run aide --check, and it seems I get the above lines all over again. It's as though the db files aren't being read. I noticed in the preceding release of aide that problems existed and were related to Selinux and the inability to read gz files. Am I doing something obviously wrong? Do I need to do an --update or is this just when I get reports that something has changed after the --init?
Thanks for any help and replies.
Steve Campbell
On Wed, Apr 9, 2008 at 11:39 AM, Steve Campbell campbell@cnpapers.com wrote:
I'm trying out aide since tripwire doesn't seem to be in the 5. releases anymore. I do not have Selinux on the server (no at installation), and I just yum installed the aide rpms, so I should have the latest.
When I run my aide --init, I get all of these lines for all the files:
There's an aide how-to for centos5 here -> http://www.bofh-hunter.com/2007/12/04/centos-5-and-aide/
Jim Perrin wrote:
On Wed, Apr 9, 2008 at 11:39 AM, Steve Campbell campbell@cnpapers.com wrote:
I'm trying out aide since tripwire doesn't seem to be in the 5. releases anymore. I do not have Selinux on the server (no at installation), and I just yum installed the aide rpms, so I should have the latest.
When I run my aide --init, I get all of these lines for all the files:
There's an aide how-to for centos5 here -> http://www.bofh-hunter.com/2007/12/04/centos-5-and-aide/
Thanks Jim,
Believe it or not, that's what I started out with.
After running the entire --init/--check scenario again, I see in the log files and the output that all files get this message, and a normal output of what should be there, showing changed and unchanged files, appears at the bottom of the log. So what is this "lgetfilecon_raw failed for" showing up for each file saying to me? Is it a verbosity setting, or something like that?
Thanks
steve
On Wed, Apr 9, 2008 at 12:03 PM, Steve Campbell campbell@cnpapers.com wrote:
Thanks Jim,
Believe it or not, that's what I started out with.
After running the entire --init/--check scenario again, I see in the log files and the output that all files get this message, and a normal output of what should be there, showing changed and unchanged files, appears at the bottom of the log. So what is this "lgetfilecon_raw failed for" showing up for each file saying to me? Is it a verbosity setting, or something like that?
Mostly it's telling you that it can't get all the information about the files it's checking. Are you doing this as root? Are you certain that selinux is off? Have you modified any of the mount parameters with noexec or anything else?
Jim Perrin wrote:
On Wed, Apr 9, 2008 at 12:03 PM, Steve Campbell campbell@cnpapers.com wrote:
Thanks Jim,
Believe it or not, that's what I started out with.
After running the entire --init/--check scenario again, I see in the log files and the output that all files get this message, and a normal output of what should be there, showing changed and unchanged files, appears at the bottom of the log. So what is this "lgetfilecon_raw failed for" showing up for each file saying to me? Is it a verbosity setting, or something like that?
Mostly it's telling you that it can't get all the information about the files it's checking. Are you doing this as root? Are you certain that selinux is off? Have you modified any of the mount parameters with noexec or anything else?
Jim,
Here's my mount list:
/dev/sda8 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda7 on /home type ext3 (rw)
/dev/sda9 on /opt type ext3 (rw)
/dev/sda5 on /tmp type ext3 (rw)
/dev/sda3 on /usr type ext3 (rw)
/dev/sdb1 on /usr/local type ext3 (rw)
/dev/sda2 on /var type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
I have one smb mounted for full system backups. This box is pretty vanilla, as we run Thunderstone search engine on it. I believe those are the only mods to the box after install, and I don't think it changed anything else.
The aide --v looks like:
Aide 0.13.1
Compiled with the following options:
WITH_MMAP WITH_POSIX_ACL WITH_SELINUX WITH_XATTR WITH_LSTAT64 WITH_READDIR64 WITH_GCRYPT WITH_AUDIT CONFIG_FILE = "/etc/aide.conf"
I ran the --init/--check with the default config originally and got the same output. I then tried "-selinux" on the options that included "+selinux", just for the hell of it. I don't know if that's OK or not. --check-config doesn't burp on it, though.
My /etc/selinux/config file has SELINUX=disabled in it and always has.
At a loss, but thanks loads for the help and time.
steve
On 4/9/08, Steve Campbell campbell@cnpapers.com wrote:
I ran the --init/--check with the default config originally and got the same output. I then tried "-selinux" on the options that included "+selinux", just for the hell of it. I don't know if that's OK or not. --check-config doesn't burp on it, though.
I don't think this is selinux failing so much as a normal grabbing of file info. Does it do this for all files, or just for the samba shares?
Jim Perrin wrote:
On 4/9/08, Steve Campbell campbell@cnpapers.com wrote:
I ran the --init/--check with the default config originally and got the same output. I then tried "-selinux" on the options that included "+selinux", just for the hell of it. I don't know if that's OK or not. --check-config doesn't burp on it, though.
I don't think this is selinux failing so much as a normal grabbing of file info. Does it do this for all files, or just for the samba shares?
It doesn't check the samba shares at all, if I'm not mistaken. These are all normal, locally mounted drives on the normal mount points (/, /usr, home, /var and so forth)
steve
I think those errors are because selinux is off.
On Wed, 2008-04-09 at 12:12 -0400, Jim Perrin wrote:
On Wed, Apr 9, 2008 at 12:03 PM, Steve Campbell campbell@cnpapers.com wrote:
Thanks Jim,
Believe it or not, that's what I started out with.
After running the entire --init/--check scenario again, I see in the log files and the output that all files get this message, and a normal output of what should be there, showing changed and unchanged files, appears at the bottom of the log. So what is this "lgetfilecon_raw failed for" showing up for each file saying to me? Is it a verbosity setting, or something like that?
Mostly it's telling you that it can't get all the information about the files it's checking. Are you doing this as root? Are you certain that selinux is off? Have you modified any of the mount parameters with noexec or anything else?
On Wed, Apr 9, 2008 at 3:08 PM, Marc Wiatrowski mwia@iglass.net wrote:
I think those errors are because selinux is off.
Hmm, I don't ever really turn selinux off, but I had always thought aide treated it as optional.
Could test by setting it to permissive and trying again. This would be interesting to test.
Jim Perrin wrote:
On Wed, Apr 9, 2008 at 3:08 PM, Marc Wiatrowski mwia@iglass.net wrote:
I think those errors are because selinux is off.
Hmm, I don't ever really turn selinux off, but I had always thought aide treated it as optional.
Could test by setting it to permissive and trying again. This would be interesting to test.
I'm not sure if a reboot is required or not. I set permissive in the config file and echoed 1 into /selinux/enforce and then tried firstly the --check, and then an --init. Both still show the faulty lines.
I will set it up properly and do a reboot tomorrow to see if it changes things, but for now, it doesn't.
steve
On 4/9/08, Steve Campbell campbell@cnpapers.com wrote:
Jim Perrin wrote:
On Wed, Apr 9, 2008 at 3:08 PM, Marc Wiatrowski mwia@iglass.net wrote:
I think those errors are because selinux is off.
Hmm, I don't ever really turn selinux off, but I had always thought aide treated it as optional.
Could test by setting it to permissive and trying again. This would be interesting to test.
I'm not sure if a reboot is required or not. I set permissive in the config file and echoed 1 into /selinux/enforce and then tried firstly the --check, and then an --init. Both still show the faulty lines.
I will set it up properly and do a reboot tomorrow to see if it changes things, but for now, it doesn't.
steve
Hi there
It is probably worth doing "touch /.autorelabel" before the reboot, as nothing will have really changed with the above actions.
This will force relabelling of your fs after the reboot and may give you the context info that you require.
mike
Michael Simpson wrote:
On 4/9/08, Steve Campbell campbell@cnpapers.com wrote:
Jim Perrin wrote:
On Wed, Apr 9, 2008 at 3:08 PM, Marc Wiatrowski mwia@iglass.net wrote:
I think those errors are because selinux is off.
Hmm, I don't ever really turn selinux off, but I had always thought aide treated it as optional.
Could test by setting it to permissive and trying again. This would be interesting to test.
I'm not sure if a reboot is required or not. I set permissive in the config file and echoed 1 into /selinux/enforce and then tried firstly the --check, and then an --init. Both still show the faulty lines.
I will set it up properly and do a reboot tomorrow to see if it changes things, but for now, it doesn't.
steve
Hi there
It is probably worth doing "touch /.autorelabel" before the reboot, as nothing will have really changed with the above actions.
This will force relabelling of your fs after the reboot and may give you the context info that you require.
mike
Thanks Mike,
I'm not sure I can do the reboot today as I have had to put the server into a temporary production status.
The thing that is sort of bothering me, though, is that so much trouble occurs because of selinux when trying to use aide RPMs. Might I not try and generate my own rpms without selinux support or just compile from source? Is there a way I can disable the selinux stuff when using the Centos rpms? I'm still not hearing a definitive answer that selinux is the culprit here and modifying filesystems for a test is a little extreme.
I appreciate the help so far, though, and don't mean to sound ungrateful.
steve
On Thursday 10 April 2008 13:51:02 Steve Campbell wrote:
Michael Simpson wrote:
On 4/9/08, Steve Campbell campbell@cnpapers.com wrote:
Jim Perrin wrote:
On Wed, Apr 9, 2008 at 3:08 PM, Marc Wiatrowski mwia@iglass.net wrote:
I think those errors are because selinux is off.
Hmm, I don't ever really turn selinux off, but I had always thought aide treated it as optional.
Could test by setting it to permissive and trying again. This would be interesting to test.
I'm not sure if a reboot is required or not. I set permissive in the config file and echoed 1 into /selinux/enforce and then tried firstly the --check, and then an --init. Both still show the faulty lines.
I will set it up properly and do a reboot tomorrow to see if it changes things, but for now, it doesn't.
steve
Hi there
It is probably worth doing "touch /.autorelabel" before the reboot, as nothing will have really changed with the above actions.
This will force relabelling of your fs after the reboot and may give you the context info that you require.
mike
Thanks Mike,
I'm not sure I can do the reboot today as I have had to put the server into a temporary production status.
The thing that is sort of bothering me, though, is that so much trouble occurs because of selinux when trying to use aide RPMs. Might I not try and generate my own rpms without selinux support or just compile from source? Is there a way I can disable the selinux stuff when using the Centos rpms? I'm still not hearing a definitive answer that selinux is the culprit here and modifying filesystems for a test is a little extreme.
I appreciate the help so far, though, and don't mean to sound ungrateful.
steve
Like yourself I'm thinking of moving from tripwire to aide on our production servers this summer. So I have an interest in this working ;-)
First check your selinux setup with sestatus. That will tell you whether it is in enforcing or permissive mode or even disabled.
If it's permissive or disabled then selinux wouldn't appear to be your problem, as then it shouldn't stop anything from working.
If it's in enforcing mode then maybe it is.
If it's in enforcing or permissive mode then it will put its error messages in /var/log/audit/audit.log
Check there for AVC messages from aide.
Regards,
Tony.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Thu, Apr 10, 2008 at 8:51 AM, Steve Campbell campbell@cnpapers.com wrote:
Thanks Mike,
I'm not sure I can do the reboot today as I have had to put the server into a temporary production status.
The thing that is sort of bothering me, though, is that so much trouble occurs because of selinux when trying to use aide RPMs. Might I not try and generate my own rpms without selinux support or just compile from source? Is there a way I can disable the selinux stuff when using the Centos rpms? I'm still not hearing a definitive answer that selinux is the culprit here and modifying filesystems for a test is a little extreme.
I appreciate the help so far, though, and don't mean to sound ungrateful.
Give me an hour or so. I'm testing with selinux off, and in permissive mode. Hopefully I'll be able to duplicate what you're getting, and fix it. I've got a spare blade to test this on, so that's how I'm spending the next few minutes.
Jim Perrin wrote:
On Thu, Apr 10, 2008 at 8:51 AM, Steve Campbell campbell@cnpapers.com wrote:
Thanks Mike,
I'm not sure I can do the reboot today as I have had to put the server into a temporary production status.
The thing that is sort of bothering me, though, is that so much trouble occurs because of selinux when trying to use aide RPMs. Might I not try and generate my own rpms without selinux support or just compile from source? Is there a way I can disable the selinux stuff when using the Centos rpms? I'm still not hearing a definitive answer that selinux is the culprit here and modifying filesystems for a test is a little extreme.
I appreciate the help so far, though, and don't mean to sound ungrateful.
Give me an hour or so. I'm testing with selinux off, and in permissive mode. Hopefully I'll be able to duplicate what you're getting, and fix it. I've got a spare blade to test this on, so that's how I'm spending the next few minutes.
Tony and Jim,
sestatus reports disabled. Thanks for the help on the test, Jim.
steve
On Thu, Apr 10, 2008 at 9:24 AM, Steve Campbell campbell@cnpapers.com wrote:
Tony and Jim,
sestatus reports disabled. Thanks for the help on the test, Jim.
Okay, so here's the deal. The default aide.conf checks the selinux bits. If you need to have selinux off (not really recommended, but it's your box) and you still want aide to watch over your files, you need to remove the selinux requirements from /etc/aide.conf. I've gone ahead and done up a config file which is identical to the default with selinux bits removed. Grab the file from http://www.bofh-hunter.com/downloads/aide.conf or use the diff below against the default config:
--- aide.conf.bak 2008-04-10 04:37:18.000000000 -0400 +++ aide.conf 2008-04-10 05:16:09.000000000 -0400 @@ -61,27 +61,27 @@ # ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger # Everything but access time (Ie. all changes) -EVERYTHING = R+ALLXTRAHASHES +EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES
# Sane, with multiple hashes # NORMAL = R+rmd160+sha256+whirlpool -NORMAL = R+rmd160+sha256 +NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
# For directories, don't bother doing hashes -DIR = p+i+n+u+g+acl+selinux+xattrs +DIR = p+i+n+u+g+acl+xattrs
# Access control only -PERMS = p+i+u+g+acl+selinux +PERMS = p+i+u+g+acl
# Logfile are special, in that they often change -LOG = > +LOG = p+u+g+i+n+S+acl+xattrs
# Just do md5 and sha256 hashes -LSPP = R+sha256 +LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256
# Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes -DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger +DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
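Review bot: the hunk only rewrites the named groups in this region (EVERYTHING, NORMAL, DIR, PERMS, LOG, LSPP, DATAONLY); its own expansions of R and > show that the built-in groups carry selinux in this WITH_SELINUX build, so any selection line later in aide.conf that uses R or > directly, rather than one of these names, will still request a file context and still fail with SELinux disabled. Suggest extending the change to those lines on the same pattern, or at least checking, after applying the diff, that no remaining rule resolves to selinux before rebuilding the database. A short comment in the file saying that these are the stock R and > expansions minus selinux would also help the next person who diffs against the default config.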
Jim Perrin wrote:
On Thu, Apr 10, 2008 at 9:24 AM, Steve Campbell campbell@cnpapers.com wrote:
Tony and Jim,
sestatus reports disabled. Thanks for the help on the test, Jim.
Okay, so here's the deal. The default aide.conf checks the selinux bits. If you need to have selinux off (not really recommended, but it's your box) and you still want aide to watch over your files, you need to remove the selinux requirements from /etc/aide.conf. I've gone ahead and done up a config file which is identical to the default with selinux bits removed. Grab the file from http://www.bofh-hunter.com/downloads/aide.conf or use the diff below against the default config:
--- aide.conf.bak 2008-04-10 04:37:18.000000000 -0400 +++ aide.conf 2008-04-10 05:16:09.000000000 -0400 @@ -61,27 +61,27 @@ # ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger # Everything but access time (Ie. all changes) -EVERYTHING = R+ALLXTRAHASHES +EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES
# Sane, with multiple hashes # NORMAL = R+rmd160+sha256+whirlpool -NORMAL = R+rmd160+sha256 +NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
# For directories, don't bother doing hashes -DIR = p+i+n+u+g+acl+selinux+xattrs +DIR = p+i+n+u+g+acl+xattrs
# Access control only -PERMS = p+i+u+g+acl+selinux +PERMS = p+i+u+g+acl
# Logfile are special, in that they often change -LOG = > +LOG = p+u+g+i+n+S+acl+xattrs
# Just do md5 and sha256 hashes -LSPP = R+sha256 +LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256
# Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes -DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger +DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
Jim,
I tried the new config file - the downloaded one - and it still gives me the errors. I then went through and removed the xattr options on all of them, with no luck still. I have not run the --check yet.
OK, so what if I enable permissive mode just to get the extra attributes on all the files, and do all the stuff needed to relabel the files? Will I see any difference in what I have other than the extended attributes? Since this server will go full time production real soon, I don't want to cause any surprises for me or the users, and I don't have the time to learn selinux admin and configuration in a short time either. I know, that sounds lazy, but I just have a full plate at the moment, sorry.
Thanks for all your time. I really do appreciate the fact you're educating me.
steve
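Jim's diff above drops the selinux attribute from the named groups by hand. As an added example (not code from the thread or from the AIDE project), the POSIX shell functions below do the same rewrite mechanically over a whole aide.conf, including selection lines that use R or > directly, and then check that nothing still references selinux. The function names strip_selinux and selinux_refs are mine; the expansions for R and > are the ones in Jim's diff, and the expansion for L is taken from the aide.conf(5) manual for a build with acl and xattr support, which I assume matches the CentOS package.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AIDE project.
# Rewrites an aide.conf so that no group definition or selection line asks
# for the selinux attribute (what Jim's diff does by hand for the named
# groups). Built-in groups are expanded because, in a WITH_SELINUX build,
# R, L and > include selinux: R and > use the expansions from Jim's diff,
# L follows the aide.conf(5) manual for an acl+xattr build (assumption).

# strip_selinux: read an aide.conf on stdin, write the rewritten file to stdout.
strip_selinux() {
  awk '
    BEGIN {
      grp["R"] = "p+i+n+u+g+s+m+c+acl+xattrs+md5"
      grp["L"] = "p+i+n+u+g+acl+xattrs"
      grp[">"] = "p+u+g+i+n+S+acl+xattrs"
    }
    # Does this attribute expression mention selinux or a built-in group?
    function needs_rewrite(expr,    n, parts, i) {
      n = split(expr, parts, "[+]")
      for (i = 1; i <= n; i++)
        if (parts[i] == "selinux" || parts[i] in grp) return 1
      return 0
    }
    # Expand built-in groups and drop the selinux token.
    function rewrite(expr,    n, parts, i, tok, out) {
      n = split(expr, parts, "[+]")
      out = ""
      for (i = 1; i <= n; i++) {
        tok = parts[i]
        if (tok == "selinux") continue
        if (tok in grp) tok = grp[tok]
        out = (out == "") ? tok : (out "+" tok)
      }
      return out
    }
    # Group definition: NAME = expr. Config options such as database=...
    # also match here but are left alone: their values carry no
    # selinux/R/L/> token, so needs_rewrite is false for them.
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
      eq = index($0, "=")
      name = substr($0, 1, eq - 1); gsub(/[ \t]+$/, "", name)
      rhs = substr($0, eq + 1);     gsub(/^[ \t]+|[ \t]+$/, "", rhs)
      if (needs_rewrite(rhs)) { print name " = " rewrite(rhs); next }
      print; next
    }
    # Selection line: /path expr or =/path expr (a bare !/path has no expr).
    $0 ~ "^[/!=]" && NF >= 2 {
      if (needs_rewrite($2)) { print $1 " " rewrite($2); next }
      print; next
    }
    { print }
  '
}

# selinux_refs: print, with line numbers, every non-comment line that still
# contains a selinux token. Exit status 0 when some remain, 1 when none do,
# so it doubles as a check after editing the file by hand.
selinux_refs() {
  awk '
    !/^[ \t]*#/ && /(^|[+= \t])selinux([+ \t]|$)/ { found = 1; print NR ": " $0 }
    END { exit found ? 0 : 1 }
  '
}

# Usage (assumes the stock /etc/aide.conf path from the thread):
#   strip_selinux < /etc/aide.conf > /etc/aide.conf.noselinux
#   selinux_refs < /etc/aide.conf.noselinux || echo "no selinux attributes left"
```

Run it against a copy of the stock file as in the usage comment, install the result as /etc/aide.conf (with that extension, as Steve's later mix-up shows), then regenerate the database with aide --init. Comment lines are deliberately left untouched by both functions, so the commented-out defaults in the stock file stay as documentation.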
On Thu, Apr 10, 2008 at 11:26 AM, Steve Campbell campbell@cnpapers.com wrote:
I tried the new config file - the downloaded one - and it still gives me the errors. I then went through and removed the xattr options on all of them, with no luck still. I have not run the --check yet.
Did you remove the existing db from /var/lib/aide/ ? Is selinux still off/disabled?
Thanks for all your time. I really do appreciate the fact you're educating me.
No worries. I needed to add that bit to my aide page anyway. So far I've pretty well completely ignored folks with selinux disabled.
Jim Perrin wrote:
On Thu, Apr 10, 2008 at 11:26 AM, Steve Campbell campbell@cnpapers.com wrote:
I tried the new config file - the downloaded one - and it still gives me the errors. I then went through and removed the xattr options on all of them, with no luck still. I have not run the --check yet.
Did you remove the existing db from /var/lib/aide/ ? Is selinux still off/disabled?
No, I didn't. But after I did, and reran --init, I am not seeing the errors. I was under the impression that --init didn't care what was in a previous db file, and that it was creating a new one. I'll run this to completion, and fix it to match the system, then let you know the final (hopefully) results.
Thanks again.
steve
Thanks for all your time. I really do appreciate the fact you're educating me.
No worries. I needed to add that bit to my aide page anyway. So far I've pretty well completely ignored folks with selinux disabled.
Sorry, I goofed on the last test. I named your downloaded file .config instead of .conf. I was getting it mixed up with the selinux config file.
Slow brain today.
Looks like it would have worked with just the --init.
steve
Jim Perrin wrote:
On Thu, Apr 10, 2008 at 11:26 AM, Steve Campbell campbell@cnpapers.com wrote:
I tried the new config file - the downloaded one - and it still gives me the errors. I then went through and removed the xattr options on all of them, with no luck still. I have not run the --check yet.
Did you remove the existing db from /var/lib/aide/ ? Is selinux still off/disabled?
Thanks for all your time. I really do appreciate the fact you're educating me.
No worries. I needed to add that bit to my aide page anyway. So far I've pretty well completely ignored folks with selinux disabled.
On 4/10/08, Steve Campbell campbell@cnpapers.com wrote:
Jim,
I tried the new config file - the downloaded one - and it still gives me the errors. I then went through and removed the xattr options on all of them, with no luck still. I have not run the --check yet.
OK, so what if I enable permissive mode just to get the extra attributes on all the files, and do all the stuff needed to relabel the files? Will I see any difference in what I have other than the extended attributes? Since this server will go full time production real soon, I don't want to cause any surprises for me or the users, and I don't have the time to learn selinux admin and configuration in a short time either. I know, that sounds lazy, but I just have a full plate at the moment, sorry.
Thanks for all your time. I really do appreciate the fact you're educating me.
steve
Hi Steve
I always used to disable selinux until ~3 months ago. I now have selinux enabled but set on permissive for my dev servers and enforcing on production. I have several servers at home where I went from disabled to permissive with no problems. YMMV.
There will be no difference to your filesystem other than the extended attributes being applied.
You can see the change using the -Z switch for commands like ls and ps.
You should have no problems at all.
I also use auditd to collect the AVCs that permissive generates.
Russell Coker's root-as-guest user play machine demo just kinda blew me away conceptually.
mike
Thanks all for the assistance. I'm going to put the machine into full production today (a necessity). I'll reconfigure the system and hope for the best. As it is now, AIDE is working fine.
steve
Michael Simpson wrote:
On 4/10/08, Steve Campbell campbell@cnpapers.com wrote:
Jim,
I tried the new config file - the downloaded one - and it still gives me the errors. I then went through and removed the xattr options on all of them, with no luck still. I have not run the --check yet.
OK, so what if I enable permissive mode just to get the extra attributes on all the files, and do all the stuff needed to relabel the files? Will I see any difference in what I have other than the extended attributes? Since this server will go full time production real soon, I don't want to cause any surprises for me or the users, and I don't have the time to learn selinux admin and configuration in a short time either. I know, that sounds lazy, but I just have a full plate at the moment, sorry.
Thanks for all your time. I really do appreciate the fact you're educating me.
steve
Hi Steve
I always used to disable selinux until ~3 months ago. I now have selinux enabled but set on permissive for my dev servers and enforcing on production. I have several servers at home where I went from disabled to permissive with no problems. YMMV.
There will be no difference to your filesystem other than the extended attributes being applied.
You can see the change using the -Z switch for commands like ls and ps.
You should have no problems at all.
I also use auditd to collect the AVCs that permissive generates.
Russell Coker's root-as-guest user play machine demo just kinda blew me away conceptually.
mike
On Fri, Apr 11, 2008 at 8:35 AM, Steve Campbell campbell@cnpapers.com wrote:
Thanks all for the assistance. I'm going to put the machine into full production today (a necessity). I'll reconfigure the system and hope for the best. As it is now, AIDE is working fine.
Hey, gave me a chance to learn a little more about aide too!
On Thu, Apr 10, 2008 at 8:51 AM, Steve Campbell campbell@cnpapers.com wrote:
I'm not sure I can do the reboot today as I have had to put the server into a temporary production status.
Well, this is in fact selinux related.
Test 1 reports:
[root@test ~]# getenforce
Permissive
[root@test ~]# aide --init
AIDE, version 0.13.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
Test 2 reports:
[root@test ~]# getenforce
Disabled
[root@test ~]# aide --init
lgetfilecon_raw failed for /etc/smartd.conf:No data available
lgetfilecon_raw failed for /etc/lvm/cache/.cache:No data available
lgetfilecon_raw failed for /etc/blkid/blkid.tab.old:No data available
lgetfilecon_raw failed for /etc/blkid/blkid.tab:No data available
lgetfilecon_raw failed for /var/log/nagios/status.dat:No data available
So I was wrong, it does require selinux to at least be in permissive mode to complete without error. I'm currently checking now to see if aide still generates a usable db with selinux off.
On 4/10/08, Steve Campbell campbell@cnpapers.com wrote:
Thanks Mike,
I'm not sure I can do the reboot today as I have had to put the server into a temporary production status.
The thing that is sort of bothering me, though, is that so much trouble occurs because of selinux when trying to use aide RPMs. Might I not try and generate my own rpms without selinux support or just compile from source? Is there a way I can disable the selinux stuff when using the Centos rpms? I'm still not hearing a definitive answer that selinux is the culprit here and modifying filesystems for a test is a little extreme.
I appreciate the help so far, though, and don't mean to sound ungrateful.
steve
Hi Steve
I see what you mean.
http://bugs.centos.org/view.php?id=1973
This was meant to be sorted by aide 0.13.1. I suppose that aide is just going that wee bit further with regards to security by checking for changes in selinux file contexts
If a file (or process / object) has its context changed then it could signify an attack especially if you are running the box in enforcing mode.
I had thought that aide had been patched to allow for null contexts if compiled to look for them.
I just changed from running selinux in disabled mode on my production systems to running with selinux enabled (initially in permissive mode to check for problems then moving to enforcing once the wrinkles were ironed out).
My main reason for doing so is that we are developing an electronic patient record for the NHS. I think selinux is fantastic.
http://www.coker.com.au/selinux/play.html
still not hearing a definitive answer that selinux is the culprit here and modifying filesystems for a test is a little extreme.
it's more about adding extended attributes to the existing filesystem
mike