[CentOS] selinux...

m.roth at 5-cent.us
Wed Oct 7 16:45:29 UTC 2009

> Quoting m.roth at 5-cent.us:
>> Have I mentioned that I am less than enthralled with selinux?
>> My latest issue is continuing messages in the /var/log/messages, which
>> complain, for example, that siteminder can't write to smagent log (well,
>> it can, since we've got selinux in permissive mode, and no, we have no
>> control over using either siteminder or selinux).
>> I've done what it says will solve the problem. A number of times.
>> Discussing it with my manager, it seems as though selinux DOES NOT HAVE
>> CORRECT ERROR HANDLING, and is falling through to a default error, and is
>> *not* telling me the true cause.
> What is the error?
Running sealert. Let's start with...
SELinux prevented httpd reading and writing access to http files. Ordinarily
httpd is allowed full access to all files labeled with http file context.
machine has a tightened security policy with the httpd_unified turned off,
requires explicit labeling of all files. If a file is a cgi script it needs to
and respond with
# getsebool -a | grep unified
httpd_unified --> on

Then we can go to:
<...> avc:  denied  { write } for  pid=5898 comm="LLAWP"
path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever>
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0

Do you need more info?
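
As an added example that is not part of the original post: a small Python parser for the AVC denial quoted above, pulling out the denied permission, the process, the path and the source and target types. The function names are illustrative, and the sample is the post's own message with its wrapped lines joined and its elisions kept.

```python
import re

# The denial quoted in the post, wrapped lines joined; the elided parts
# ("<...>", "<whatever>") are kept exactly as posted.
SAMPLE = (
    '<...> avc:  denied  { write } for  pid=5898 comm="LLAWP" '
    'path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever> '
    'scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    return dict(zip(('user', 'role', 'type', 'level'), ctx.split(':', 3)))


def parse_avc(text):
    """Return a dict for one AVC message, or None if the text holds none."""
    # Collapse whitespace so a message wrapped by a mail client still parses.
    m = AVC_RE.search(' '.join(text.split()))
    if m is None:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        'result': result,
        'perms': perms.split(),
        'fields': fields,
        # Either context may be missing from a truncated excerpt.
        'source': split_context(fields['scontext']) if 'scontext' in fields else None,
        'target': split_context(fields['tcontext']) if 'tcontext' in fields else None,
    }


def summarize(rec):
    """One-line triage summary: which domain was denied what, on which type."""
    return '{src} {result} {{ {perms} }} on {tgt} path={path} tclass={tclass}'.format(
        src=(rec['source'] or {}).get('type', '?'),
        tgt=(rec['target'] or {}).get('type', '?'),
        result=rec['result'], perms=' '.join(rec['perms']),
        path=rec['fields'].get('path', '?'),
        tclass=rec['fields'].get('tclass', 'unknown'),  # absent in the excerpt
    )


if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE)))
```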

