[CentOS] SELinux - way of the future or good idea but !!!

Mon Dec 6 14:06:14 UTC 2010
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/02/2010 06:34 PM, Jerry Franz wrote:
> On 11/28/2010 09:31 AM, Benjamin Franz wrote:
>> [...]
>> And then, one day, it won't work. Worse - it doesn't always *log* what
>> it is doing in a way that you can figure out. Occasionally not at all.
>> So you spend a few hours poking at the system until you try the magic of
>> turning off SELinux. And then it starts working again.
>>
>> My experience is that *unless you have a system configured exactly like
>> the defaults*, SELinux is prone to suddenly deciding after an update
>> that it doesn't like your configuration anymore. Once because an update
>> to SELinux changed the labeling on an existing directory tree - blowing
>> away my own applied labeling with no warning. And there are even RH
>> supplied rpms that *do not work* with SELinux without being SELinux
>> being tweaked first.
>>
> 
> And in an exact example of this, today I needed to update some WordPress 
> (WP) installations. Only, for "some reason" the FTP based autoupdater 
> didn't work today.
> 
> You guessed it - SELinux had struck again. I have left SELinux active on 
> this machine because I don't trust WP not to get hacked. I went out of 
> my way to make the system as SELinux friendly as I could when I built it 
> because of this. It has had SELinux active right from the start.
> 
> But something in the normal yum system updates or other routine system 
> operation over the last several months apparently caused the system to 
> mis-label part of the directory tree making it so that FTP (which is 
> only allowed from the localhost to support WP updating) could no longer 
> access some directory trees. No idea why: I'm the only person who has 
> logged into the machine since March - and I only log in to run updates. 
> It worked on April 26th - but not today.
> 
> My fix today? I temporarily disabled SELinux, ran the WP updates, 
> touched /.autorelabel and rebooted the machine. And "mysteriously" the 
> FTP problem is gone now. This isn't the first time this has happened on 
> this machine.
> 
> If I wasn't so specifically paranoid about WP, SELinux would be disabled 
> on this machine as well.
> 

Did you take a look at the AVC messages?  Are you running setroubleshoot?

Usually running something like restorecon -R -v /var/ftp would have
cleaned this up, if it is a simple mislabel in /var directory.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz87dMACgkQrlYvE4MpobOTwgCfa8r9+SooNzx+YIQz91hzf2Vc
M8IAnA/7hO4uoMEWVIez+1IxcnHy2gQW
=6+wh
-----END PGP SIGNATURE-----