[CentOS] selinux allow apache log access

Wed Jun 17 20:14:32 UTC 2015
Tim Dunphy <bluethundr at gmail.com>

Hey guys,

 Thanks! That worked.

[root at monitor2:~] #grep zabbix /var/log/audit/audit.log  | audit2allow -M myzabbix
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myzabbix.pp

[root at monitor2:~] #semodule -i myzabbix.pp
[root at monitor2:~] #lsof -i :80
[root at monitor2:~] #systemctl start httpd
[root at monitor2:~] #lsof -i :80
COMMAND   PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
httpd   18664   root    4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18665 apache    4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18666 apache    4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18667 apache    4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18668 apache    4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18669 apache    4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
[root at monitor2:~] #getenforce
Enforcing

Definitely appreciate the help and sorry if there was any confusion on my
part. All set at this point!

Best,
Tim

On Wed, Jun 17, 2015 at 4:11 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>
>
> On 06/17/2015 04:03 PM, Jonathan Billings wrote:
> > On Wed, Jun 17, 2015 at 03:30:51PM -0400, Tim Dunphy wrote:
> >> No prob! Thanks for all the help! But in searching my system I don't find
> >> anything of the sort.
> >>
> >> [root at monitor2:~] #updatedb
> >> [root at monitor2:~] #locate myzabbix.te
> >> [root at monitor2:~] #find / -name "myzabbix.*"
> >>
> >> I also did search using 'yum provides' to find something similar. But
> >> wasn't able to find anything.
> > What we're asking for is the contents of the .te file that is created
> > when you run audit2allow.
> >
> Go back to the original email and do what you were told
>
> # grep zabbix /var/log/audit/audit.log  | audit2allow -M myzabbix
> # semodule -i myzabbix.pp
>
> You did audit2allow -M zabbix
>
> Which created zabbix.te and zabbix.pp, which is bad.  It will attempt to
> replace the system module.
>
> If you use myzabbix, it will add the allow rules.
>



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
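
Added example, not part of the original thread: the naming mistake discussed above (audit2allow -M zabbix producing a package that replaces the system zabbix module) can be caught before anything is generated by checking the chosen name against the installed module list. The function names and the sample listing are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): refuse an audit2allow module name
# that collides with a module already installed in the policy store.

# module_name_taken NAME
# Reads `semodule -l` style output on stdin and returns 0 if NAME is an
# installed module. Older releases print "name version", newer ones print
# only the name, so only the first field is compared (exact match).
module_name_taken() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# pick_module_name NAME LISTING
# Prints NAME if it is free. If it is taken, falls back to the "my" prefix
# used in the thread, and fails if that name is taken as well.
pick_module_name() {
    name=$1
    listing=$2
    if printf '%s\n' "$listing" | module_name_taken "$name"; then
        name="my$name"
        if printf '%s\n' "$listing" | module_name_taken "$name"; then
            echo "module names already installed: $1, $name" >&2
            return 1
        fi
    fi
    printf '%s\n' "$name"
}

# Constructed sample of `semodule -l` output (not captured from a real host;
# the version numbers are made up).
SAMPLE_LISTING='apache 2.7.2
zabbix 1.6.0
zarafa 1.2.0'

# On a real host (assumption: root shell, policycoreutils installed):
#   listing=$(semodule -l)
#   name=$(pick_module_name zabbix "$listing") || exit 1
#   grep zabbix /var/log/audit/audit.log | audit2allow -M "$name"
#   cat "$name.te"          # review the generated allow rules before loading
#   semodule -i "$name.pp"
```

Reading the generated .te file before running semodule -i shows exactly which allow rules are about to be added to the policy.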