> Quoting m.roth at 5-cent.us: > >> Have I mentioned that I am less than enthralled with selinux? >> >> My latest issue is continuing messages in the /var/log/messages, which >> complain, for example, that siteminder can't write to smagent log (well, >> it can, since we've got selinux in permissive mode, and no, we have no >> control over using either siteminder or selinux). >> >> I've done what it says will solve the problem. A number of times. >> Discussing it with my manager, it seems as though selinux DOES NOT HAVE >> CORRECT ERROR HANDLING, and is falling through to a default error, and >> is >> *not* telling me the true cause. > > What is the error? > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > Running sealert. let's start with... <snip> SELinux prevented httpd reading and writing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to <snip> and respond with # getsebool -a | grep unified httpd_unified --> on Then we can go to: <...> avc: denied { write } for pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file Do you need more info? mark