P.S. - RE: [redhat-list] updates pending question

m.roth at 5-cent.us m.roth at 5-cent.us
Fri May 10 18:30:17 UTC 2013


Constance Morris wrote:
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> Sent: Friday, May 10, 2013 1:43 PM
> Constance   Morris wrote:
>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>> Constance   Morris wrote:
>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>>> Constance   Morris wrote:
>>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Alfred
<snip>
>> If you thought *Nix sysadmin was complicated, wait till you begin to
>> look at selinux (which, btw, was written by the NSA, for real).
>>
>> It shows the following:
>> user_u:object_r:httpd_sys_content_t:s0
>
> Ok, that *should* work.
>>
>> so no unconfined_t or default_t
>>
>> There is no 'sealert' messages inside the message log.
>>
>> 'setroubleshoot' is not installed. It says there are 23 packages to
>> install if I install it....if that okay?
>> I don't want to cause any additional problems on the system right now.
>
> Install it, last week if not sooner. If you've got selinux enabled, and
> you don't have that, you're asking for a world of hurt, things like random
> denials or failures with no idea why.
>
> Are there entries in /var/log/audit/audit.log? Is auditd running?
>
> Okay - installing it now.......complete.
> Yes, looks like this in /var/log/audit/audit.log  :
>
> type=CRYPTO_SESSION msg=audit(1368206600.135:1549): user pid=12527 uid=0
> auid=618 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=start
> direction=from-server cipher=aes256-ctr ksize=256 rport=53503
> laddr=168.30.232.48 lport=22 id=4294967295 exe="/usr/sbin/sshd"
> (hostname=?, addr=168.30.169.40, terminal=? res=success)'

Ignore that. The only thing you care about are AVCs - selinux denials.
Now that all is running, you'll see them as messages in /var/log/messages,
that will tell you to run sealert, which will try to make the reasons
clearer and offer solutions. Hint: DO NOT always create a local policy;
mostly, it's setting booleans (setsebool and getsebool -a are the commands
you'll need), or fixing the role and type contexts with chcon or semanage
fcontext -a -[tr] whatever, then restorecon. semanage gives examples on
the manpage. And their regular expression is deeply different from the
usual.

Back to your original problem: seriously, you or your counterpart may need
to walk over to the user's offices and sit with them as they log onto
their workstations and get ready to publish, then interrupt, and go
through the configuration (menu, options or whatever), and see if those
are pointing correctly.

        mark
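As an added example that is not part of the original thread, here is a small POSIX shell script in the spirit of mark's advice: it skips records such as the CRYPTO_SESSION line quoted above and picks out only the AVC denials from an audit.log, summarises them by process, source and target type, object class and permission, and prints a hint for which of the remediation routes mark lists (booleans via getsebool/setsebool, or file contexts via semanage fcontext and restorecon) to look at first. The audit records it runs on are constructed for this example (documentation IP ranges, invented PIDs and inodes), not taken from the list, and the function names are mine.

```shell
#!/bin/sh
# Summarise SELinux AVC denials from audit.log (added example, not from the thread).

# Constructed sample records in audit.log format. The first is a
# CRYPTO_SESSION line like the one in the thread and must be ignored;
# the other three are AVC denials (two of them identical).
sample_audit() {
cat <<'EOF'
type=CRYPTO_SESSION msg=audit(1368206600.135:1549): user pid=12527 uid=0 auid=618 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 rport=53503 laddr=192.0.2.10 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.20, terminal=? res=success)'
type=AVC msg=audit(1368206700.001:1550): avc:  denied  { read } for  pid=2231 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1368206700.002:1551): avc:  denied  { name_connect } for  pid=2231 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1368206700.003:1552): avc:  denied  { read } for  pid=2231 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Keep only AVC denial records; everything else (CRYPTO_SESSION, USER_AUTH,
# SYSCALL, ...) is noise for this purpose.
avc_denials() {
  grep '^type=AVC .*denied' || true
}

# Number of denial records on stdin.
count_avc() {
  avc_denials | wc -l | tr -d ' '
}

# One line per distinct denial:
#   <count> <comm> <source type> -> <target type> <tclass> <permission>
# The type is the third colon-separated field of a context
# (user:role:type:level), which is what chcon/semanage act on.
avc_summary() {
  avc_denials | awk '{
    perm = ""
    if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    sc = ""; tc = ""; cls = ""; comm = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/)      sc = substr($i, 10)
      else if ($i ~ /^tcontext=/) tc = substr($i, 10)
      else if ($i ~ /^tclass=/)   cls = substr($i, 8)
      else if ($i ~ /^comm=/)     comm = substr($i, 6)
    }
    gsub(/"/, "", comm)
    split(sc, a, ":"); split(tc, b, ":")
    key = comm " " a[3] " -> " b[3] " " cls " " perm
    c[key]++
  }
  END { for (k in c) printf "%d %s\n", c[k], k }' | sort -rn
}

# Which of the usual fixes to try first, by object class. These are the
# routes mark names (booleans, then contexts) before writing local policy.
avc_hint() {
  case "$1" in
    file|dir|lnk_file)
      echo "label problem: ls -Z <path>; fix with semanage fcontext -a -t <type> '<path>(/.*)?' then restorecon -Rv <path>" ;;
    tcp_socket|udp_socket)
      echo "usually a boolean: getsebool -a | grep <domain>; enable with setsebool -P <boolean> on" ;;
    *)
      echo "run sealert -a /var/log/audit/audit.log and read the suggestion before creating a local policy" ;;
  esac
}

# Usage: ./avc_summary.sh [/var/log/audit/audit.log]
# With no argument the constructed sample is used.
if [ -n "${1:-}" ]; then
  avc_summary < "$1"
else
  sample_audit | avc_summary
fi
```

On a real system run it as root against /var/log/audit/audit.log; the summary collapses repeated denials so a single misbehaving httpd that retries every few seconds shows up as one line with a large count rather than thousands of records. Pass the tclass column of a line to avc_hint to see which route to try first; the hint is deliberately only a pointer, since the right boolean or type still has to be read off sealert or the manpage.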