please try SELinux again

Brian Millett bpm at ec-group.com
Sun Sep 19 23:32:25 UTC 2004


Ok, I used the system-config-securitylevel to turn on the SELinux
security.  But I noticed a BAD side effect.  I am using a custom iptables
configuration. Using the securitylevel tool turned off iptables by deleting the
/etc/sysconfig/iptables file. Good thing for backups :-).

So how do I use the securitylevel tool without touching iptables?

Can't.

Too bad because after turning on SELinux, httpd will not start.  I get the
following error:

Starting httpd: Syntax error on line 68 of /etc/httpd/conf.d/ssl.conf:
SSLRandomSeed: source path '/dev/urandom' does not exist
                                                           [FAILED]
Ok, so what does /var/log/messages say.... Nothing because for some
reason, nothing is being logged.

If I go to tty1 and try it, I get a bunch of the following trace messages:

audit(1095634287.733:0): avc:  denied  { read write } for  pid=10192
exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1095634287.733:0): avc:  denied  { read write } for  pid=10192
exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1095634287.733:0): avc:  denied  { read write } for  pid=10192
exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1095634287.734:0): avc:  denied  { read write } for  pid=10192
exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1095634287.734:0): avc:  denied  { search } for  pid=10192
exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.735:0): avc:  denied  { search } for  pid=10192
exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.742:0): avc:  denied  { search } for  pid=10192
exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.754:0): avc:  denied  { read write } for  pid=10194
exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1095634287.762:0): avc:  denied  { read write } for  pid=10194
exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1095634287.771:0): avc:  denied  { read write } for  pid=10194
exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1095634287.779:0): avc:  denied  { read write } for  pid=10194
exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1095634287.787:0): avc:  denied  { search } for  pid=10194
exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.795:0): avc:  denied  { search } for  pid=10194
exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.803:0): avc:  denied  { search } for  pid=10194
exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir


So to get httpd to work, I need to reinvoke the securitylevel gui and
select transition->Disable Selinux protection for httpd daemon

So, if you count not being able to run httpd and no system logs, it is
going ok.
-- 
Brian Millett
Enterprise Consulting Group  "Shifts in paradigms
(314) 205-9030           often cause nose bleeds."
bpmATec-groupDOTcom                     Greg Glenn
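The denials above are the raw material that audit2allow reduces to policy rules. As an added example (not code from the original post, and not audit2allow itself), here is a small parser that re-joins AVC records a mail client has wrapped across lines, groups them by (source type, target type, object class), and emits the corresponding allow statements together with the objects that were denied. The regexes are assumptions about the 2004-era console AVC format shown in the thread; the sample input is a few of the posted lines, constructed here for the example.

```python
"""Reduce SELinux AVC denial lines to the allow rules they imply.

Added example, not code from the original post. The records are the 2004-era
console AVC format shown in the thread (audit(secs.msecs:serial) prefix, no
MLS range in the contexts); the regexes below are assumptions about that
format, not a copy of audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample: four of the posted denials, kept exactly as the mail
# client wrapped them, so join_wrapped() has something to repair.
SAMPLE_AVC = """\
audit(1095634287.733:0): avc:  denied  { read write } for  pid=10192
exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1095634287.733:0): avc:  denied  { read write } for  pid=10192
exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
audit(1095634287.734:0): avc:  denied  { search } for  pid=10192
exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.754:0): avc:  denied  { read write } for  pid=10194
exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566
scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
tclass=chr_file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def join_wrapped(text):
    """Re-join records that a mail client or terminal wrapped onto several lines.
    A record starts at a line beginning with 'audit('; other lines continue it."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit(") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Return a dict of the record's fields, or None if it is not an AVC message."""
    m = AVC_RE.search(record)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    rec.update(FIELD_RE.findall(m.group("rest")))
    return rec


def type_of(context):
    """user:role:type -> type (the part SELinux allow rules are written against)."""
    return context.split(":")[2]


def summarize(text):
    """Map (source type, target type, object class) -> (permissions, objects seen)."""
    perms = defaultdict(set)
    objects = defaultdict(set)
    for record in join_wrapped(text):
        rec = parse_avc(record)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms[key] |= rec["perms"]
        obj = rec.get("path") or rec.get("name")
        if obj:
            objects[key].add(obj)
    return {k: (perms[k], objects[k]) for k in perms}


def allow_rules(text):
    """Emit one 'allow' statement per (source, target, class), audit2allow style,
    preceded by a comment naming the objects that were actually denied."""
    lines = []
    for (src, tgt, cls), (perms, objects) in sorted(summarize(text).items()):
        seen = ", ".join(sorted(objects)) or "(no path/name logged)"
        lines.append(f"# objects: {seen}")
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return lines


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVC)))
```

The "objects" comment is the check worth reading before pasting a generated rule into policy: the targets here are /dev/null and tty2 carrying tmpfs_t, whereas device nodes under /dev normally carry device-specific types (for example null_device_t for /dev/null in the reference policy). A denial against a generic filesystem type on a device node points at a mislabeled /dev rather than a missing rule, so relabeling is the fix to try before widening syslogd_t's access to tmpfs_t.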

More information about the fedora-devel-list mailing list