[Arm-dev] Anyone running named on armv7 with selinux?

Fri Feb 3 15:59:56 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>


On 02/03/2017 09:05 AM, Gordan Bobic wrote:
> On Fri, Feb 3, 2017 at 1:58 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>     Gordan,
>
>     One would think that, but there is something off with at least the
>     CubieTruck build.  I will check that all those rpms are installed
>     (pretty sure they are), but when I set up a web server with
>     personal directories, I got permission errors on listing the
>     files, but no problem displaying individual files. Plus there are
>     all these SELinux warnings I am getting that seem to indicate
>     something is amiss.
>
>     I am reaching the point of focusing on Fedora server for now.  I
>     had hopes of pushing Centos7-arm in a couple of business venues.
>
> Are you certain it is an SELinux problem, and if so, are parent 
> directory labels correct?
> The symptoms you are describing seem more typically indicative of an 
> Apache configuration problem.
> Do tail -f on /var/log/audit/audit.log and see what appears there. If 
> there is a SELinux violation, it will show up in there.

OK.  Here goes.  I attached my web server drive to my CubieTruck; I had 
left this drive all ready to go into production.  SELinux enforced and 
all that.  When I started up the tail, a bunch of messages were sent to 
the console.  I then attempted to access one of my directories:

http://medon.htt-consult.com/~rgm/cubieboard/

Note that this is a public server, and you too could try this, for as 
long as I have the server running on this address.

I got:

Forbidden

You don't have permission to access /~rgm/cubieboard/ on this server.

and all of the tail messages are:

# tail -f on /var/log/audit/audit.log
tail: cannot open 'on' for reading: No such file or directory
==> /var/log/audit/audit.log <==
type=SERVICE_STOP msg=audit(69.095:94): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 
msg='unit=systemd-readahead-done comm="systemd" 
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1486134062.358:95): pid=1760 uid=0 
auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting 
grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" 
hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1486134062.363:96): pid=1760 uid=0 
auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? 
addr=? terminal=cron res=success'
type=LOGIN msg=audit(1486134062.363:97): pid=1760 uid=0 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 
old-ses=4294967295 ses=2 res=1
type=USER_START msg=audit(1486134062.513:98): pid=1760 uid=0 auid=0 
ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_open 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1486134062.528:99): pid=1760 uid=0 auid=0 ses=2 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? 
addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1486134062.773:100): pid=1760 uid=0 auid=0 
ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? 
addr=? terminal=cron res=success'
type=USER_END msg=audit(1486134062.783:101): pid=1760 uid=0 auid=0 ses=2 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SERVICE_START msg=audit(1486134482.523:102): pid=1 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 
msg='unit=systemd-tmpfiles-clean comm="systemd" 
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1486134482.528:103): pid=1 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 
msg='unit=systemd-tmpfiles-clean comm="systemd" 
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486137172.395:104): avc:  denied  { read } for 
pid=1866 comm="httpd" name="cubieboard" dev="sda3" ino=262190 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir 
permissive=0
type=SYSCALL msg=audit(1486137172.395:104): arch=40000028 syscall=322 
per=800000 success=no exit=-13 a0=ffffff9c a1=7f844440 a2=a4800 a3=0 
items=0 ppid=624 pid=1866 auid=4294967295 uid=48 gid=48 euid=48 suid=48 
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" 
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1486137172.395:104): 
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I know from earlier testing, if I interactively change SELinux to 
permissive, the directory display works.

So what is next to try?

Bob
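
The denial Bob pasted is three records (AVC, SYSCALL, PROCTITLE) that share audit serial 104 and were line-wrapped by the mail client. The following Python is an added example, not code from this thread or from any project: it re-groups audit.log records by serial, decodes the hex-encoded proctitle, names the errno behind exit=-13, and reports which source type was denied which permission on which target type, so the "is this really SELinux?" question can be answered from the log rather than guessed at. The sample log is constructed from the records above, re-joined to one record per line as auditd writes them; the hint_for rule table and all function names are my own and are not part of any SELinux tooling.

```python
"""Group SELinux audit records by serial and summarize AVC denials.

Added example for this thread; not code from the list or from any project.
Assumes one audit record per line, as auditd writes them.
"""
import errno
import re
from collections import defaultdict

# Constructed sample: the records pasted in the thread, re-joined so each
# record sits on one line (the mail client had wrapped them).
SAMPLE_LOG = """\
type=SERVICE_START msg=audit(1486134482.523:102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486137172.395:104): avc:  denied  { read } for  pid=1866 comm="httpd" name="cubieboard" dev="sda3" ino=262190 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1486137172.395:104): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=7f844440 a2=a4800 a3=0 items=0 ppid=624 pid=1866 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1486137172.395:104): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \}")


def parse_record(line):
    """Turn one audit.log line into a dict of its key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    body = m.group("body")
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    avc = AVC_RE.search(body)
    if avc:
        rec["verdict"] = avc.group("verdict")
        rec["perms"] = avc.group("perms").split()
    return rec


def context_type(ctx):
    """user:role:type:range -> type (also fine for MLS ranges like s0-s0:c0.c1023)."""
    return ctx.split(":")[2]


def decode_proctitle(value):
    """PROCTITLE is hex when argv contained NUL bytes; decode it, else keep as-is."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
    except ValueError:
        return value


def hint_for(src, tgt):
    """Next defensive check for a source/target type pair (hypothetical rule table)."""
    if src == "httpd_t" and tgt.endswith("content_t"):
        return ("httpd_t denied on a web-content type: review the httpd booleans "
                "(getsebool -a | grep httpd) and run audit2why on the record")
    return "run audit2why on the record; confirm labels with ls -Z / matchpathcon"


def summarize(log_text):
    """Return one summary per denied AVC, joined with its SYSCALL and PROCTITLE."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    out = []
    for serial, group in sorted(by_serial.items()):
        avc = group.get("AVC")
        if not avc or avc.get("verdict") != "denied":
            continue
        sc = group.get("SYSCALL", {})
        exit_code = int(sc.get("exit", "0"))
        src, tgt = context_type(avc["scontext"]), context_type(avc["tcontext"])
        out.append({
            "serial": serial, "ts": avc["ts"], "comm": avc.get("comm"),
            "perms": avc["perms"], "tclass": avc["tclass"],
            "name": avc.get("name"), "source_type": src, "target_type": tgt,
            # permissive=0 means the denial was actually enforced, not just logged
            "enforcing": avc.get("permissive") == "0",
            "syscall": sc.get("syscall"),
            "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
            "proctitle": decode_proctitle(group.get("PROCTITLE", {}).get("proctitle", "")),
            "hint": hint_for(src, tgt),
        })
    return out


if __name__ == "__main__":
    for d in summarize(SAMPLE_LOG):
        print(f"#{d['serial']} {d['comm']} denied {{ {' '.join(d['perms'])} }} on "
              f"{d['tclass']} '{d['name']}': {d['source_type']} -> {d['target_type']} "
              f"(enforcing={d['enforcing']}, errno={d['errno']}, argv={d['proctitle']!r})")
        print("  next:", d["hint"])
```

On the thread's records this reports a single enforced denial: httpd_t was refused `read` on the directory `cubieboard` labelled httpd_user_content_t, the syscall failed with EACCES, and the process was `/usr/sbin/httpd -DFOREGROUND`. `read` on a `dir` object is exactly what a directory listing needs, which lines up with files displaying while the index does not. The same script can be fed `tail -f /var/log/audit/audit.log` output line by line (the thread's command has a stray `on` argument in it; the real invocation takes the path directly).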
