[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: P.S. - RE: [redhat-list] updates pending question



-----Original Message-----
From: redhat-list-bounces redhat com [mailto:redhat-list-bounces redhat com] On Behalf Of m roth 5-cent us
Sent: Friday, May 10, 2013 1:15 PM
To: General Red Hat Linux discussion list
Subject: RE: P.S. - RE: [redhat-list] updates pending question

Constance   Morris wrote:
> [mailto:redhat-list-bounces redhat com] On Behalf Of m roth 5-cent us
> Constance   Morris wrote:
>> [mailto:redhat-list-bounces redhat com] On Behalf Of Alfred Hovdestad 
>> On 09/05/13 02:15 PM, Constance Morris wrote:
>>
>>> If so, I have finished the 506 updates that redhat showed were needed.
>>> But then noticed today that 116 showing failed had been placed in 
>>> the Events history section on the red hat customer portal website 
>>> for my registered server. Since my problem with clients still not 
>>> being able to SSH via SFTP in Expression Web still exists after 
>>> finishing the updates
>>> - I wanted to get these 116 done to see if that would fix the problem.
>>> But I can't seem to get them to run.
<snip>
>>> Any suggestions - web links, you can think of to pass on to help me?
>
> Sure: type which sftp, then rpm -q --whatprovides <the full path to 
> sftp, like /usr/bin/sftp>
<snip>
>> To see if any updates are still pending.  Next check the package that 
>> the sftp command belongs to:
>>
>> which sftp
>> rpm -qf /usr/bin/sftp
>> rpm -qf /usr/bin/ssh
>>
>> They should belong to the same package.
>>
>> Yum update shows me there are no packages marked for update.
>> Yes, the locations are the same for sftp and ssh, but not sshd.
>> Not sure if that makes a difference with the sshd not being in a 
>> similar path location as the other two.
>
> That should be in /usr/sbin/sshd - that's run as root by the system, 
> not by users.
>
>> But they all 3 are showing to belong to the same package.
<snip>
> Oh, two other things: first, is selinux enabled (enter getenforce)?
> Second, if you answered this, I've forgotten, but if the three users 
> have actual directories where they're supposed to be, what is the 
> ownership and permission of the home directories and those under them? 
> They should be owned by the user, the group whatever all the other 
> normal users are, and permissions should *probably* be rwx------, or rwxr-x---, or rwxr-xr-x.
>

>>Oh, two other things: first, is selinux enabled (enter getenforce)?
>
> Checked and it is enforced
<snip>
AAAARRRRGHGHGHGHGHGHGHH!!!!!!!!!!!!

Ok, a *whole* new problem, which maybe throws everything else out the window.

Look at their home directories again, but this time do ll -Z /var/www/whatever. Betcha they're something like unconfined_t, or default_t, or maybe even not labeled. Check /var/log/messages for sealert messages. And if you *don't* have any, then you need to see if
setroubleshoot\* is installed. If not, install them (server and plugins), and make sure auditd is on. Then you'll see complaints. Run what's in messages, which will be of the form "setroubleshoot: SELinux is preventing /usr/bin/updatedb from read access on the directory /public/apps/.gem. For complete SELinux messages. run sealert -l 20085a91-0ea5-4794-a7c8-b6e975c27ed4". Run the sealert, and *maybe* the message will be helpful. It's sometimes only barely, to me, and I've been fighting to shut selinux up in the logs for years now.

If you thought *Nix sysadmin was complicated, wait till you begin to look at selinux (which, btw, was written by the NSA, for real).

      mark
-----------

Mark,

It shows the following:  
user_u:object_r:httpd_sys_content_t:s0

so no unconfined_t or default_t

There is no 'sealert' messages inside the message log.

'setroubleshoot' is not installed. It says there are 23 packages to install if I install it....if that okay?
I don't want to cause any additional problems on the system right now.

Constance




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]