[CentOS] selinux...

Wed Oct 7 16:45:29 UTC 2009
m.roth at 5-cent.us <m.roth at 5-cent.us>

> Quoting m.roth at 5-cent.us:
>
>> Have I mentioned that I am less than enthralled with selinux?
>>
>> My latest issue is continuing messages in the /var/log/messages, which
>> complain, for example, that siteminder can't write to smagent log (well,
>> it can, since we've got selinux in permissive mode, and no, we have no
>> control over using either siteminder or selinux).
>>
>> I've done what it says will solve the problem. A number of times.
>> Discussing it with my manager, it seems as though selinux DOES NOT HAVE
>> CORRECT ERROR HANDLING, and is falling through to a default error, and
>> is *not* telling me the true cause.
>
> What is the error?
>
Running sealert. Let's start with...
<snip>
SELinux prevented httpd reading and writing access to http files. Ordinarily
httpd is allowed full access to all files labeled with http file context. This
machine has a tightened security policy with the httpd_unified turned off, this
requires explicit labeling of all files. If a file is a cgi script it needs to
<snip>
and respond with
# getsebool -a | grep unified
httpd_unified --> on

Then we can go to:
<...> avc:  denied  { write } for  pid=5898 comm="LLAWP"
path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever>
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0
tclass=file

Do you need more info?

         mark
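For triaging denials like the one quoted above, here is an added example (not from the thread or from CentOS) that parses AVC records out of /var/log/messages and groups them by source type, target type, class and permission; the sample log lines are constructed, with made-up pids, inodes and hostnames, in the format the post shows.

```python
import re
from collections import Counter

# Constructed sample /var/log/messages lines in the AVC format quoted in the
# thread; hostnames, pids, inodes and the sshd line are made up.
SAMPLE_LOG = """\
Oct  7 16:40:01 web1 kernel: audit(1254933601.123:45): avc:  denied  { write } for  pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Oct  7 16:40:02 web1 kernel: audit(1254933602.456:46): avc:  denied  { append } for  pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Oct  7 16:40:03 web1 kernel: audit(1254933603.789:47): avc:  denied  { read } for  pid=6001 comm="httpd" name="index.html" dev=sda3 ino=22222 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
Oct  7 16:40:04 web1 sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 55555 ssh2
"""

AVC_RE = re.compile(r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type[:range]; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def summarize_denials(log_text):
    """Count denials by (source type, target type, class, permission); remember one path per key."""
    counts = Counter()
    paths = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)
            counts[key] += 1
            paths.setdefault(key, rec.get("path") or rec.get("name"))
    return counts, paths


if __name__ == "__main__":
    counts, paths = summarize_denials(SAMPLE_LOG)
    for (src, tgt, cls, perm), n in counts.most_common():
        print(f"{n:3d}  {src} -> {tgt} ({cls}:{perm})  e.g. {paths[(src, tgt, cls, perm)]}")
```

The grouped (source type, target type, class, permission) tuples are the same keys a policy rule or a file-context fix would address, so repeated identical tuples after a relabel point at the label or boolean rather than at the file.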