Re: CentOS 7 : SELinux trouble with Fail2ban

On 2/26/20 9:52 AM, Nicolas Kovacs wrote:
On 26/02/2020 at 11:51, Nicolas Kovacs wrote:
SELinux is preventing /usr/bin/python2.7 from read access on the file disable.

*****  Plugin catchall (100. confidence) suggests   *****

If you believe that python2.7 should be allowed read access on the disable file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver
# semodule -i my-f2bserver.pp

Weirdly enough, when I follow this suggestion and then empty audit.log and restart my server, I still get the exact same error again.

I reinstalled this server from scratch and took some notes. This time I was successful, though I don't know exactly what I did differently this time.

Usually I work as non-root user and call sudo whenever I need root permissions.

But is this OK when enabling SELinux modules? Let's consider the example given above:

# ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver
# semodule -i my-f2bserver.pp

Can I also perform it like this?

$ sudo ausearch -c 'f2b/server' --raw | sudo audit2allow -M my-f2bserver
$ sudo semodule -i my-f2bserver.pp

This should work. Likely the reason that it didn't resolve in one go is that there were multiple denials - but the first time it just failed on the first one. Someone else mentioned running in non-enforcing mode to allow the audit log to collect all of the denials and then generating the module - this is a good practice.


--
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
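
The reply above recommends letting the audit log collect every denial in non-enforcing mode before generating a module. The following added example (not part of the original thread) lists each distinct denial for one command name from raw audit records, so the full set can be reviewed before `audit2allow -M` is run. The sample records are constructed, and the types `fail2ban_t`, `example_t`, `example_dir_t` and `other_t` are assumptions.

```shell
#!/bin/sh
# Added example: list each distinct AVC denial for one command name from raw
# audit records on stdin (the format `ausearch --raw` emits), so the full set
# can be reviewed before audit2allow turns it into a policy module.

summarize_denials() {  # $1 = value of the comm= field, e.g. f2b/server
    awk -v comm="$1" '
    /avc: +denied/ && index($0, "comm=\"" comm "\"") {
        perms = src = tgt = cls = ""
        # Permission set is the text between the braces.
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # Third colon-separated part of a context is the SELinux type.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        seen[src " " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k2
}

# Constructed sample records (not taken from the thread). All SELinux types
# below are assumptions chosen for illustration.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1582714260.101:201): avc:  denied  { read } for  pid=1234 comm="f2b/server" name="disable" dev="dm-0" ino=1001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file permissive=1
type=AVC msg=audit(1582714260.102:202): avc:  denied  { open } for  pid=1234 comm="f2b/server" path="/example/disable" dev="dm-0" ino=1001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file permissive=1
type=AVC msg=audit(1582714261.103:203): avc:  denied  { search } for  pid=1234 comm="f2b/server" name="example" dev="dm-0" ino=1000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:example_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1582714262.104:204): avc:  denied  { read } for  pid=1234 comm="f2b/server" name="disable" dev="dm-0" ino=1001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file permissive=1
type=AVC msg=audit(1582714263.105:205): avc:  denied  { read } for  pid=4321 comm="other" name="x" dev="dm-0" ino=2002 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file permissive=1
EOF
}

# Each output line: <count> <source type> <target type>:<class> { <perms> }
sample_audit_lines | summarize_denials 'f2b/server'
```

On a real host, pipe the output of `ausearch -c 'f2b/server' --raw` into `summarize_denials 'f2b/server'` instead of the sample records.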



