Unsubscribe

On May 10, 2013, at 4:16 PM, "Constance Morris" <cmorris@xxxxxxxxxxxxxxx> wrote:

> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
> Sent: Friday, May 10, 2013 3:20 PM
> To: General Red Hat Linux discussion list
> Subject: RE: P.S. - RE: [redhat-list] updates pending question
>
> Constance Morris wrote:
>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
>
>> Constance Morris wrote:
>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
>>> Constance Morris wrote:
>>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
>>>> Constance Morris wrote:
>>>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
>>>>> Constance Morris wrote:
>>>>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Alfred
>>>>>> Hovdestad On 09/05/13 02:15 PM, Constance Morris wrote:
>>> <snip>
>>>>>> Oh, two other things: first, is selinux enabled (enter getenforce)?
>>>>>
>>>>> Checked and it is enforced
>>>> <snip>
>>>> AAAARRRRGHGHGHGHGHGHGHH!!!!!!!!!!!!
>>>>
>>>> Ok, a *whole* new problem, which maybe throws everything else out
>>>> the window.
>>>>
>>>> Look at their home directories again, but this time do ll -Z
>>>> /var/www/whatever. Betcha they're something like unconfined_t, or
>>>> default_t, or maybe even not labeled. Check /var/log/messages for
>>>> sealert messages. And if you *don't* have any, then you need to see
>>>> if setroubleshoot\* is installed. If not, install them (server and
>>>> plugins), and make sure auditd is on. Then you'll see complaints.
>>>> Run what's in messages, which will be of the form "setroubleshoot:
>>>> SELinux is preventing /usr/bin/updatedb from read access on the
>>>> directory /public/apps/.gem. For complete SELinux messages. run
>>>> sealert -l 20085a91-0ea5-4794-a7c8-b6e975c27ed4". Run the sealert,
>>>> and *maybe* the message will be helpful. It's sometimes only barely,
>>>> to me, and I've been fighting to shut selinux up in the logs for
>>>> years now.
>>>>
>>>> If you thought *Nix sysadmin was complicated, wait till you begin to
>>>> look at selinux (which, btw, was written by the NSA, for real).
>>>>
>>>> It shows the following:
>>>> user_u:object_r:httpd_sys_content_t:s0
>>>
>>> Ok, that *should* work.
>>>>
>>>> so no unconfined_t or default_t
>>>>
>>>> There are no 'sealert' messages inside the message log.
>>>>
>>>> 'setroubleshoot' is not installed. It says there are 23 packages to
>>>> install if I install it....is that okay?
>>>> I don't want to cause any additional problems on the system right now.
>>>
>>> Install it, last week if not sooner. If you've got selinux enabled,
>>> and you don't have that, you're asking for a world of hurt, things
>>> like random denials or failures with no idea why.
>>>
>>> Are there entries in /var/log/audit/audit.log? Is auditd running?
>>
>>> P.S. I went back over what you said and ran the: run sealert -l
>>> 20085a91-0ea5-4794-a7c8-b6e975c27ed4
>>> And got "failed to connect to server: No such file or directory"
>>> If I run just 'sealert' - I get: could not attach to desktop process
>>
>> Ok... several questions: first, you didn't copy *mine*, did you? You
>> got one out of your /var/log/messages? Second, you ran it from a
>> command line, on the machine, correct? <looks at the manpage> Ok, I
>> guess you can run it from the GUI, but if you're not on the console,
>> you have to have X forwarding enabled in sshd, and then log in from a
>> system running X with ssh -X or ssh -Y.
>>
>> I do most of what I do, as do most sysadmins I know, from the command
>> line.
>>
>> Mark,
>> You want a good laugh.....I did copy yours. Oops.
>> I do not see any sealert info in the messages log. Do I need to run or
>> rather start sealert?
>
> Nope. If auditd is running, that's all you need. If you see no sealerts
> in /var/log/messages, or AVCs in /var/log/audit/audit.log, be happy. The
> messages are for specific AVCs on *your* system, they're not generic.
>
>> There is no GUI for this server - it's all command line.
>> X11Forwarding is showing 'yes' in the sshd_config file.
>> What is ssh -X or ssh -Y......would a system running X be like putty?
>
> I don't think so. I think you need something like Citrix, or the mks
> toolkit, or something like that, if you're on WinDoze.
>
> mark
> --------------
>
> Mark,
>
> I do get AVC messages in the audit.log file:
> type=AVC msg=audit(1368211292.794:1593): avc: denied { search } for pid=13587 comm="procmail" name="www" dev=dm-0 ino=3440923 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
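The thread ends with a raw AVC record and no explanation of how to read it. The following is an added example, not part of the mailing-list thread or any Red Hat tool: a small parser for `type=AVC` records from /var/log/audit/audit.log that pulls out the denied permission, the source and target SELinux types and the object class, and then collapses the denials into `allow` rules in the same shape audit2allow prints. The first AVC line in the sample is the one Constance posted (the message as it appears on the page, with single spaces; real records have double spaces, which the parser also accepts). The SYSCALL line and the second AVC record are constructed for the example and do not come from her system.

```python
"""Parse SELinux AVC denials out of audit.log text and summarise them.

Added example for the redhat-list thread above; not the list's or Red Hat's
own code. The first AVC line is the record quoted in the thread, the other
two lines are constructed so the parser sees a non-AVC record and a
multi-permission denial.
"""
import re
from datetime import datetime, timezone

# Constructed sample log (first AVC line copied from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1368211292.794:1593): avc: denied { search } for pid=13587 comm="procmail" name="www" dev=dm-0 ino=3440923 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1368211292.794:1593): arch=c000003e syscall=2 success=no exit=-13 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1368211300.120:1601): avc:  denied  { read write } for  pid=13590 comm="procmail" path="/var/www/html/jdoe/.procmailrc" dev=dm-0 ino=3440950 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# type=AVC msg=audit(<epoch.ms>:<serial>): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+"
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:level; split(':', 3) keeps MLS ranges like s0-s0:c0.c1023 intact."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(m.group("fields")):
        fields[key] = val[1:-1] if val.startswith('"') else val
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # malformed or truncated record; do not guess
    rec = {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source": split_context(fields.pop("scontext")),
        "target": split_context(fields.pop("tcontext")),
        "tclass": fields.pop("tclass"),
    }
    rec.update(fields)  # pid, comm, name/path, dev, ino, ...
    return rec


def iter_avcs(text):
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            yield rec


def describe(rec):
    """One human-readable line per denial: who was denied what on which object."""
    obj = rec.get("path") or rec.get("name") or "?"
    return (
        f"{rec['time']:%Y-%m-%d %H:%M:%S} UTC: {rec.get('comm', '?')} (pid {rec.get('pid', '?')}, "
        f"{rec['source']['type']}) was {rec['result']} {' '.join(rec['perms'])} on "
        f"{rec['tclass']} '{obj}' labelled {rec['target']['type']}"
    )


def suggest_rules(text):
    """Collapse denials into allow rules keyed by (source type, target type, class),
    formatted the way audit2allow prints them. Review before loading anything."""
    wanted = {}
    for rec in iter_avcs(text):
        if rec["result"] != "denied":
            continue
        key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"])
        wanted.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules


if __name__ == "__main__":
    for rec in iter_avcs(SAMPLE_AUDIT_LOG):
        print(describe(rec))
    print("\n# allow rules these denials would need (starting point only):")
    for rule in suggest_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against the record from the thread, the parser shows what the raw line says: procmail, running as `procmail_t`, was denied `search` on a directory named `www` labelled `httpd_sys_content_t`, i.e. mail delivery is walking into web content. The generated `allow procmail_t httpd_sys_content_t:dir search;` is only what a blanket allow would look like; whether that, a relabel, or a boolean is the right fix depends on why procmail is going there, which the thread does not resolve. On a real box the same data comes from `ausearch -m avc -ts recent`, and `audit2allow -w` prints the reason for each denial alongside the rule.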