On Wed, Oct 7, 2009 at 11:45 AM, <m.roth at 5-cent.us> wrote:
>> Quoting m.roth at 5-cent.us:
>>
>>> Have I mentioned that I am less than enthralled with selinux?
>>>
>>> My latest issue is continuing messages in the /var/log/messages, which
>>> complain, for example, that siteminder can't write to smagent log (well,
>>> it can, since we've got selinux in permissive mode, and no, we have no
>>> control over using either siteminder or selinux).
>>>
>>> I've done what it says will solve the problem. A number of times.
>>> Discussing it with my manager, it seems as though selinux DOES NOT HAVE
>>> CORRECT ERROR HANDLING, and is falling through to a default error, and
>>> is *not* telling me the true cause.
>>
>> What is the error?
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
> Running sealert. Let's start with...
> <snip>
> SELinux prevented httpd reading and writing access to http files. Ordinarily
> httpd is allowed full access to all files labeled with http file context.
> This machine has a tightened security policy with the httpd_unified turned
> off, this requires explicit labeling of all files. If a file is a cgi script
> it needs to
> <snip>
> and respond with
> # getsebool -a | grep unified
> httpd_unified --> on
>
> Then we can go to:
> <...> avc: denied { write } for pid=5898 comm="LLAWP"
> path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever>
> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0
> tclass=file
>
> Do you need more info?
>
> mark
>

Don't know selinux. When I have had init scripts write to new /var/log/ log files, I had to change them to be system_t or it would fail. Files under /tmp/ had to have a special label as well.
So I wonder whether you tried changing the log file to the system_t context and it also fails. Wouldn't it have to have both the system and http context? I went as far as building SE modules, which is actually very easy when you find the few instructions, but it had to be rebuilt with each new kernel.
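The thread turns on reading one AVC line and deciding between the two fixes it mentions: relabel the file, or build a local policy module. As an added example that is not part of the thread, the Python below parses an AVC denial of the form shown above (the inode is a constructed placeholder, since the post shows ino=<whatever>) into its fields and then does that triage: if the file's type label differs from what the path is expected to carry, the answer is a relabel (restorecon/chcon); if the label is already the expected one, the denial comes from the policy rules themselves, so relabelling will not help and a boolean or a local module is the next thing to look at. The EXPECTED_TYPE table and the triage function are assumptions for illustration; only the /var/log/httpd entry is taken from the thread's own tcontext.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the AVC line quoted in the thread, with the inode
# placeholder replaced by a made-up number so the line parses.
SAMPLE_AVC = (
    'avc: denied { write } for pid=5898 comm="LLAWP" '
    'path="/var/log/httpd/smagent.log" dev=sda3 ino=12345 '
    'scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 '
    'tclass=file'
)

# Constructed second sample: same event, but the log file carries a generic
# label, which is what a freshly created file in /var/log often ends up with.
SAMPLE_MISLABELLED = SAMPLE_AVC.replace("httpd_log_t", "var_log_t")

# Assumed local convention for which type a path should carry, keyed by
# path prefix. This is not the distribution policy; extend it from
# `semanage fcontext -l` or `matchpathcon` on the actual host.
EXPECTED_TYPE = {
    "/var/log/httpd/": "httpd_log_t",
}

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str
    perms: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @staticmethod
    def _type_of(context):
        # A context is user:role:type[:level]; the type is the third part.
        return context.split(":")[2]

    @property
    def source_type(self):
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self):
        return self._type_of(self.fields["tcontext"])


def parse_avc(line):
    """Parse one AVC line (with or without the audit 'type=AVC msg=...' prefix)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return AvcRecord(m.group("result"), perms, fields)


def expected_type_for(path):
    for prefix, type_name in EXPECTED_TYPE.items():
        if path.startswith(prefix):
            return type_name
    return None


def triage(rec):
    """Decide whether a denial points at a wrong label or at the policy itself.

    Returns (verdict, explanation) where verdict is 'relabel', 'policy' or
    'unknown'. The verdict logic is an assumption about how to read these
    records, not something SELinux tooling itself reports.
    """
    path = rec.fields.get("path")
    expected = expected_type_for(path) if path else None
    what = f"{rec.source_type} {' '.join(rec.perms)} {rec.fields.get('tclass')} {path}"
    if expected is None:
        return "unknown", f"{what}: no expected label known for this path"
    if rec.target_type != expected:
        return "relabel", (f"{what}: labelled {rec.target_type}, expected {expected}; "
                           f"fix with restorecon or chcon, not a policy change")
    return "policy", (f"{what}: label {expected} is already correct, so the policy "
                      f"rules deny this access; check relevant booleans (getsebool -a) "
                      f"before considering a local module")


if __name__ == "__main__":
    for line in (SAMPLE_AVC, SAMPLE_MISLABELLED):
        print(triage(parse_avc(line)))
```

Run against the quoted denial, the script reports "policy" because the target is already httpd_log_t, which is exactly why repeating the relabel step the poster describes kept producing the same message; the mislabelled variant reports "relabel". In permissive mode, as the thread notes, these denials are only logged, so the parser is also the natural starting point for a cron job or log-shipping rule that surfaces them before enforcing mode is switched on.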