P.S. - RE: [redhat-list] updates pending question

m.roth at 5-cent.us m.roth at 5-cent.us
Fri May 10 19:19:52 UTC 2013


Constance   Morris wrote:
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us

> Constance   Morris wrote:
>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>> Constance   Morris wrote:
>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>>> Constance   Morris wrote:
>>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>>>> Constance   Morris wrote:
>>>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Alfred
>>>>> Hovdestad On 09/05/13 02:15 PM, Constance Morris wrote:
>>>>>
>> <snip>
>>>>> Oh, two other things: first, is selinux enabled (enter getenforce)?
>>>>
>>>> Checked and it is enforced
>>> <snip>
>>> AAAARRRRGHGHGHGHGHGHGHH!!!!!!!!!!!!
>>>
>>> Ok, a *whole* new problem, which maybe throws everything else out the
>>> window.
>>>
>>> Look at their home directories again, but this time do ll -Z
>>> /var/www/whatever. Betcha they're something like unconfined_t, or
>>> default_t, or maybe even not labeled. Check /var/log/messages for
>>> sealert messages. And if you *don't* have any, then you need to see if
>>> setroubleshoot* is installed. If not, install them (server and
>>> plugins), and make sure auditd is on. Then you'll see complaints. Run
>>> what's in messages, which will be of the form "setroubleshoot:
>>> SELinux is preventing /usr/bin/updatedb from read access on the
>>> directory /public/apps/.gem. For complete SELinux messages. run
>>> sealert -l 20085a91-0ea5-4794-a7c8-b6e975c27ed4". Run the sealert,
>>> and *maybe* the message will be helpful. It's sometimes only barely,
>>> to me, and I've been fighting to shut selinux up in the logs for years
>>> now.
>>>
>>> If you thought *Nix sysadmin was complicated, wait till you begin to
>>> look at selinux (which, btw, was written by the NSA, for real).
>>>
>>> It shows the following:
>>> user_u:object_r:httpd_sys_content_t:s0
>>
>> Ok, that *should* work.
>>>
>>> so no unconfined_t or default_t
>>>
>>> There are no 'sealert' messages inside the message log.
>>>
>>> 'setroubleshoot' is not installed. It says there are 23 packages to
>>> install if I install it....is that okay?
>>> I don't want to cause any additional problems on the system right now.
>>
>> Install it, last week if not sooner. If you've got selinux enabled,
>> and you don't have that, you're asking for a world of hurt, things
>> like random denials or failures with no idea why.
>>
>> Are there entries in /var/log/audit/audit.log? Is auditd running?
>
>> P.S. I went back over what you said and ran the:  run sealert -l
>> 20085a91-0ea5-4794-a7c8-b6e975c27ed4
>> And got " failed to connect to server: No such file or directory"
>> If I run just 'sealert' - I get: could not attach to desktop process
>
> Ok... several questions: first, you didn't copy *mine*, did you? You got
> one out of your /var/log/messages? Second, you ran it from a command line,
> on the machine, correct? <looks at the manpage> Ok, I guess you can run it
> from the GUI, but if you're not on the console, you have to have X
> forwarding enabled in sshd, and then log in from a system running X with
> ssh -X or ssh -Y.
>
> I do most of what I do, as do most sysadmins I know, from the command
> line.
>
> Mark,
> You want a good laugh.....I did copy yours. Oops.
> I do not see any sealert info in the messages log. Do I need to run or
> rather start sealert?

Nope. If auditd is running, that's all you need. If you see no sealerts in
/var/log/messages, or AVCs in /var/log/audit/audit.log, be happy. The
messages are for specific AVCs on *your* system, they're not generic.

> There is no GUI for this server - it's all command line.
> X11Forwarding is showing 'yes' in the sshd_config file.
> What is ssh -X or ssh -Y......would a system running X be like putty?
>
I don't think so. I think you need something like Citrix, or the mks
toolkit, or something like that, if you're on WinDoze.

     mark
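Mark's advice above amounts to: check the labels with ls -Z, then read the AVC denials in /var/log/audit/audit.log rather than waiting for sealert. As an added example (not part of this thread, and not Red Hat's or setroubleshoot's code), the POSIX shell script below does the second step on a command-line-only box: it folds the raw AVC records into a per-command, per-permission, per-target-type tally so a mislabelled web root (user_home_t or default_t where httpd_sys_content_t belongs) stands out. The audit lines it ships with are constructed for the demonstration, not records from any real system; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: summarize SELinux AVC
# denials straight from the audit log, for a command-line-only server where
# setroubleshoot/sealert is not (yet) installed. Needs only sh, awk and sort.

# Write constructed sample audit.log records (not real records from any
# system) to the file named in $1, so the script can be tried offline.
make_sample_audit_log() {
  cat > "$1" <<'EOF'
type=AVC msg=audit(1368209992.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.php" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1368209992.123:45): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1368209993.456:46): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.php" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1368209994.789:47): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/www/whatever/index.php" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1368209999.012:48): avc:  denied  { read } for  pid=999 comm="updatedb" name=".gem" dev=dm-0 ino=5678 scontext=system_u:system_r:locate_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir
EOF
}

# summarize_avc FILE
# Prints "COUNT COMM PERMISSION TARGET_TYPE CLASS", one line per distinct
# denial, sorted. Only type=AVC records are counted; the SYSCALL records
# that accompany them are skipped.
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      comm = ""; perm = ""; ttype = ""; tclass = ""
      # the denied permission sits inside the braces, e.g. "{ read }"
      if (match($0, /[{] [^}]* [}]/))
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
        if (kv[1] == "tclass")   tclass = kv[2]
        # tcontext is user:role:type:level; the type is what matters here
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
      }
      count[comm " " perm " " ttype " " tclass]++
    }
    END { for (k in count) print count[k], k }
  ' "$1" | sort
}

# On a real box (as root): summarize_avc /var/log/audit/audit.log
```

On the constructed input this prints three lines: two httpd reads and one httpd getattr denied on user_home_t files, and one updatedb read denied on a default_t directory. The first two are exactly the "web content labelled like a home directory" case the thread is chasing; the audit log says so without sealert, which is the point of checking audit.log first when auditd is running.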
