On 1/6/2012 7:13 AM, Daniel J Walsh wrote:
> On 01/06/2012 09:57 AM, Bennett Haselton wrote:
>> On 1/6/2012 5:55 AM, RILINDO FOSTER wrote:
>>> On Jan 6, 2012, at 7:40 AM, Philippe Naudin wrote:
>>>
>>>> On Fri 06 Jan 2012 04:21:14 CET, Bennett Haselton wrote:
>>>>
>>>>> On 1/6/2012 4:11 AM, Philippe Naudin wrote:
>>>>>> On Fri 06 Jan 2012 02:41:02 CET, Bennett Haselton wrote:
>>>>>>
>>>>>>> On 1/6/2012 2:24 AM, Philippe Naudin wrote:
>>>>>>>> Apache running as "init_t" is a call for trouble.
>>>>>>> Is it? OK, any idea what caused that and how to fix it?
>>>>>> No, sorry. Your httpd comes from CentOS?
>>>>> Yes
>>>>>> Afaik, you should not have any process running in context
>>>>>> init_t except init itself. If "ps awuxZ | grep [i]nit_t"
>>>>>> returns more than only init and httpd, your problem is
>>>>>> likely to be more complicated than a broken configuration
>>>>>> of apache.
>>>>> I've got a few...
>>>>>
>>>>> [root@g6950-21025 ~]# ps auwxZ | grep init_t
>>>>> system_u:system_r:init_t root 1 0.6 0.0 10368 712 ? Ss 04:17 0:00 init [3]
>>>>> system_u:system_r:init_t root 537 0.2 0.1 13728 1976 ? S<s 04:17 0:00 /sbin/udevd -d
>>>>> system_u:system_r:init_t root 1684 0.0 0.0 38880 456 ? Ssl 04:18 0:00 brcm_iscsiuio
>>>>> system_u:system_r:init_t root 1690 0.0 0.0 12152 476 ? Ss 04:18 0:00 iscsid
>>>>> system_u:system_r:init_t root 1691 0.0 0.4 12648 4460 ? S<Ls 04:18 0:00 iscsid
>>>>> system_u:system_r:init_t dbus 2081 0.0 0.1 31520 1144 ? Ssl 04:18 0:00 dbus-daemon --system
>>>>> system_u:system_r:init_t root 2215 0.0 0.1 52372 1492 ? Ssl 04:18 0:00 automount
>>>>> system_u:system_r:init_t root 2254 0.0 0.1 62656 1212 ? Ss 04:18 0:00 /usr/sbin/sshd
>>>>> system_u:system_r:init_t ntp 2273 0.0 0.4 23412 5044 ? SLs 04:18 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
>>>>> system_u:system_r:init_t root 2287 0.1 1.0 253312 10580 ? Ss 04:18 0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t apache 2315 0.3 1.3 259488 13376 ? S 04:18 0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t apache 2316 0.0 1.0 257436 11124 ? S 04:18 0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t apache 2317 0.1 1.1 257436 11288 ? S 04:18 0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t apache 2318 0.1 1.1 257436 11292 ? S 04:18 0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t apache 2319 0.0 1.0 256720 10504 ? S 04:18 0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t apache 2320 0.1 1.0 257436 10752 ? S 04:18 0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t apache 2321 0.0 1.1 257436 11272 ? S 04:18 0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t apache 2322 0.1 1.1 257436 11356 ? S 04:18 0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t root 2386 0.0 0.0 3812 492 tty1 Ss+ 04:18 0:00 /sbin/mingetty tty1
>>>>> system_u:system_r:init_t root 2387 0.0 0.0 3812 488 tty2 Ss+ 04:18 0:00 /sbin/mingetty tty2
>>>>> system_u:system_r:init_t root 2390 0.0 0.0 3812 488 tty3 Ss+ 04:18 0:00 /sbin/mingetty tty3
>>>>> system_u:system_r:init_t root 2392 0.0 0.0 3812 492 tty4 Ss+ 04:18 0:00 /sbin/mingetty tty4
>>>>> system_u:system_r:init_t root 2394 0.0 0.0 3812 488 tty5 Ss+ 04:18 0:00 /sbin/mingetty tty5
>>>>> system_u:system_r:init_t root 2397 0.0 0.0 3812 488 tty6 Ss+ 04:18 0:00 /sbin/mingetty tty6
>>>>> system_u:system_r:init_t apache 2405 0.1 1.0 256412 11008 ? S 04:18 0:00 /usr/sbin/httpd
>>>>> system_u:system_r:init_t root 2406 0.3 0.3 90156 3456 ? Ss 04:18 0:00 sshd: root@pts/0
>>>>> root:system_r:initrc_t:SystemLow-SystemHigh root 2458 0.0 0.0 61176 768 pts/0 S+ 04:18 0:00 grep init_t
>>>>>
>>>>> I also found at least one file (the audit.log file) which has
>>>>> file type file_t, even though I thought the filesystem had
>>>>> been re-labeled successfully because /var/www/html/robots.txt
>>>>> had the correct type:
>>>>>
>>>>> [root@g6950-21025 ~]# ls -lZ /var/www/html/robots.txt
>>>>> -rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
>>>>> [root@g6950-21025 ~]# ls -lZ /var/log/audit/audit.log
>>>>> -rw------- root root system_u:object_r:file_t /var/log/audit/audit.log
>>>>>
>>>>> Any idea (1) what could be causing that and (2) whether it
>>>>> could be related to the problem with all those init_t
>>>>> processes?
>>>> It's easy: your init process is broken, all these daemons but
>>>> init are mis-labeled, so all the files they create (such as log
>>>> files) are mis-labeled.
>>>>
>>>> And if the next question is "how to fix it?", the answer is
>>>> easy too: "I don't have any clue..."
>>>>
>>> Assuming that httpd came from CentOS, it should be appropriately
>>> relabeled. If not, using the semanage -f context would fix it.
>> Are you talking about changing the security context on the
>> /usr/sbin/httpd file itself? What should it be set to? Right now
>> it's
>> [root@g6950-21025 ~]# ls -lZ /usr/sbin/httpd
>> -rwxr-xr-x root root system_u:object_r:file_t /usr/sbin/httpd
>>
>>> This requires some thought. I'll respond back later.
>>>
>> Thanks!
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
> What does
>
> restorecon -R -v /usr/sbin
>
> Say?

I ran that with the additional "-n" flag so it would just tell me what it *would* change (without actually changing anything) and it listed almost all the files in there (including httpd).

But then I tried something else first. The page at http://wiki.centos.org/HowTos/SELinux says that "if the system has been upgraded to CentOS-5.2 with SELinux disabled, and SELinux is then enabled", then the relabel will fail, and you have to run these three commands:

# genhomedircon
# touch /.autorelabel
# reboot

I tried that and it worked -- the httpd processes are now listed with "httpd_t" as their context, the /var/log/audit/audit.log file is listed with auditd_log_t as its type instead of file_t, etc.

I'm pretty sure this machine was never "upgraded to CentOS 5.2", it was just imaged with 5.7 when the hosting company set it up, but SELinux *was* off until I turned it on. So probably the doc should say, if the "system was *installed* with 5.2, then do this" (and presumably it's 5.2 or later, not just 5.2).

> If this changes the label, then execute
>
> fixfiles restore
>
> Which should relabel the system.
>
> If restorecon does nothing or prints error messages,
>
> What file system are you using?