Re: SELinux - null security context

Filipe Brandenburger wrote:
> Hi,
>
> 2009/1/28 Rob Kampen <rkampen@xxxxxxxxxxxxxxxxx>:
>> I'm seeing this every hour when the hourly cron job runs
>> NULL security context for user, but SELinux in permissive mode, continuing
>
> Try to use "ps -Z" to see if all your processes have appropriate
> security contexts. It's unlikely (impossible?) that one of them will
> not have, but start with that anyway.

All OK

> Also you can use "ls -Z" to see if the files have security contexts or
> not. Maybe start with "ls -Z /etc/cron*" and "ls -Z /var/spool/cron/"
> to see if the files related to crontabs are covered.
>
> Also have a look at what "semanage login -l" returns, in CentOS you
> should have an entry for "__default__" pointing to "user_u" and one
> for "root" pointing to "root".

All ok

>> I've tried fixfiles but obviously I'm missing something....
>
> Sometimes fixfiles will not be able to do a thorough job if your
> system is booted and running. It's preferable to do "touch
> /.autorelabel" and reboot the machine, that way "fixfiles" will run as
> the only process in the machine and will be able to label all files
> properly.

Last resort was the 'touch /.autorelabel' and reboot. This took nearly an hour, but once it came up all was well.
Thanks for the pointers, Filipe.
At what point would it be safe to go to enforcing? What logs should I be inspecting for warnings?
I find SELinux really hard to get my head around; extensive reading and still I don't get it clearly enough to where I understand it and feel safe committing my business server to it. And when something like this occurs and it takes the server down for an hour to clean it up.... not really production ready.
I'm getting ready to head for a PCI-DSS audit and thought SELinux enforcing would be a help......any comments from those with more experience??

>> Any SELinux gurus that can point me in the right direction?
>
> Far from being a guru, but maybe the information above will be useful
> for you to hunt the problem down.
>
> HTH,
> Filipe
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
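Added example, not part of this thread and not code from Filipe or Rob: a small sh/awk helper that mechanises the "ps -Z" and "ls -Z" checks suggested above, reporting any process or file that carries no usable SELinux context or is labelled with the unlabeled_t type. The function name check_contexts and both sample listings are constructed for illustration; the "ls -Z" column layout assumed is the CentOS 5 one (mode, owner, group, context, name), and on other releases the context may sit in a different column, which the field scan below tolerates.

```shell
#!/bin/sh
# Added example (not from the thread): scan "ps -eZ" or "ls -Z" style output and
# report entries that carry no usable SELinux context. A well-formed context has
# at least user:role:type; CentOS 5 appends an MLS level such as ":s0".
# Usage:  ps -eZ | check_contexts
#         ls -Z /etc/cron* /var/spool/cron | check_contexts
# Exit status is 1 when anything was flagged, so it can sit in a cron job or in a
# checklist run before switching to enforcing mode.
check_contexts() {
    awk '
    NR == 1 && $1 == "LABEL" { next }   # header line printed by ps -eZ
    NF == 0 { next }                    # ignore blank lines
    {
        ctx = ""
        # The context is the first field with at least three ":"-separated parts
        # whose first part looks like a name (this skips clock fields like 00:00:01).
        for (i = 1; i <= NF; i++) {
            if (split($i, p, ":") >= 3 && p[1] ~ /^[A-Za-z_]/) { ctx = $i; break }
        }
        if (ctx == "") {
            bad++; print "NO CONTEXT: " $0
        } else if (p[3] == "unlabeled_t") {
            bad++; print "UNLABELED:  " $0
        }
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample "ps -eZ" listing (not real output from anyone's machine):
# one process shown with no label and one carrying the unlabeled_t type.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:crond_t:s0     1234 ?        00:00:00 crond
-                                2345 ?        00:00:00 mystery
system_u:object_r:unlabeled_t:s0 2346 ?        00:00:00 leftover'

# Constructed clean sample in the CentOS 5 "ls -Z" layout.
SAMPLE_LS='-rw-r--r--  root root system_u:object_r:etc_t:s0       /etc/crontab
drwxr-xr-x  root root system_u:object_r:etc_t:s0       /etc/cron.hourly'

printf '%s\n' "$SAMPLE_PS" | check_contexts \
    || echo "sample ps listing: entries without a usable context were found"
printf '%s\n' "$SAMPLE_LS" | check_contexts \
    && echo "sample ls listing: every entry is labelled"
```

On the constructed ps sample the helper flags the "mystery" and "leftover" lines and exits 1; on the clean ls sample it prints nothing and exits 0. Run it against real "ps -eZ" and "ls -Z" output on the cron directories Filipe names to get the same yes/no answer without reading the listings by eye.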