P.S. - RE: [redhat-list] updates pending question

m.roth at 5-cent.us m.roth at 5-cent.us
Fri May 10 18:45:28 UTC 2013


Constance Morris wrote:
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> Constance Morris wrote:
>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>> Constance Morris wrote:
>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>>> Constance Morris wrote:
>>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Alfred
>>>> Hovdestad On 09/05/13 02:15 PM, Constance Morris wrote:
>>>>
> <snip>
>>>> Oh, two other things: first, is selinux enabled (enter getenforce)?
>>>
>>> Checked and it is enforced
>> <snip>
>> AAAARRRRGHGHGHGHGHGHGHH!!!!!!!!!!!!
>>
>> Ok, a *whole* new problem, which maybe throws everything else out the
>> window.
>>
>> Look at their home directories again, but this time do ll -Z
>> /var/www/whatever. Betcha they're something like unconfined_t, or
>> default_t, or maybe even not labeled. Check /var/log/messages for
>> sealert messages. And if you *don't* have any, then you need to see if
>> setroubleshoot* is installed. If not, install them (server and
>> plugins), and make sure auditd is on. Then you'll see complaints. Run
>> what's in messages, which will be of the form "setroubleshoot: SELinux
>> is preventing /usr/bin/updatedb from read access on the directory
>> /public/apps/.gem. For complete SELinux messages. run sealert -l
>> 20085a91-0ea5-4794-a7c8-b6e975c27ed4". Run the sealert, and *maybe*
>> the message will be helpful. It's sometimes only barely, to me, and
>> I've been fighting to shut selinux up in the logs for years now.
>>
>> If you thought *Nix sysadmin was complicated, wait till you begin to
>> look at selinux (which, btw, was written by the NSA, for real).
>>
>> It shows the following:
>> user_u:object_r:httpd_sys_content_t:s0
>
> Ok, that *should* work.
>>
>> so no unconfined_t or default_t
>>
>> There is no 'sealert' messages inside the message log.
>>
>> 'setroubleshoot' is not installed. It says there are 23 packages to
>> install if I install it.... is that okay?
>> I don't want to cause any additional problems on the system right now.
>
> Install it, last week if not sooner. If you've got selinux enabled, and
> you don't have that, you're asking for a world of hurt, things like random
> denials or failures with no idea why.
>
> Are there entries in /var/log/audit/audit.log? Is auditd running?

> P.S. I went back over what you said and ran the:  run sealert -l
> 20085a91-0ea5-4794-a7c8-b6e975c27ed4
> And got " failed to connect to server: No such file or directory"
> If I run just 'sealert' - I get: could not attach to desktop process

Ok... several questions: first, you didn't copy *mine*, did you? You got
one out of your /var/log/messages? Second, you ran it from a command line,
on the machine, correct? <looks at the manpage> Ok, I guess you can run it
from the GUI, but if you're not on the console, you have to have X
forwarding enabled in sshd, and then log in from a system running X with
ssh -X or ssh -Y.

I do most of what I do, as do most sysadmins I know, from the command line.

        mark
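The procedure quoted in the thread (look at the labels with ll -Z, look for denials in the logs, install setroubleshoot and run sealert) leans on setroubleshoot, which on Constance's box is not installed and whose sealert cannot reach its server. As an added example that is not part of the thread or of any Red Hat tool, the POSIX shell script below does both checks directly from raw data: it summarizes AVC denial records from audit.log (the same facts sealert would be explaining) and flags ls -Z entries whose SELinux type is default_t, unconfined_t or unlabeled_t. The audit records and the directory listing embedded in it are constructed samples, not real log output; the ausearch and ls invocations in the closing comment are how you would feed it real data on a host.

```shell
#!/bin/sh
# Added example (not from the thread): read SELinux denials straight from
# audit.log records and flag suspicious file labels, for hosts where
# setroubleshoot/sealert is unavailable or cannot reach its server.
# All sample data below is constructed for the demo, not real log output.

# Constructed audit.log excerpt; field layout mirrors real AVC / SYSCALL records.
SAMPLE_AUDIT='type=AVC msg=audit(1368204328.123:456): avc:  denied  { read } for  pid=1234 comm="updatedb" name=".gem" dev=dm-0 ino=5678 scontext=system_u:system_r:locate_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1368204328.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="updatedb" exe="/usr/bin/updatedb"
type=AVC msg=audit(1368204330.456:457): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=91 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1368204331.789:458): avc:  denied  { read } for  pid=1234 comm="updatedb" name=".gem" dev=dm-0 ino=5678 scontext=system_u:system_r:locate_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir'

# Constructed "ls -Z" style listing: mode owner group user:role:type:level name.
SAMPLE_LISTING='drwxr-xr-x apache apache unconfined_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x apache apache unconfined_u:object_r:default_t:s0 cgi-bin
-rw-r--r-- apache apache system_u:object_r:unlabeled_t:s0 stray.conf'

# avc_summary: audit records on stdin -> one line per distinct denial,
# most frequent first:
#   "<count> comm=<process> perm=<permission> scontext=<source> tcontext=<target> tclass=<class>"
avc_summary() {
    grep '^type=AVC ' | grep ' denied ' \
    | sed -E 's/.*avc:  denied  [{] ([^}]*) [}] for .*comm="([^"]*)".*scontext=([^ ]*) tcontext=([^ ]*) tclass=([^ ]*).*/comm=\2 perm=\1 scontext=\3 tcontext=\4 tclass=\5/' \
    | sort | uniq -c | sort -rn | sed -E 's/^ *//'
}

# suspect_labels: "ls -Z" lines on stdin -> "<type> <name>" for every entry
# whose SELinux type is one a confined daemon such as httpd normally cannot
# read (default_t, unconfined_t, unlabeled_t). The context field is found by
# its ":object_r:" role rather than by position, since ls -Z layout varies.
suspect_labels() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:object_r:/) {
                split($i, ctx, ":")
                if (ctx[3] == "default_t" || ctx[3] == "unconfined_t" || ctx[3] == "unlabeled_t")
                    print ctx[3], $NF
            }
        }
    }'
}

# Stand-alone demo on the constructed data. On a real host feed it live data:
#   ausearch -m avc -ts today | avc_summary
#   ls -Z /var/www | suspect_labels
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_LISTING" | suspect_labels
```

On the constructed input the summary collapses the two identical updatedb denials into one line with a count of 2, which is the grouping sealert does before printing its advice, and the label check reports cgi-bin (default_t) and stray.conf (unlabeled_t) while leaving the httpd_sys_content_t directory alone. If auditd is not running there will be nothing in audit.log to summarize, which is why the thread asks about it before anything else.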
