[CentOS] selinux...

Wed Oct 7 17:59:07 UTC 2009
m.roth at 5-cent.us <m.roth at 5-cent.us>

> On Wed, Oct 7, 2009 at 11:45 AM,  <m.roth at 5-cent.us> wrote:
>>> Quoting m.roth at 5-cent.us:
>>>
>>>> Have I mentioned that I am less than enthralled with selinux?
>>>>
>>>> My latest issue is continuing messages in the /var/log/messages, which
>>>> complain, for example, that siteminder can't write to smagent log
<snip>
>> Then we can go to:
>> <...> avc:  denied  { write } for  pid=5898 comm="LLAWP"
>> path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever>
>> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0
>> tclass=file
>
> Don't know selinux.

Wish I didn't have to....
>
> When I have had init scripts write to new /var/log/ log files, I had
> to change them to be system_t or it would fail.  Files under /tmp/ had
> to have a special label as well.  So I wonder if you tried changing
> the log file to the system_t context and it also fails.  Wouldn't it
> have to have both the system and http context?  I went as far as

I've set the role, user, and context of both LLAWP (siteminder), and the
logfile, identical to another server that does *not* complain.

You begin to see my frustration, esp. when I have to skim through logs
that have a dozen, or two dozen, of these (and others) every hour, to find
other more important messages.
<snip>
       mark
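Added example (mine, not from anyone in this thread): a short Python script that parses AVC lines of the shape quoted above, collapses the repeats so a dozen identical denials per hour become one summary row, and flags the case where a *_log_t file is asked for write rather than append. That distinction matters here: the stock apache policy lets httpd_t create and append to httpd_log_t files but does not grant plain write, so a { write } denial on a log usually means the program opened it without O_APPEND, and two servers with identical labels can still differ in whether that denial shows up (a local policy module or permissive mode on the quiet one, for instance). The sample log lines are constructed; the hostname, pids, inodes and the user_home_t line are made up for illustration.

```python
"""Triage SELinux AVC denials copied into /var/log/messages.

Added example, not code from the thread. Groups repeated denials by
(source type, target type, object class, permissions) and flags a
{ write } request on a *_log_t file, since logs are normally appended.
"""
import re
from collections import Counter

# Constructed sample lines (host, pids, inodes invented), shaped like the
# syslog copy of an AVC record. The last line is not an AVC record at all.
SAMPLE_LINES = [
    'Oct  7 12:01:02 web1 kernel: audit(1254916862.101:41): avc:  denied  { write } for  pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file',
    'Oct  7 12:01:02 web1 kernel: audit(1254916862.102:42): avc:  denied  { write } for  pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file',
    'Oct  7 12:06:30 web1 kernel: audit(1254917190.004:43): avc:  denied  { write } for  pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file',
    'Oct  7 12:07:11 web1 kernel: audit(1254917231.550:44): avc:  denied  { read write } for  pid=6001 comm="httpd" name="site.conf" dev=sda3 ino=22222 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file',
    'Oct  7 12:07:12 web1 sshd[6100]: Accepted publickey for mark from 192.0.2.10 port 51000 ssh2',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# user:role:type[:level]; the level may itself contain colons (MLS ranges)
CTX_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+)(?::(?P<level>.*))?$")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"),
           "perms": tuple(sorted(m.group("perms").split()))}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    for side in ("scontext", "tcontext"):
        ctx = CTX_RE.match(rec.get(side, ""))
        rec[side + "_type"] = ctx.group("type") if ctx else None
    return rec


def summarize(lines):
    """Count denials keyed by (source type, target type, class, perms)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            counts[(rec["scontext_type"], rec["tcontext_type"],
                    rec.get("tclass"), rec["perms"])] += 1
    return counts


def write_without_append(tcontext_type, tclass, perms):
    """True when a log-typed file is requested for write but not append."""
    return (tclass == "file"
            and (tcontext_type or "").endswith("_log_t")
            and "write" in perms
            and "append" not in perms)


def report(lines):
    """One text row per distinct denial, most frequent first."""
    rows = []
    for (src, tgt, cls, perms), n in summarize(lines).most_common():
        note = ""
        if write_without_append(tgt, cls, perms):
            note = "  <- write (not append) on a log type; file opened without O_APPEND?"
        rows.append("%4d  %s -> %s  %s { %s }%s" % (n, src, tgt, cls, " ".join(perms), note))
    return rows


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Feed it `grep avc: /var/log/messages` (or the audit.log) and the three identical smagent.log lines collapse to one row with a count, which makes the other, rarer denials visible. The flag is only a hint: whether the denial is expected still has to be confirmed against the loaded policy on the two servers (and whether either one is permissive) before deciding between fixing the open() flags, relabeling, or a local policy module.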