Re: selinux...




On Wed, Oct 7, 2009 at 11:45 AM,  <m.roth@xxxxxxxxx> wrote:
>> Quoting m.roth@xxxxxxxxx:
>>
>>> Have I mentioned that I am less than enthralled with selinux?
>>>
>>> My latest issue is continuing messages in the /var/log/messages, which
>>> complain, for example, that siteminder can't write to smagent log (well,
>>> it can, since we've got selinux in permissive mode, and no, we have no
>>> control over using either siteminder or selinux).
>>>
>>> I've done what it says will solve the problem. A number of times.
>>> Discussing it with my manager, it seems as though selinux DOES NOT HAVE
>>> CORRECT ERROR HANDLING, and is falling through to a default error, and
>>> is *not* telling me the true cause.
>>
>> What is the error?
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> http://lists.centos.org/mailman/listinfo/centos
>>
> Running sealert. let's start with...
> <snip>
> SELinux prevented httpd reading and writing access to http files. Ordinarily
> httpd is allowed full access to all files labeled with http file context.
> This machine has a tightened security policy with the httpd_unified turned
> off, this requires explicit labeling of all files. If a file is a cgi script
> it needs to
> <snip>
> and respond with
> # getsebool -a | grep unified
> httpd_unified --> on
>
> Then we can go to:
> <...> avc:  denied  { write } for  pid=5898 comm="LLAWP"
> path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever>
> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0
> tclass=file
>
> Do you need more info?
>
>         mark
>

Don't know selinux.

When I have had init scripts write to new /var/log/ log files, I had
to change them to be system_t or it would fail.  Files under /tmp/ had
to have a special label as well.  So I wonder if you tried changing
the log file to the system_t context and whether it also fails.  Wouldn't it
have to have both the system and http context?  I went as far as
building SE modules, which is actually very easy when you find the few
instructions, but it had to be rebuilt with each new kernel.
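The AVC line quoted above already says everything the policy decision needs: the subject is the httpd_t domain (LLAWP runs inside it), the target is a file of type httpd_log_t, and the denied permission is write. httpd_log_t is the label the policy expects for files under /var/log/httpd, so relabeling the file (to system_t or anything else) cannot make that denial go away; what the default policy withholds is the write permission itself, and if, as in the targeted policy of that era, httpd_t is only granted append on its log files, an agent that opens its log without O_APPEND will be denied no matter how the file is labeled. The script below is an added example, not code from this thread or from CentOS or SiteMinder: it parses a denial line of the same shape (the sample line is constructed from the one quoted above, with made-up audit timestamp, serial and ino= values), prints the checks to run before touching policy, and emits the minimal local policy module that would grant exactly the denied permission. The command names it prints (ls -Z, matchpathcon, restorecon, sesearch in its setools 3 form, checkmodule, semodule_package, semodule) are the standard policycoreutils/setools/checkpolicy tools; the module name smagent_local is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from CentOS/SiteMinder: take an
# AVC denial line, derive the diagnostic checks to run on the box, and emit
# the minimal local policy module (the same shape audit2allow -M would write)
# so the rule can be reviewed before it is installed.
# AVC_LINE is constructed from the denial quoted in the thread; the audit
# timestamp, serial and ino= values are made up.

AVC_LINE='type=AVC msg=audit(1254915900.123:42): avc:  denied  { write } for  pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file'

# avc_field LINE KEY: value of " KEY=value" or " KEY="value"" in LINE
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission list between "denied {" and "}"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# type_of CONTEXT: the type field of user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the single allow rule that would satisfy this denial
avc_to_allow() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(type_of "$(avc_field "$1" scontext)")" \
        "$(type_of "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# avc_checks LINE: commands to run first. If matchpathcon disagrees with
# ls -Z, the fix is restorecon, not new policy. sesearch (setools 3 syntax)
# shows what the loaded policy already grants between the two types.
avc_checks() {
    path=$(avc_field "$1" path)
    sdom=$(type_of "$(avc_field "$1" scontext)")
    ttype=$(type_of "$(avc_field "$1" tcontext)")
    cat <<EOF
ls -Z '$path'
matchpathcon '$path'
restorecon -v '$path'
sesearch --allow -s $sdom -t $ttype -c $(avc_field "$1" tclass)
EOF
}

# avc_to_te NAME LINE: source of a local policy module granting exactly the
# denied permission; save it as NAME.te
avc_to_te() {
    sdom=$(type_of "$(avc_field "$2" scontext)")
    ttype=$(type_of "$(avc_field "$2" tcontext)")
    tclass=$(avc_field "$2" tclass)
    perms=$(avc_perms "$2")
    cat <<EOF
module $1 1.0;

require {
    type $sdom;
    type $ttype;
    class $tclass { $perms };
}

allow $sdom $ttype:$tclass { $perms };
EOF
}

# Stand-alone run: print the checks, the rule and the module source. The
# build steps are printed rather than run since they need root and the
# checkpolicy/policycoreutils packages.
avc_checks "$AVC_LINE"
avc_to_allow "$AVC_LINE"
avc_to_te smagent_local "$AVC_LINE"
cat <<'EOF'
# build and load as root after saving the module source as smagent_local.te:
checkmodule -M -m -o smagent_local.mod smagent_local.te
semodule_package -o smagent_local.pp -m smagent_local.mod
semodule -i smagent_local.pp
EOF
```

Two things to keep in mind before loading the module. The rule grants every process in httpd_t, not just LLAWP, the ability to overwrite and truncate httpd log files, which is exactly what an append-only log policy is there to prevent; keep the module to the one denied permission and nothing audit2allow happens to suggest from unrelated denials. And a module installed with semodule -i is kept in the policy module store and reloaded with the policy, so it needs rebuilding when the policy package changes, not when the kernel does.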

