Constance Morris wrote: > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx > Constance Morris wrote: >> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx >> Constance Morris wrote: >>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx >>> Constance Morris wrote: >>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Alfred >>>> Hovdestad On 09/05/13 02:15 PM, Constance Morris wrote: >>>> > <snip> >>>>Oh, two other things: first, is selinux enabled (enter getenforce)? >>> >>> Checked and it is enforced >> <snip> >> AAAARRRRGHGHGHGHGHGHGHH!!!!!!!!!!!! >> >> Ok, a *whole* new problem, which maybe throws everything else out the >> window. >> >> Look at their home directories again, but this time do ll -Z >> /var/www/whatever. Betcha they're something like unconfined_t, or >> default_t, or maybe even not labeled. Check /var/log/messages for >> sealert messages. And if you *don't* have any, then you need to see if >> setroubleshoot\* is installed. If not, install them (server and >> plugins), and make sure auditd is on. Then you'll see complaints. Run >> what's in messages, which will be of the form "setroubleshoot: SELinux >> is preventing /usr/bin/updatedb from read access on the directory >> /public/apps/.gem. For complete SELinux messages. run sealert -l >> 20085a91-0ea5-4794-a7c8-b6e975c27ed4". Run the sealert, and *maybe* >> the message will be helpful. It's sometimes only barely, to me, and >> I've been fighting to shut selinux up in the logs for years now. >> >> If you thought *Nix sysadmin was complicated, wait till you begin to >> look at selinux (which, btw, was written by the NSA, for real). >> >> It shows the following: >> user_u:object_r:httpd_sys_content_t:s0 > > Ok, that *should* work. >> >> so no unconfined_t or default_t >> >> There is no 'sealert' messages inside the message log. >> >> 'setroubleshoot' is not installed. It says there are 23 packages to >> install if I install it....if that okay? >> I don't want to cause any additional problems on the system right now. > > Install it, last week if not sooner. If you've got selinux enabled, and > you don't have that, you're asking for a world of hurt, things like random > denials or failures with no idea why. > > Are there entries in /var/log/audit/audit.log? Is auditd running? > P.S. I went back over what you said and ran the: run sealert -l > 20085a91-0ea5-4794-a7c8-b6e975c27ed4 > And got " failed to connect to server: No such file or directory" > If I run just 'sealert' - I get: could not attach to desktop process Ok... several questions: first, you didn't copy *mine*, did you? You got one out of your /var/log/messages? Second, you ran it from a command line, on the machine, correct? <looks at the manpage> Ok, I guess you can run it from the GUI, but if you're not on the console, you have to have X forwarding enabled in sshd, and then log in from a system running X with ssh -X or ssh -Y. I do most of what I do, as do most sysadmins I know, from the command line. mark -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list