P.S. - RE: [redhat-list] updates pending question

m.roth at 5-cent.us
Fri May 10 17:42:38 UTC 2013


Constance   Morris wrote:
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> Constance   Morris wrote:
>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>> Constance   Morris wrote:
>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Alfred Hovdestad
>>> On 09/05/13 02:15 PM, Constance Morris wrote:
>>>
<snip>
>>>Oh, two other things: first, is selinux enabled (enter getenforce)?
>>
>> Checked and it is enforced
> <snip>
> AAAARRRRGHGHGHGHGHGHGHH!!!!!!!!!!!!
>
> Ok, a *whole* new problem, which maybe throws everything else out the
> window.
>
> Look at their home directories again, but this time do ll -Z
> /var/www/whatever. Betcha they're something like unconfined_t, or
> default_t, or maybe even not labeled. Check /var/log/messages for sealert
> messages. And if you *don't* have any, then you need to see if
> setroubleshoot\* is installed. If not, install them (server and plugins),
> and make sure auditd is on. Then you'll see complaints. Run what's in
> messages, which will be of the form "setroubleshoot: SELinux is preventing
> /usr/bin/updatedb from read access on the directory /public/apps/.gem. For
> complete SELinux messages. run sealert -l
> 20085a91-0ea5-4794-a7c8-b6e975c27ed4". Run the sealert, and *maybe* the
> message will be helpful. It's sometimes only barely, to me, and I've been
> fighting to shut selinux up in the logs for years now.
>
> If you thought *Nix sysadmin was complicated, wait till you begin to look
> at selinux (which, btw, was written by the NSA, for real).
>
> It shows the following:
> user_u:object_r:httpd_sys_content_t:s0

Ok, that *should* work.
>
> so no unconfined_t or default_t
>
> There are no 'sealert' messages inside the message log.
>
> 'setroubleshoot' is not installed. It says there are 23 packages to
> install if I install it... is that okay?
> I don't want to cause any additional problems on the system right now.

Install it, last week if not sooner. If you've got selinux enabled, and
you don't have that, you're asking for a world of hurt, things like random
denials or failures with no idea why.

Are there entries in /var/log/audit/audit.log? Is auditd running?

      mark
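The checks Mark walks through above (labels under the web root, AVC denials in the audit log, whether setroubleshoot and auditd are present) can be scripted. The following is an added example written for this page, not code from the list thread; the audit.log lines are constructed for illustration, and the web root, audit log path and the package name setroubleshoot-server are assumptions about a RHEL-style host.

```shell
#!/bin/bash
# Added example (not from the redhat-list thread): a small SELinux triage
# helper for the steps described in the post. Paths, package names and the
# sample audit lines below are assumptions made for this example.

# Constructed audit.log lines (made up for this example; not real data).
SAMPLE_AUDIT='type=AVC msg=audit(1368200000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.php" dev=dm-0 ino=789 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1368200000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1368200001.456:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/app/cache" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=USER_LOGIN msg=audit(1368200002.000:458): pid=2222 uid=0 auid=1000 ses=3 msg="op=login id=1000 exe=/usr/sbin/sshd res=success"'

# Extract the SELinux type (third field) from a context string such as
# user_u:object_r:httpd_sys_content_t:s0
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the type is one httpd is allowed to serve or write, 1 otherwise.
# default_t, unconfined_t, user_home_t and friends all fail: that is the
# mislabeling the post tells you to look for.
web_label_ok() {
    case "$(label_type "$1")" in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_script_exec_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read audit.log lines on stdin and print one summary line per AVC denial:
#   comm permission source_type target_type class
summarize_avc() {
    grep 'avc: *denied' | awk '{
        perm = ""; comm = ""; st = ""; tt = ""; cls = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "{")          perm = $(i+1);
            if ($i ~ /^comm=/)      { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/)  { split(substr($i, 10), a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/)  { split(substr($i, 10), b, ":"); tt = b[3] }
            if ($i ~ /^tclass=/)    cls = substr($i, 8);
        }
        print comm, perm, st, tt, cls
    }'
}

# Number of AVC denials in the audit lines read from stdin.
count_denials() {
    summarize_avc | wc -l | tr -d ' '
}

# Live checks on a real host (reading audit.log needs root). Not run unless
# the script is invoked with --live.
triage_live() {
    webroot="${1:-/var/www}"           # assumed web root
    auditlog=/var/log/audit/audit.log  # assumed default audit log location
    echo "SELinux mode: $(getenforce 2>/dev/null || echo 'getenforce not found')"
    echo "Labels under $webroot (anything that is not an httpd_* type is suspect):"
    # ls -Z prints the context as the second-to-last field; names with spaces
    # would break this simple split.
    ls -dZ "$webroot"/* 2>/dev/null | awk '{print $(NF-1), $NF}' | while read -r ctx path; do
        web_label_ok "$ctx" || echo "  MISLABELED: $path -> $ctx"
    done
    if rpm -q setroubleshoot-server >/dev/null 2>&1; then
        echo "setroubleshoot-server: installed"
    else
        echo "setroubleshoot-server: NOT installed (no sealert messages will appear)"
    fi
    if pgrep -x auditd >/dev/null 2>&1; then
        echo "auditd: running; denials logged so far: $(count_denials < "$auditlog")"
    else
        echo "auditd: NOT running (denials will not be logged)"
    fi
    echo "Most frequent denials:"
    summarize_avc < "$auditlog" | sort | uniq -c | sort -rn | head
}

if [ "${1:-}" = "--live" ]; then
    triage_live "${2:-/var/www}"
fi
```

Run as `./selinux-triage.sh --live /var/www` on the host to get the live report; without `--live` it only defines the functions, so `printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc` exercises the parser on the constructed lines. The summary pairs each denial with the source and target types, which is what you need to decide between relabeling (`restorecon -R` on the web root) and a policy change once sealert has had its say.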