[CentOS] selinux & httpd & portmap

Craig White craigwhite at azapple.com
Thu Jul 24 19:35:37 UTC 2008


On Thu, 2008-07-24 at 15:23 -0400, Toby Bluhm wrote:
> Having problems starting httpd & portmapper
> 
> #service httpd start
> /usr/sbin/httpd: error while loading shared libraries: libm.so.6: cannot 
> open shared object file: No such file or directory
> 
> and I traced it to selinux, which I had just turned on for the first time:
> 
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 21
> Policy from config file:        targeted
> 
> I can
> 
> #setsebool -P httpd_disable_trans on
> 
> and httpd starts - but there's zero enforcing now as I understand it.
> 
> Further digging & I get to:
> 
> # cat /var/log/audit/audit.log | audit2allow -m local
> 
> module local 1.0;
> 
> require {
>          type portmap_t;
>          type httpd_t;
>          type file_t;
>          class lnk_file read;
>          class file { getattr read execute };
> }
> 
> #============= httpd_t ==============
> allow httpd_t file_t:file { read getattr execute };
> allow httpd_t file_t:lnk_file read;
> 
> #============= portmap_t ==============
> allow portmap_t file_t:file { read getattr execute };
> allow portmap_t file_t:lnk_file read;
> 
> 
> Other stuff like postfix, postgrey, amavisd are working fine since 
> turning selinux on.
> 
> Before I make a mess of things with trying to make a new policy, 
> shouldn't two basic services like portmap & httpd already be allowed to 
> run out of the box by selinux?
> 
> If not, am I going down the right path to get it working?
----
If you just turned selinux on after running the computer with it
disabled, you really need to relabel the entire filesystem, which does
take some time. The reason is that files have been installed/created
without the appropriate contexts, and relabeling fixes that.

Suggest that you make sure you are fully updated, then
'touch /.autorelabel' then reboot (reboot at a time you choose because
it may take a long time to relabel every file on your system -
especially if you have a lot of files).

Craig
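The audit2allow output in the original post is the tell: both the httpd_t and portmap_t denials have file_t as the target type, which is the context an unlabeled file gets, so the fix is a relabel rather than a new policy module (writing an allow rule for file_t would let the daemons read any unlabeled file). The script below is an added example, not code from the thread or from CentOS; it triages AVC records by target type and keeps the relabel preview in a separate function. The three audit.log lines are constructed for the example (paths, pids and inode numbers are made up), and the optional preview function assumes the policycoreutils tools are installed.

```shell
#!/bin/sh
# Added example (not from the original thread): sort AVC denials into
# "relabel" (target type file_t, i.e. an unlabeled file) versus "policy"
# (any other target type, where a real policy gap may exist).

# Constructed sample audit.log records; the layout follows the kernel AVC
# format but the pids, inodes and paths are invented for this example.
SAMPLE_AVC='type=AVC msg=audit(1216929000.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="libm.so.6" dev=sda1 ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
type=AVC msg=audit(1216929000.456:46): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/lib/libm-2.5.so" dev=sda1 ino=124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1216929100.789:47): avc:  denied  { name_connect } for  pid=2400 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket'

# classify_avc: reads AVC records on stdin and prints one line per denial:
#   relabel <source domain> <path or name>   when the target type is file_t
#   policy  <source domain> <target type>    for everything else
classify_avc() {
    awk '
    /avc: *denied/ {
        dom = ""; ttype = ""; obj = "?"
        for (i = 1; i <= NF; i++) {
            # contexts look like user:role:type:level; field 3 is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); dom = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            if ($i ~ /^(path|name)=/) {
                obj = $i
                sub(/^(path|name)=/, "", obj)
                gsub(/"/, "", obj)
            }
        }
        if (ttype == "file_t") print "relabel", dom, obj
        else print "policy", dom, ttype
    }'
}

# relabel_needed: exit 0 if any denial on stdin involves an unlabeled file.
relabel_needed() {
    classify_avc | grep -q '^relabel '
}

# preview_relabel: dry-run restorecon on the given paths to see which labels
# would change, without modifying anything. Needs policycoreutils; the full
# fix for a whole filesystem is "touch /.autorelabel" and a reboot.
preview_relabel() {
    command -v restorecon >/dev/null 2>&1 || { echo "restorecon not installed" >&2; return 1; }
    restorecon -Rnv "$@"
}

# Demo on the constructed records (on a real box: classify_avc < /var/log/audit/audit.log)
printf '%s\n' "$SAMPLE_AVC" | classify_avc
```

On a live system, run `classify_avc < /var/log/audit/audit.log` before reaching for audit2allow: if every line comes back as "relabel", schedule the autorelabel reboot and leave the policy alone; only "policy" lines are candidates for a local module or a boolean. Note that `setsebool -P httpd_disable_trans on` does not fix the labels either, it just runs httpd unconfined.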