Re: selinux...

> Quoting m.roth@xxxxxxxxx:
>
>> Have I mentioned that I am less than enthralled with selinux?
>>
>> My latest issue is continuing messages in the /var/log/messages, which
>> complain, for example, that siteminder can't write to smagent log (well,
>> it can, since we've got selinux in permissive mode, and no, we have no
>> control over using either siteminder or selinux).
>>
>> I've done what it says will solve the problem. A number of times.
>> Discussing it with my manager, it seems as though selinux DOES NOT HAVE
>> CORRECT ERROR HANDLING, and is falling through to a default error, and is
>> *not* telling me the true cause.
>
> What is the error?
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
Running sealert. Let's start with...
<snip>
SELinux prevented httpd reading and writing access to http files. Ordinarily
httpd is allowed full access to all files labeled with http file context. This
machine has a tightened security policy with the httpd_unified turned off, this
requires explicit labeling of all files. If a file is a cgi script it needs to
<snip>
and respond with
# getsebool -a | grep unified
httpd_unified --> on

Then we can go to:
<...> avc:  denied  { write } for  pid=5898 comm="LLAWP"
path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever>
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0
tclass=file

Do you need more info?

         mark
