Constance Morris wrote:
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
> Sent: Friday, May 10, 2013 1:43 PM
> Constance Morris wrote:
>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
>> Constance Morris wrote:
>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
>>> Constance Morris wrote:
>>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Alfred
<snip>
>> If you thought *Nix sysadmin was complicated, wait till you begin to
>> look at selinux (which, btw, was written by the NSA, for real).
>>
>> It shows the following:
>> user_u:object_r:httpd_sys_content_t:s0
>
> Ok, that *should* work.
>>
>> so no unconfined_t or default_t
>>
>> There is no 'sealert' messages inside the message log.
>>
>> 'setroubleshoot' is not installed. It says there are 23 packages to
>> install if I install it....is that okay?
>> I don't want to cause any additional problems on the system right now.
>
> Install it, last week if not sooner. If you've got selinux enabled, and
> you don't have that, you're asking for a world of hurt, things like random
> denials or failures with no idea why.
>
> Are there entries in /var/log/audit/audit.log? Is auditd running?
>
> Okay - installing it now.......complete.
> Yes, looks like this in /var/log/audit/audit.log :
>
> type=CRYPTO_SESSION msg=audit(1368206600.135:1549): user pid=12527 uid=0
> auid=618 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=start
> direction=from-server cipher=aes256-ctr ksize=256 rport=53503
> laddr=168.30.232.48 lport=22 id=4294967295 exe="/usr/sbin/sshd"
> (hostname=?, addr=168.30.169.40, terminal=? res=success)'

Ignore that. The only thing you care about are AVC's - selinux denials. Now that all is running, you'll see them as messages in /var/log/messages, that will tell you to run sealert, which will try to make the reasons clearer and offer solutions.

Hint: DO NOT always create a local policy; mostly, it's setting booleans (setsebool and getsebool -a are the commands you'll need), or fixing the role and type contexts with chcon or semanage fcontext -a -[tr] whatever, then restorecon; semanage gives examples on the manpage. And their regular expression is deeply different than the usual.

Back to your original problem: seriously, you or your counterpart may need to walk over to the user's offices and sit with them as they log onto their workstations and get ready to publish, then interrupt, and go through the configuration (menu, options or whatever), and see if those are pointing correctly.

mark
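The filtering step described in the message above (skip records such as CRYPTO_SESSION, keep only the AVC denials), as an added example that is not part of the original thread. It is a small Python parser run over constructed audit.log records; the sample records, function names and chosen fields are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE_LOG = """\
type=CRYPTO_SESSION msg=audit(1368206600.135:1549): user pid=12527 uid=0 auid=618 msg='op=start direction=from-server cipher=aes256-ctr exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.20, terminal=? res=success)'
type=AVC msg=audit(1368206712.412:1553): avc:  denied  { getattr } for  pid=12601 comm="httpd" path="/var/www/html/site/index.html" dev=dm-0 ino=393231 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1368206712.412:1553): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1368206713.020:1554): avc:  denied  { write add_name } for  pid=12601 comm="httpd" name="upload" dev=dm-0 ino=393240 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1368206714.100:1555): avc:  denied  { getattr } for  pid=12602 comm="httpd" path="/var/www/html/site/index.html" dev=dm-0 ino=393231 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
"""

AVC_RE = re.compile(r"^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): "
                    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    # A context is user:role:type:level; the level may contain more colons.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_denials(text):
    # Keep only AVC records whose result is "denied"; ignore every other type.
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("result") != "denied":
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
        denials.append({
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", "?"),
            "source_type": type_of(fields.get("scontext", "")),
            "target_type": type_of(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", "?"),
            "target": fields.get("path") or fields.get("name", "?"),
        })
    return denials

def summarize(denials):
    # Count identical (source type, target type, class, permission) tuples.
    return Counter((d["source_type"], d["target_type"], d["tclass"], p)
                   for d in denials for p in d["perms"])

if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perm} }}")
```

A repeated denial against a `default_t` target points at a file-context problem (the chcon / semanage fcontext / restorecon route mentioned above) rather than at a missing local policy.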