On Thursday 21 February 2013 11:25:44 Robert Moskowitz wrote:
> On 02/21/2013 04:30 AM, James Hogarth wrote:
> > On 21 February 2013 01:28, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
> >> It looks like no system, internal or external could access the
> >> DNS on my new server. IPTABLES was set for 53 both UDP and TCP.
> >> Firewall was OK. In fact a local system on the same subnet, thus
> >> NOT going through my firewall was denied access to the internal
> >> domain. Localhost of course works.
> >>
> >> So it is either the Linux firewall and bind port randomization,
> >> or it is SELINUX. How do I test to find out which?
> >>
> >> Since the new server is on the same IP address as the old, it is
> >> unplugged from the switch. I can switch back and forth between
> >> the two boxes, only taking the time for ARP table updates.
> >>
> >> So I hope someone can point me to what I have missed.
> >
> > audit2allow -a will tell you if it's selinux ... and specifically
> > what is wrong...
>
> Great. I have to make notes on how to test about selinux
> reporting.
>
> > A quick test would be getenforce Permissive and restarting bind
> > ...
>

Hi,

setenforce 0 sets SELinux to permissive
setenforce 1 sets it to enforcing
sestatus to check the current status

You can use the following to build a custom SElinux module

# Generate local policy
grep http /var/log/audit/audit.log | audit2allow -m myhttp > myhttp.te
# could also use grep http to just get the http AVC

# Compile the module
checkmodule -M -m -o local.mod myhttp.te

# Create the package
semodule_package -o myhttp.pp -m local.mod

# Load the module into the kernel
semodule -i myhttp.pp

Tony

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
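Added example, not from Tony's message or from any of the posters: before piping audit.log into audit2allow, it is worth seeing whether the daemon in question has AVC denials at all (a firewall drop leaves none) and what exactly was denied. The script below works on constructed sample audit lines (not from Robert's server), counts AVC denials per process and summarises permission, object class and target type, so that a mislabelled file (tcontext user_home_t) can be fixed with restorecon instead of being allowed wholesale by a generated module.

```shell
#!/bin/sh
# Constructed sample audit records; on a real box use /var/log/audit/audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1361446800.123:456): avc:  denied  { name_bind } for  pid=1234 comm="named" src=53 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1361446800.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="named"
type=AVC msg=audit(1361446801.500:457): avc:  denied  { read } for  pid=1234 comm="named" name="named.conf" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1361446802.000:458): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Number of AVC denial records for the process named in $1 (e.g. named).
# Zero denials while the service is unreachable points away from SELinux.
avc_denials_for() {
    printf '%s\n' "$SAMPLE_AUDIT" | grep -c "type=AVC.*denied.*comm=\"$1\""
}

# One line per denial for process $1: "<permission> <tclass> <target type>".
# A target type like user_home_t on a config file is a labelling problem;
# a port type on a name_bind is the kind of thing a policy module addresses.
summarize_avc() {
    printf '%s\n' "$SAMPLE_AUDIT" | awk -v proc="$1" '
    /type=AVC/ && index($0, "comm=\"" proc "\"") {
        perm = ""; tclass = ""; ttype = ""
        # permission set sits between braces: { name_bind }
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tclass=/) tclass = substr($i, 8)
            # tcontext=user:role:type:level -> keep the type field
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        print perm, tclass, ttype
    }'
}

echo "named denials: $(avc_denials_for named)"
summarize_avc named
```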