On 12/02/2010 06:34 PM, Jerry Franz wrote:
> On 11/28/2010 09:31 AM, Benjamin Franz wrote:
>> [...]
>> And then, one day, it won't work. Worse - it doesn't always *log* what
>> it is doing in a way that you can figure out. Occasionally not at all.
>> So you spend a few hours poking at the system until you try the magic of
>> turning off SELinux. And then it starts working again.
>>
>> My experience is that *unless you have a system configured exactly like
>> the defaults*, SELinux is prone to suddenly deciding after an update
>> that it doesn't like your configuration anymore. Once because an update
>> to SELinux changed the labeling on an existing directory tree - blowing
>> away my own applied labeling with no warning. And there are even RH
>> supplied rpms that *do not work* with SELinux without SELinux
>> being tweaked first.
>>
>
> And in an exact example of this, today I needed to update some WordPress
> (WP) installations. Only, for "some reason" the FTP based autoupdater
> didn't work today.
>
> You guessed it - SELinux had struck again. I have left SELinux active on
> this machine because I don't trust WP not to get hacked. I went out of
> my way to make the system as SELinux friendly as I could when I built it
> because of this. It has had SELinux active right from the start.
>
> But something in the normal yum system updates or other routine system
> operation over the last several months apparently caused the system to
> mis-label part of the directory tree making it so that FTP (which is
> only allowed from the localhost to support WP updating) could no longer
> access some directory trees. No idea why: I'm the only person who has
> logged into the machine since March - and I only log in to run updates.
> It worked on April 26th - but not today.
>
> My fix today? I temporarily disabled SELinux, ran the WP updates,
> touched /.autorelabel and rebooted the machine. And "mysteriously" the
> FTP problem is gone now. This isn't the first time this has happened on
> this machine.
>
> If I wasn't so specifically paranoid about WP, SELinux would be disabled
> on this machine as well.
>

Did you take a look at the AVC messages? Are you running setroubleshoot?

Usually running something like

restorecon -R -v /var/ftp

would have cleaned this up, if it is a simple mislabel in the /var directory.
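
Added example, not part of the original messages: a small shell filter that condenses AVC denial records to one line per (domain, permissions, class, target type, name), which is what you need to judge whether a denial is a simple mislabel that `restorecon` would repair. The sample records, the `vsftpd` daemon name, the file names and the `ftpd_t`/`default_t` types in them are constructed for illustration.

```shell
#!/bin/bash
# Summarise SELinux AVC denials read from stdin.
# Output: "count source_domain perms tclass target_type name", most frequent first.
summarize_avc() {
  awk '
    /avc: +denied/ {
      perms = ""; name = "-"; src = ""; tgt = ""; cls = ""
      # Permissions are listed between "{" and "}".
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        # The SELinux type is the third colon-separated part of a context.
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        else if ($i ~ /^(name|path)=/) {
          # Names containing spaces are cut at the first space.
          name = $i; sub(/^[a-z]+=/, "", name); gsub(/"/, "", name)
        }
      }
      count[src " " perms " " cls " " tgt " " name]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample records (not taken from the machine in the thread).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1291312345.123:456): avc:  denied  { write } for  pid=2101 comm="vsftpd" name="plugins" dev=dm-0 ino=393301 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1291312345.130:457): avc:  denied  { write } for  pid=2101 comm="vsftpd" name="plugins" dev=dm-0 ino=393301 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1291312345.130:457): arch=c000003e syscall=83 success=no exit=-13 comm="vsftpd"
type=AVC msg=audit(1291312346.002:458): avc:  denied  { unlink } for  pid=2101 comm="vsftpd" name="readme.html" dev=dm-0 ino=393377 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
EOF
}

sample_audit_log | summarize_avc
```

On a live system the same function can be fed from `ausearch -m avc -ts today`, and `restorecon -n -R -v <path>` previews the relabeling without changing anything.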