I just came across a user who tried to view a Word document on a CentOS5 machine, and it seems that desktop, firefox etc. are trying to view it with Scribus instead of OpenOffice.
This needs to change. Is there a system-wide setting for it?
On the older, RHEL3 systems we used to have mozplugger, but it's not available in the standard CentOS repositories or rpmforge. What are we supposed to use now? I have one CentOS box here that has mozplugger installed, but I don't know where that came from, it's not in the yum log files.
lhecking@users.sourceforge.net wrote:
I just came across a user who tried to view a Word document on a CentOS5 machine, and it seems that desktop, firefox etc. are trying to view it with Scribus instead of OpenOffice.
This needs to change. Is there a system-wide setting for it?
On the older, RHEL3 systems we used to have mozplugger, but it's not available in the standard CentOS repositories or rpmforge. What are we supposed to use now? I have one CentOS box here that has mozplugger installed, but I don't know where that came from, it's not in the yum log files.
Hi,
Not sure if this is what you need, but if you are using KDE there is a place to set up file association. It is under the Control Center. Not sure about with Gnome, but there should be some way to do it. Try Googling for file association with Gnome.
HTH. Lee Perez
Have I mentioned that I am less than enthralled with selinux?
My latest issue is continuing messages in the /var/log/messages, which complain, for example, that siteminder can't write to smagent log (well, it can, since we've got selinux in permissive mode, and no, we have no control over using either siteminder or selinux).
I've done what it says will solve the problem. A number of times. Discussing it with my manager, it seems as though selinux DOES NOT HAVE CORRECT ERROR HANDLING, and is falling through to a default error, and is *not* telling me the true cause.
Anyone else seen this? Clues for the poor? (And please, if you're going to say anything about getting rid of either, just don't: as I said, we have *zero* control over what the security people, or upper management, demand.)
mark
Quoting m.roth@5-cent.us:
Have I mentioned that I am less than enthralled with selinux?
My latest issue is continuing messages in the /var/log/messages, which complain, for example, that siteminder can't write to smagent log (well, it can, since we've got selinux in permissive mode, and no, we have no control over using either siteminder or selinux).
I've done what it says will solve the problem. A number of times. Discussing it with my manager, it seems as though selinux DOES NOT HAVE CORRECT ERROR HANDLING, and is falling through to a default error, and is *not* telling me the true cause.
What is the error?
Running sealert. Let's start with...
<snip> SELinux prevented httpd reading and writing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to <snip>
and respond with
# getsebool -a | grep unified
httpd_unified --> on
Then we can go to:
<...> avc: denied { write } for pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Do you need more info?
mark
On Wed, Oct 7, 2009 at 11:45 AM, m.roth@5-cent.us wrote:
Quoting m.roth@5-cent.us:
Have I mentioned that I am less than enthralled with selinux?
My latest issue is continuing messages in the /var/log/messages, which complain, for example, that siteminder can't write to smagent log (well, it can, since we've got selinux in permissive mode, and no, we have no control over using either siteminder or selinux).
I've done what it says will solve the problem. A number of times. Discussing it with my manager, it seems as though selinux DOES NOT HAVE CORRECT ERROR HANDLING, and is falling through to a default error, and is *not* telling me the true cause.
What is the error?
Running sealert. Let's start with...
<snip> SELinux prevented httpd reading and writing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to <snip>
and respond with
# getsebool -a | grep unified
httpd_unified --> on
Then we can go to:
<...> avc: denied { write } for pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Do you need more info?
mark
Don't know selinux.
When I have had init scripts write to new /var/log/ log files, I had to change them to be system_t or it would fail. Files under /tmp/ had to have a special label as well. So I wonder if you tried changing the log file to the system_t context and it also fails. Wouldn't it have to have both the system and http context? I went as far as building se modules, which is actually very easy when you find the few instructions, but it had to be rebuilt with each new kernel.
On Wed, Oct 7, 2009 at 11:45 AM, m.roth@5-cent.us wrote:
Quoting m.roth@5-cent.us:
Have I mentioned that I am less than enthralled with selinux?
My latest issue is continuing messages in the /var/log/messages, which complain, for example, that siteminder can't write to smagent log
<snip>
Then we can go to: <...> avc: denied { write } for pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Don't know selinux.
Wish I didn't have to....
When I have had init scripts write to new /var/log/ log files, I had to change them to be system_t or it would fail. Files under /tmp/ had to have a special label as well. So I wonder if you tried changing the log file to the system_t context and it also fails. Wouldn't it have to have both the system and http context? I went as far as
I've set the role, user, and context of both LLAWP (siteminder), and the logfile, identical to another server that does *not* complain.
You begin to see my frustration, esp. when I have to skim through logs that have a dozen, or two dozen, of these (and others) every hour, to find other more important messages. <snip> mark
m.roth@5-cent.us wrote:
You begin to see my frustration, esp. when I have to skim through logs that have a dozen, or two dozen, of these (and others) every hour, to find other more important messages.
How about log filtering? Since you're in such a high security environment to need SELinux I can't imagine you don't have some sort of log management tool such as Splunk or something similar. I'm still in the midst of a Splunk deployment and have it stripping a bunch of useless stuff out of the logs, also have syslog-ng dropping a ton of useless crap as well.
I used to manage a pair of Siteminder systems several years ago, your email got me curious and I poked around to see if they were still alive, and yes they are and still running the good ol' Apache 1.3.27 probably on RHEL 2.1 still! Funny they haven't upgraded it, it's not like they process credit cards or anything, oh wait... they do. Oh well! Not my problem :)
nate
m.roth@5-cent.us wrote:
You begin to see my frustration, esp. when I have to skim through logs that have a dozen, or two dozen, of these (and others) every hour, to find other more important messages.
How about log filtering? Since you're in such a high security environment to need SELinux I can't imagine you don't have some sort of log management tool such as Splunk or something
I've never used it, though I know of it. I'd have to convince my manager, and I dunno if he'd have to convince his boss or not.... And I don't know how the security group feels about that. (And before you say more, I'll tell you that I work for a contractor for the feds.)
Hell, I'd love to be able to pipe the freakin' logs through grep <g>
similar. I'm still in the midst of a Splunk deployment and have it stripping a bunch of useless stuff out of the logs,
At some point, I want to *solve* the problem, and make it Go Away forever. <snip>
I used to manage a pair of Siteminder systems several years ago, your email got me curious and I poked around to see if they were still alive, and yes they are and still running the good ol' Apache 1.3.27 probably on RHEL 2.1 still! Funny they haven't upgraded it, it's not like they process credit cards or anything, oh wait... they do. Oh well! Not my problem :)
Um, yeah, well, probably fairly soon, the card companies will come down on them like a ton of bricks. The first four months of this year, I was on a contract for a major provider of managed security services, including pen testing, for the card industry (as well as being a root CA), and I'll tell you that a *lot* of small merchants are going to wind up paying large companies to do their card processing, within a year or two, and that stuff that old will fail the pen testers, and they'll be scrambling to upgrade (so you might have more work from them, if you're interested...)
mark
Then we can go to: <...> avc: denied { write } for pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
When selinux is configured for permissive mode, the action is permitted, but selinux still logs a denial message -- if the mode is set to "enforcing" then the action itself would be denied and a denial message would be logged. Permissive mode shows you what things would be denied, but doesn't actually deny them.
Basically, what's happening with your siteminder app is that the selinux policy doesn't permit the source executable context to write to the smagent.log file due to the file's context.
Check out http://www.linuxforums.org/articles/accomodating-avc-denied-messages-selinux...
This explains how to decipher the denial message and how to use audit2allow to specifically permit your application to write to the appropriate log file.
HTH,
M
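The reading of the denial described in the reply above, as an added example that is not part of the original thread: it parses AVC lines, derives the type-enforcement rule an audit2allow-style tool would propose for each, and counts repeats so a noisy log collapses to its distinct denials. The function names are hypothetical; the first sample line is the one quoted in the thread, the others are constructed.

```python
import re
from collections import Counter

# Denial quoted in the thread, verbatim (the inode is elided there as well).
PAGE_AVC = ('avc: denied { write } for pid=5898 comm="LLAWP" '
            'path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever> '
            'scontext=root:system_r:httpd_t:s0 '
            'tcontext=root:object_r:httpd_log_t:s0 tclass=file')

# Constructed sample log: the same denial twice plus one made-up denial.
SAMPLE_LOG = "\n".join([
    PAGE_AVC,
    PAGE_AVC.replace("pid=5898", "pid=6120"),
    'avc: denied { read write } for pid=6001 comm="LLAWP" name="sm.lock" '
    'dev=sda3 ino=1234 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:object_r:tmp_t:s0 tclass=file',
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(context):
    """A context is user:role:type[:level]; policy rules are written on the type."""
    return context.split(":")[2]

def te_rule(avc):
    """Rule that would permit the denied access: source type, target type, class, perms."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (context_type(avc["scontext"]),
                                   context_type(avc["tcontext"]),
                                   avc["tclass"], perm_str)

def summarize(log_text):
    """Count how often each distinct denial (expressed as its rule) occurs."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return Counter(te_rule(avc) for avc in parsed if avc)

if __name__ == "__main__":
    for rule, count in summarize(SAMPLE_LOG).most_common():
        print(count, rule)
```

A rule of this form applies to every process running in the source type, not only to the one program named in `comm`, so read it before building it into a module.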
On Wed, Oct 7, 2009 at 10:48 AM, Lee Perez leecajun@windstream.net wrote:
lhecking@users.sourceforge.net wrote:
I just came across a user who tried to view a Word document on a CentOS5 machine, and it seems that desktop, firefox etc. are trying to view it with Scribus instead of OpenOffice.
This needs to change. Is there a system-wide setting for it?
On the older, RHEL3 systems we used to have mozplugger, but it's not available in the standard CentOS repositories or rpmforge. What are we supposed to use now? I have one CentOS box here that has mozplugger installed, but I don't know where that came from, it's not in the yum log files.
Hi,
Not sure if this is what you need, but if you are using KDE there is a place to set up file association. It is under the Control Center. Not sure about with Gnome, but there should be some way to do it. Try Googling for file association with Gnome.
HTH. Lee Perez
I use GNOME 99% of the time (CentOS 5.3 32 bit). I have never seen this. If the box has GNOME on it, in Nautilus, if you right click on the file name, it gives you the opportunity to select another app to open the file with. I have OO 3.1 installed.
It looks like I found the config in ~/.local/share/applications. Will wipe the user's desktop config files and prefs and let Gnome recreate them.