[CentOS] selinux...

Wed Oct 7 17:18:16 UTC 2009
Rob Townley <rob.townley at gmail.com>

On Wed, Oct 7, 2009 at 11:45 AM,  <m.roth at 5-cent.us> wrote:
>> Quoting m.roth at 5-cent.us:
>>> Have I mentioned that I am less than enthralled with selinux?
>>> My latest issue is continuing messages in the /var/log/messages, which
>>> complain, for example, that siteminder can't write to smagent log (well,
>>> it can, since we've got selinux in permissive mode, and no, we have no
>>> control over using either siteminder or selinux).
>>> I've done what it says will solve the problem. A number of times.
>>> Discussing it with my manager, it seems as though selinux DOES NOT HAVE
>>> CORRECT ERROR HANDLING, and is falling through to a default error, and
>>> is
>>> *not* telling me the true cause.
>> What is the error?
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
> Running sealert. let's start with...
> <snip>
> SELinux prevented httpd reading and writing access to http files. Ordinarily
> httpd is allowed full access to all files labeled with http file context.
> This
> machine has a tightened security policy with the httpd_unified turned off,
> this
> requires explicit labeling of all files. If a file is a cgi script it
> needs to
> <snip>
> and respond with
> # getsebool -a | grep unified
> httpd_unified --> on
> Then we can go to:
> <...> avc:  denied  { write } for  pid=5898 comm="LLAWP"
> path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever>
> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0
> tclass=file
> Do you need more info?
>         mark
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Don't know selinux.

when i have had init scripts write to new /var/log/ log files , i had
to change them to be system_t or it would fail.  Files under /tmp/ had
to have a special label as well.  So i wonder if you tried changing
the log file to the system_t context and it also fails.  Wouldn't it
have to have both the system and http context?  i went as far as
building se modules which is actually very easy when you find the few
instructions, but it had to rebuilt with each new kernel.