P.S. - RE: [redhat-list] updates pending question

Constance Morris cmorris at daltonstate.edu
Fri May 10 17:35:00 UTC 2013


-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
Sent: Friday, May 10, 2013 1:15 PM
To: General Red Hat Linux discussion list
Subject: RE: P.S. - RE: [redhat-list] updates pending question

Constance Morris wrote:
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> Constance Morris wrote:
>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Alfred Hovdestad 
>> On 09/05/13 02:15 PM, Constance Morris wrote:
>>
>>> If so, I have finished the 506 updates that redhat showed were needed.
>>> But then noticed today that 116 showing failed had been placed in 
>>> the Events history section on the red hat customer portal website 
>>> for my registered server. Since my problem with clients still not 
>>> being able to SSH via SFTP in Expression Web still exists after 
>>> finishing the updates
>>> - I wanted to get these 116 done to see if that would fix the problem.
>>> But I can't seem to get them to run.
<snip>
>>> Any suggestions - web links, you can think of to pass on to help me?
>
> Sure: type which sftp, then rpm -q --whatprovides <the full path to 
> sftp, like /usr/bin/sftp>
<snip>
>> To see if any updates are still pending.  Next check the package that 
>> the sftp command belongs to:
>>
>> which sftp
>> rpm -qf /usr/bin/sftp
>> rpm -qf /usr/bin/ssh
>>
>> They should belong to the same package.
>>
>> Yum update shows me there are no packages marked for update.
>> Yes, the locations are the same for sftp and ssh, but not sshd.
>> Not sure if that makes a difference with the sshd not being in a 
>> similar path location as the other two.
>
> That should be in /usr/sbin/sshd - that's run as root by the system, 
> not by users.
>
>> But they all 3 are showing to belong to the same package.
<snip>
> Oh, two other things: first, is selinux enabled (enter getenforce)?
> Second, if you answered this, I've forgotten, but if the three users 
> have actual directories where they're supposed to be, what is the 
> ownership and permission of the home directories and those under them? 
> They should be owned by the user, the group whatever all the other 
> normal users are, and permissions should *probably* be rwx------, or rwxr-x---, or rwxr-xr-x.
>

>>Oh, two other things: first, is selinux enabled (enter getenforce)?
>
> Checked and it is enforced
<snip>
AAAARRRRGHGHGHGHGHGHGHH!!!!!!!!!!!!

Ok, a *whole* new problem, which maybe throws everything else out the window.

Look at their home directories again, but this time do ll -Z /var/www/whatever. Betcha they're something like unconfined_t, or default_t, or maybe even not labeled. Check /var/log/messages for sealert messages. And if you *don't* have any, then you need to see if setroubleshoot\* is installed. If not, install them (server and plugins), and make sure auditd is on. Then you'll see complaints. Run what's in messages, which will be of the form "setroubleshoot: SELinux is preventing /usr/bin/updatedb from read access on the directory /public/apps/.gem. For complete SELinux messages. run sealert -l 20085a91-0ea5-4794-a7c8-b6e975c27ed4". Run the sealert, and *maybe* the message will be helpful. It's sometimes only barely, to me, and I've been fighting to shut selinux up in the logs for years now.

If you thought *Nix sysadmin was complicated, wait till you begin to look at selinux (which, btw, was written by the NSA, for real).

      mark
-----------

Mark,

It shows the following:
user_u:object_r:httpd_sys_content_t:s0

so no unconfined_t or default_t

There are no 'sealert' messages inside the message log.

'setroubleshoot' is not installed. It says there are 23 packages to install if I install it.... Is that okay?
I don't want to cause any additional problems on the system right now.

Constance
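
The two checks Mark describes above (looking at the SELinux labels from a -Z listing, and pulling the sealert IDs out of /var/log/messages) can be scripted. This is an added example, not part of the original thread; the helper names, the sample lines and the older RHEL `ls -Z` column layout are assumptions.

```shell
#!/bin/sh
# Added example: helper names and all sample lines are constructed.

# Constructed `ls -Z` output (older RHEL column layout assumed).
sample_ls() {
cat <<'EOF'
drwxr-xr-x  alice users user_u:object_r:httpd_sys_content_t:s0 site1
drwxr-xr-x  bob   users system_u:object_r:default_t:s0 site2
drwxr-xr-x  carol users ? site3
EOF
}

# Constructed /var/log/messages excerpt; the first message text is the one
# quoted in the thread, the timestamps, host and second ID are placeholders.
sample_messages() {
cat <<'EOF'
May 10 12:00:01 host1 setroubleshoot: SELinux is preventing /usr/bin/updatedb from read access on the directory /public/apps/.gem. For complete SELinux messages. run sealert -l 20085a91-0ea5-4794-a7c8-b6e975c27ed4
May 10 12:00:09 host1 sshd[4242]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
May 10 12:04:30 host1 setroubleshoot: SELinux is preventing /usr/bin/updatedb from read access on the directory /public/apps/.gem. For complete SELinux messages. run sealert -l 20085a91-0ea5-4794-a7c8-b6e975c27ed4
May 10 12:05:00 host1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the directory /var/www/site2. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
EOF
}

# Read `ls -Z` lines on stdin; print "name<TAB>type" for entries whose type is
# one of those named in the thread, or "no-label" when no context is shown.
suspect_paths() {
    awk 'NF == 0 { next }
    {
        ctx = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
        split(ctx, p, ":")
        if (ctx == "" || p[3] ~ /^(unconfined_t|default_t|unlabeled_t)$/)
            print $NF "\t" (ctx == "" ? "no-label" : p[3])
    }'
}

# Read syslog lines on stdin; print each distinct sealert ID once.
sealert_ids() {
    sed -n '/setroubleshoot:/s/.*sealert -l \([0-9a-f-]\{36\}\).*/\1/p' | sort -u
}

# Demo on the constructed data. On a real host:
#   ls -Z /var/www | suspect_paths ; sealert_ids < /var/log/messages
echo "Suspect labels:";        sample_ls | suspect_paths
echo "sealert IDs to review:"; sample_messages | sealert_ids
```

Each ID printed is the argument to `sealert -l`. An empty ID list with SELinux enforcing matches the situation in this thread, where setroubleshoot is not installed.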




