[Spacewalk-list] SELinux with spacewalk

Andy Ingham andy.ingham at duke.edu
Thu Jan 23 19:12:58 UTC 2014 

One lingering issue is that the Monitoring functionality is not entirely
happy with SELinux.  I suspect it has something to do with the contexts
that the processes are running in.

>From my server:

$ ps -aefZ | grep nocpul

unconfined_u:system_r:initrc_t:s0 root   19497     1  0 14:03 pts/0
00:00:00 /usr/bin/perl /usr/bin/gogo.pl --fname=NotifEscalator
--user=nocpulse --hbfile=/var/log/nocpulse/notif-escalator.log
--hbfreq=300 --hbcheck=600 -- /usr/bin/notif-escalator
unconfined_u:system_r:initrc_t:s0 nocpulse 19498 19497  0 14:03 pts/0
00:00:00 /usr/bin/perl /usr/bin/gogo.pl --fname=NotifEscalator
--user=nocpulse --hbfile=/var/log/nocpulse/notif-escalator.log
--hbfreq=300 --hbcheck=600 -- /usr/bin/notif-escalator
unconfined_u:system_r:initrc_t:s0 nocpulse 19499 19498  0 14:03 pts/0
00:00:00 /usr/bin/perl /usr/bin/notif-escalator


>From the documentation at
https://fedorahosted.org/spacewalk/wiki/Features/SELinux (under
"Monitoring" heading):

root:system_r:spacewalk_monitoring_t root 1861  0.0  0.1  14596  1500
pts/2    S    12:06   0:00 /usr/bin/perl /usr/bin/gogo.pl
--fname=GenerateNotifConfig --us
root:system_r:spacewalk_monitoring_t nocpulse 1862 0.0  0.2 14596 2460
pts/2   S    12:06   0:00 /usr/bin/perl /usr/bin/gogo.pl
--fname=GenerateNotifConfig --us
root:system_r:spacewalk_monitoring_t nocpulse 1863 0.0  2.1 107412 20240
pts/2 S    12:06   0:00 /usr/bin/perl /usr/bin/generate-config




I'm guessing that my various monitoring processes should be running with
"root:system_r:spacewalk_monitoring_t" instead of
"unconfined_u:system_r:initrc_t:s0".  How do I resolve that?

(I already have the "spacewalk-monitoring-selinux" RPM installed!)


Thanks in advance!

Andy


On 1/23/14 1:00 PM, "Andy Ingham" <andy.ingham at duke.edu> wrote:

I've revisited my non-standard /var/satellite setup and have learned a lot
more about SELinux to boot.

I have a few remaining errors to double-check, but believe I'm at the
point where SELinux will work properly with my spacewalk.

Thanks, everyone!

Andy

On 1/16/14 4:29 AM, "Michael Mraka" <michael.mraka at redhat.com> wrote:

Andy Ingham wrote:
% Thanks, Michael and Jan, for your responses.
% 
% I currently have SELinux in 'permissive' mode and have been reviewing the
% 'sealert -a audit.log' output periodically.
% 
% Thanks to your confirmation, I'm fairly certain now that the issues I'm
% seeing are related to a non-standard setup I've got with the
% /var/satellite filesystem.

If your data subtree is /somewhere/else instead of standard /var/satellite
use

        semanage fcontext -a -e /var/satellite /somewhere/else

to fix it (see man semanage).


% May be one more reason for me to revisit my current (non-standard) setup.
% 
% Andy


Regards,

--
Michael Mráka
Satellite Engineering, Red Hat

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

More information about the Spacewalk-list mailing list