Alessandro Baggi wrote:
> Hi list,
> I'm new to Centos and I've a very small knowledge of selinux use.
>
> I can disable it, but I prefer to take it on for study.

Ok, first thing you want to do is set it to permissive mode (setenforce 0, and edit /etc/selinux/config to Permissive from Enforcing). That way, you'll get all the alerts and, of course, denials... but it will let it operate.

Second: chcon is fine for setting user_u. Maybe role. DON'T USE IT unless you *must* for types. The reason for that is that it does NOT last across reboots. Use semanage (file that under user surly, at the very least). Read the manpage for that, and look at the examples.

Nasty gotchas that I've had to fight through:

a) it's *not* the wildcards I'm used to. To get a directory and its contents, give the *FULL* pathname, then end as the example:

     semanage fcontext -a -t whatsit_t "/mnt/what/dunno(/.*)?"

   Notes: the -a says add this context. If it's got a wildcard, USE THE QUOTES around the path. If it's just one file, you don't need the quotes, but use the *full* path. Selinux does not play with relative paths.

b) assuming you get past that, then run

     restorecon -R -v /path

   -R is recursive, and -v is verbose, so you *see* it doing what you expect it to do (or not).

To your specific issue, /mnt is, I believe, not one of their paths that the policy knows what to do with, so you'll have to label it all.

For things that policy doesn't know, and relabelling still didn't fix the problem, you'll need to create a policy (but be *VERY* chary about that).

Make sure auditd is running, and that setroubleshoot is installed. Trying to read the AVC's tends to be a study in frustration. The sealerts that will show up in messages will *usually* be more helpful (unless your users or organization are doing stuff that's not what everyone else does (like not having your website stuff under /var/www)).

Last detail: subscribe <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
<SNIP>

        mark "no, I don't like selinux, but I'm stuck having to live with it, even though we mostly have it in permissive mode"
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
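
Added example, not part of the original post: gotcha (a) above, that the path given to semanage fcontext is an anchored regular expression rather than a shell wildcard, shown by testing constructed paths against three candidate specs. The function names are made up for this illustration, and grep -E stands in for the PCRE matching libselinux does (an assumption that holds for these simple patterns).

```shell
#!/bin/sh
# Illustration only: hypothetical helpers, no SELinux tools are invoked.

# fc_matches SPEC PATH -> exit 0 if PATH matches SPEC the way a file-context
# entry would: as a regex that must cover the whole path (anchored both ends).
fc_matches() {
    printf '%s\n' "$2" | grep -Eq -- "^${1}\$"
}

# fc_lint SPEC -> flags the two mistakes from the post: a relative path,
# or a shell-style trailing /* used where a regex is expected.
fc_lint() {
    case $1 in
        /*) ;;
        *)  echo "relative path: spec must start with /"; return 1 ;;
    esac
    case $1 in
        */\*) echo "shell glob: use 'DIR(/.*)?' instead of 'DIR/*'"; return 1 ;;
    esac
    echo "ok"
}

# fc_plan TYPE DIR -> prints (does not run) the two commands from the post
# for labelling DIR and everything beneath it.
fc_plan() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$1" "$2"
    printf 'restorecon -R -v %s\n' "$2"
}

# Constructed sample paths checked against three candidate specs:
# the post's form, a shell-glob habit, and a relative path.
for spec in '/mnt/what/dunno(/.*)?' '/mnt/what/dunno/*' 'dunno(/.*)?'; do
    echo "spec: $spec  [lint: $(fc_lint "$spec")]"
    for path in /mnt/what/dunno /mnt/what/dunno/a.txt /mnt/what/dunno/sub/b; do
        if fc_matches "$spec" "$path"; then r=match; else r='no match'; fi
        echo "    $path -> $r"
    done
done

fc_plan whatsit_t /mnt/what/dunno
```

Read as a regex, "/mnt/what/dunno/*" means "dunno followed by zero or more slashes", so it covers the directory but none of its contents; that is why the post's "(/.*)?" suffix is needed.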