P.S. - RE: [redhat-list] updates pending question

m.roth at 5-cent.us
Fri May 10 17:14:47 UTC 2013


Constance Morris wrote:
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> Constance Morris wrote:
>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Alfred Hovdestad
>> On 09/05/13 02:15 PM, Constance Morris wrote:
>>
>>> If so, I have finished the 506 updates that redhat showed were needed.
>>> But then noticed today that 116 showing failed had been placed in the
>>> Events history section on the red hat customer portal website for my
>>> registered server. Since my problem with clients still not being able
>>> to SSH via SFTP in Expression Web still exists after finishing the
>>> updates
>>> - I wanted to get these 116 done to see if that would fix the problem.
>>> But I can't seem to get them to run.
<snip>
>>> Any suggestions - web links, you can think of to pass on to help me?
>
> Sure: type which sftp, then rpm -q --whatprovides <the full path to sftp,
> like /usr/bin/sftp>
<snip>
>> To see if any updates are still pending.  Next check the package that
>> the sftp command belongs to:
>>
>> which sftp
>> rpm -qf /usr/bin/sftp
>> rpm -qf /usr/bin/ssh
>>
>> They should belong to the same package.
>>
>> Yum update shows me there are no packages marked for update.
>> Yes, the locations are the same for sftp and ssh, but not sshd.
>> Not sure if that makes a difference with the sshd not being in a
>> similar path location as the other two.
>
> That should be in /usr/sbin/sshd - that's run as root by the system, not
> by users.
>
>> But they all 3 are showing to belong to the same package.
<snip>
> Oh, two other things: first, is selinux enabled (enter getenforce)?
> Second, if you answered this, I've forgotten, but if the three users have
> actual directories where they're supposed to be, what is the ownership and
> permission of the home directories and those under them? They should be
> owned by the user, the group whatever all the other normal users are, and
> permissions should *probably* be rwx------, or rwxr-x---, or rwxr-xr-x.
>

>>Oh, two other things: first, is selinux enabled (enter getenforce)?
>
> Checked and it is enforced
<snip>
AAAARRRRGHGHGHGHGHGHGHH!!!!!!!!!!!!

Ok, a *whole* new problem, which maybe throws everything else out the window.

Look at their home directories again, but this time do ll -Z
/var/www/whatever. Betcha they're something like unconfined_t, or
default_t, or maybe even not labeled. Check /var/log/messages for sealert
messages. And if you *don't* have any, then you need to see if
setroubleshoot\* is installed. If not, install them (server and plugins),
and make sure auditd is on. Then you'll see complaints. Run what's in
messages, which will be of the form "setroubleshoot: SELinux is preventing
/usr/bin/updatedb from read access on the directory /public/apps/.gem. For
complete SELinux messages. run sealert -l
20085a91-0ea5-4794-a7c8-b6e975c27ed4". Run the sealert, and *maybe* the
message will be helpful. It's sometimes only barely, to me, and I've been
fighting to shut selinux up in the logs for years now.

If you thought *Nix sysadmin was complicated, wait till you begin to look
at selinux (which, btw, was written by the NSA, for real).

      mark
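
As an added example (not part of the original post): a shell function that pulls the setroubleshoot lines described above out of syslog text and lists each unique sealert ID with how often it fired and what was denied. The host name, timestamps, the sshd line and its all-zero ID in the sample are constructed; only the updatedb message comes from the post.

```shell
#!/bin/sh
# Added example: summarise setroubleshoot denials from syslog text on stdin.
# Output per unique alert: count<TAB>sealert-id<TAB>process<TAB>access<TAB>target

summarise_denials() {
  awk '
    /setroubleshoot: SELinux is preventing / {
      # The alert ID is the token after "sealert -l".
      id = ""
      for (i = 1; i + 2 <= NF; i++)
        if ($i == "sealert" && $(i + 1) == "-l") id = $(i + 2)
      gsub(/[^0-9a-f-]/, "", id)
      if (id == "") next

      # Reduce the line to "<process> from <access> access on the <target>".
      msg = $0
      sub(/^.*SELinux is preventing /, "", msg)
      sub(/\. +For complete SELinux messages.*$/, "", msg)
      p = index(msg, " from ")
      if (p == 0) next
      proc = substr(msg, 1, p - 1)
      rest = substr(msg, p + 6)
      q = index(rest, " access on the ")
      if (q > 0) { access = substr(rest, 1, q - 1); target = substr(rest, q + 15) }
      else       { access = rest; target = "-" }   # differently worded denial

      if (!(id in count)) { order[++n] = id; desc[id] = proc "\t" access "\t" target }
      count[id]++
    }
    END {
      for (i = 1; i <= n; i++)
        printf "%d\t%s\t%s\n", count[order[i]], order[i], desc[order[i]]
    }'
}

# Constructed sample log. The updatedb message is the one quoted in the post;
# host name, timestamps, the sshd line and its all-zero ID are made up.
sample_log() {
  cat <<'EOF'
May 10 12:00:01 host01 crond[2211]: (root) CMD (run-parts /etc/cron.hourly)
May 10 12:01:33 host01 setroubleshoot: SELinux is preventing /usr/bin/updatedb from read access on the directory /public/apps/.gem. For complete SELinux messages. run sealert -l 20085a91-0ea5-4794-a7c8-b6e975c27ed4
May 10 12:04:10 host01 setroubleshoot: SELinux is preventing /usr/sbin/sshd from getattr access on the directory /var/www/site1. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
May 10 13:01:35 host01 setroubleshoot: SELinux is preventing /usr/bin/updatedb from read access on the directory /public/apps/.gem. For complete SELinux messages. run sealert -l 20085a91-0ea5-4794-a7c8-b6e975c27ed4
EOF
}

# Demo on the sample; on a real host: summarise_denials < /var/log/messages
sample_log | summarise_denials
```

Each ID in the second column can be passed to sealert -l for the full report on that denial.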



