P.S. - RE: [redhat-list] updates pending question

Constance Morris cmorris at daltonstate.edu
Fri May 10 19:13:12 UTC 2013


-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
Sent: Friday, May 10, 2013 2:45 PM
To: General Red Hat Linux discussion list
Subject: RE: P.S. - RE: [redhat-list] updates pending question

Constance   Morris wrote:
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> Constance   Morris wrote:
>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>> Constance   Morris wrote:
>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>>> Constance   Morris wrote:
>>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Alfred 
>>>> Hovdestad On 09/05/13 02:15 PM, Constance Morris wrote:
>>>>
> <snip>
>>>>Oh, two other things: first, is selinux enabled (enter getenforce)?
>>>
>>> Checked and it is enforced
>> <snip>
>> AAAARRRRGHGHGHGHGHGHGHH!!!!!!!!!!!!
>>
>> Ok, a *whole* new problem, which maybe throws everything else out the 
>> window.
>>
>> Look at their home directories again, but this time do ll -Z 
>> /var/www/whatever. Betcha they're something like unconfined_t, or 
>> default_t, or maybe even not labeled. Check /var/log/messages for 
>> sealert messages. And if you *don't* have any, then you need to see 
>> if setroubleshoot\* is installed. If not, install them (server and
>> plugins), and make sure auditd is on. Then you'll see complaints. Run 
>> what's in messages, which will be of the form "setroubleshoot: 
>> SELinux is preventing /usr/bin/updatedb from read access on the 
>> directory /public/apps/.gem. For complete SELinux messages. run 
>> sealert -l 20085a91-0ea5-4794-a7c8-b6e975c27ed4". Run the sealert, 
>> and *maybe* the message will be helpful. It's sometimes only barely, 
>> to me, and I've been fighting to shut selinux up in the logs for years now.
>>
>> If you thought *Nix sysadmin was complicated, wait till you begin to 
>> look at selinux (which, btw, was written by the NSA, for real).
>>
>> It shows the following:
>> user_u:object_r:httpd_sys_content_t:s0
>
> Ok, that *should* work.
>>
>> so no unconfined_t or default_t
>>
>> There is no 'sealert' messages inside the message log.
>>
>> 'setroubleshoot' is not installed. It says there are 23 packages to 
>> install if I install it....is that okay?
>> I don't want to cause any additional problems on the system right now.
>
> Install it, last week if not sooner. If you've got selinux enabled, 
> and you don't have that, you're asking for a world of hurt, things 
> like random denials or failures with no idea why.
>
> Are there entries in /var/log/audit/audit.log? Is auditd running?

> P.S. I went back over what you said and ran the:  run sealert -l
> 20085a91-0ea5-4794-a7c8-b6e975c27ed4
> And got " failed to connect to server: No such file or directory"
> If I run just 'sealert' - I get: could not attach to desktop process

Ok... several questions: first, you didn't copy *mine*, did you? You got one out of your /var/log/messages? Second, you ran it from a command line, on the machine, correct? <looks at the manpage> Ok, I guess you can run it from the GUI, but if you're not on the console, you have to have X forwarding enabled in sshd, and then log in from a system running X with ssh -X or ssh -Y.

I do most of what I do, as do most sysadmins I know, from the command line.

        mark
---------------

Mark,
You want a good laugh.....I did copy yours. Oops.
I do not see any sealert info in the messages log. Do I need to run or rather start sealert?
There is no GUI for this server - it's all command line. 
X11Forwarding is showing 'yes' in the sshd_config file.
What is ssh -X or ssh -Y......would a system running X be like putty?
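
An added example, not part of the original messages: the alert ID passed to `sealert -l` has to come from the host's own /var/log/messages, and when setroubleshoot has logged nothing the raw denials are still in /var/log/audit/audit.log if auditd is running. The function names, host name and every log line below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All log lines below are constructed.

# Distinct alert IDs that setroubleshoot wrote to a syslog file
# (normally /var/log/messages). Empty output means no alerts were logged.
sealert_ids() {
    grep 'setroubleshoot:' "$1" |
        sed -n 's/.*sealert -l \([0-9a-fA-F-]\{36\}\).*/\1/p' | sort -u
}

# AVC denials in an audit log (normally /var/log/audit/audit.log),
# printed as "count command target-context".
avc_summary() {
    grep 'type=AVC' "$1" | grep 'denied' |
        sed -n 's/.* comm="\([^"]*\)".* tcontext=\([^ ]*\).*/\1 \2/p' |
        sort | uniq -c | sed 's/^ *//'
}

# Constructed sample logs so the functions can be tried offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/messages" <<'EOF'
May 10 14:02:11 web01 setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the directory /var/www/site. For complete SELinux messages. run sealert -l 11111111-2222-3333-4444-555555555555
May 10 14:02:15 web01 setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the directory /var/www/site. For complete SELinux messages. run sealert -l 11111111-2222-3333-4444-555555555555
May 10 14:05:40 web01 setroubleshoot: SELinux is preventing /usr/bin/updatedb from read access on the directory /srv/data. For complete SELinux messages. run sealert -l aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
May 10 14:06:00 web01 sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
EOF
cat > "$demo_dir/audit.log" <<'EOF'
type=AVC msg=audit(1368194531.101:201): avc:  denied  { read } for  pid=3012 comm="httpd" name="site" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1368194531.101:201): arch=c000003e syscall=2 success=no exit=-13 pid=3012 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1368194535.440:207): avc:  denied  { read } for  pid=3012 comm="httpd" name="site" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1368194740.009:215): avc:  denied  { read } for  pid=4120 comm="updatedb" name="data" dev=dm-0 ino=977 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
EOF

echo "Alert IDs found in this host's own log:"
sealert_ids "$demo_dir/messages" | sed 's/^/  sealert -l /'
echo "AVC denials (count command target-context):"
avc_summary "$demo_dir/audit.log" | sed 's/^/  /'
```

On a real host, pass /var/log/messages and /var/log/audit/audit.log (as root) instead of the sample files.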




