Ok, I used the system-config-securitylevel to turn on the SELinux security. But I noticed a BAD side effect. I am using a custom iptables. Using the securitylevel tool turned off the iptables by deleting the /etc/sysconfig/iptables file. Good thing for backups :-).

So how do I use the securitylevel tool without touching iptables? Can't.

Too bad because after turning on SELinux, httpd will not start. I get the following error:

Starting httpd: Syntax error on line 68 of /etc/httpd/conf.d/ssl.conf:
SSLRandomSeed: source path '/dev/urandom' does not exist
[FAILED]

Ok, so what does /var/log/messages say.... Nothing because for some reason, nothing is being logged. If I go to tty1 and try it, I get a bunch of the following trace messages:

audit(1095634287.733:0): avc: denied { read write } for pid=10192 exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.733:0): avc: denied { read write } for pid=10192 exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.733:0): avc: denied { read write } for pid=10192 exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.734:0): avc: denied { read write } for pid=10192 exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.734:0): avc: denied { search } for pid=10192 exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.735:0): avc: denied { search } for pid=10192 exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.742:0): avc: denied { search } for pid=10192 exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.754:0): avc: denied { read write } for pid=10194 exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.762:0): avc: denied { read write } for pid=10194 exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.771:0): avc: denied { read write } for pid=10194 exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.779:0): avc: denied { read write } for pid=10194 exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.787:0): avc: denied { search } for pid=10194 exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.795:0): avc: denied { search } for pid=10194 exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.803:0): avc: denied { search } for pid=10194 exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir

So to get httpd to work, I need to reinvoke the securitylevel gui and select

transition->Disable Selinux protection for httpd daemon

So, if you count not being able to run httpd and no system logs, it is going ok.

-- 
Brian Millett
Enterprise Consulting Group     "Shifts in paradigms
(314) 205-9030                   often cause nose bleeds."
bpmATec-groupDOTcom                          Greg Glenn
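
An added example, not part of the original message: a small Python parser that groups the "avc: denied" records quoted above by source type, target type, object class and permissions, so the repeated lines collapse into the few distinct accesses being blocked. The function names are hypothetical, and the sample input is three records copied from the message.

```python
import re
from collections import Counter

# Three of the denial records quoted in the message above.
SAMPLE = """\
audit(1095634287.733:0): avc: denied { read write } for pid=10192 exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.733:0): avc: denied { read write } for pid=10192 exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.734:0): avc: denied { search } for pid=10192 exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    """Type is the third field of user:role:type; return ctx itself if malformed."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx

def summarize(text):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # not an AVC record, or one truncated by line wrapping
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec["tclass"], tuple(rec["perms"]))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Run on these records, every denial turns out to be syslogd_t refused access to an object labelled tmpfs_t, either a character device or a directory.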