[CentOS] aide questions, please

Wed Apr 9 16:31:48 UTC 2008
Steve Campbell <campbell at cnpapers.com>

Jim Perrin wrote:
> On Wed, Apr 9, 2008 at 12:03 PM, Steve Campbell <campbell at cnpapers.com> wrote:
>>  Thanks Jim,
>>  Believe it or not, that's what I started out with.
>>  After running the entire --init/--check scenario again, I see in the log
>> files and the output, that all files get this message, and a normal output
>> of what should be there showing changed and unchanged files appear at the
>> bottom of the log. So what is this "lgetfilecon_raw failed for" showing up
>> for each file saying to me? Is it a verbosity setting, or something like
>> that?
> Mostly it's telling you that it can't get all the information about
> the files it's checking. Are you doing this as root? Are you certain
> that selinux is off? Have you modified any of the mount parameters
> with noexec or anything else?

Here's my mount list:

/dev/sda8 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda7 on /home type ext3 (rw)
/dev/sda9 on /opt type ext3 (rw)
/dev/sda5 on /tmp type ext3 (rw)
/dev/sda3 on /usr type ext3 (rw)
/dev/sdb1 on /usr/local type ext3 (rw)
/dev/sda2 on /var type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)

I have one smb mounted for full system backups. This box is pretty 
vanilla, as we run Thunderstone search engine on it. I believe that is 
the only mods to the box after install, and I don't think it changed 
anything else.

The aide --v looks like:

Aide 0.13.1

Compiled with the following options:

CONFIG_FILE = "/etc/aide.conf"

I ran the --init/--check with the default config originally, get the 
same output. I then tried "-selinux" on the options that included 
"+selinux" just for the hell of it. I don't know if that's ok or not. 
--check-config doesn't burp on it though.

My /etc/selinux/config file has SELINUX=disabled in it and always has.

At a loss, but thanks loads for the help and time.