please try SELinux again

Bob Gustafson bobgus at rcn.com
Mon Sep 20 05:25:54 UTC 2004


I too was discouraged at the trailing edge development of SELinux and had
it disabled for a few months.

However, after getting my system up2date as they say, and doing a 'fixfiles
relabel' in single user mode, and running selinuxtype=targeted, it seems to
be running fairly well. I am running httpd with no problems.

Doing 'tail -2000 /var/log/messages | grep audit' shows no lines.

BobG

On Sun, 19 Sep 2004 18:32:25 -0500 (CDT), Brian Millett wrote:
>Ok, I used the system-config-securitylevel to turn on the SELinux
>security.  But I noticed a BAD side effect.  I am using a custom iptables.
>Using the securitylevel tool turned off the iptables by deleting the
>/etc/sysconfig/iptables file. Good thing for backups :-).
>
>So how do I use the securitylevel tool without touching iptables?
>
>Can't.
>
>Too bad because after turning on SELinux, httpd will not start.  I get the
>following error:
>
>Starting httpd: Syntax error on line 68 of /etc/httpd/conf.d/ssl.conf:
>SSLRandomSeed: source path '/dev/urandom' does not exist
>                                                           [FAILED]
>Ok, so what does /var/log/messages say.... Nothing because for some
>reason, nothing is being logged.
>
>If I go to tty1 and try it, I get a bunch of the following trace messages:
>
>audit(1095634287.733:0): avc:  denied  { read write } for  pid=10192
>exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566
>scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
>tclass=chr_file
>audit(1095634287.733:0): avc:  denied  { read write } for  pid=10192
>exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
>scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
>tclass=chr_file
>audit(1095634287.733:0): avc:  denied  { read write } for  pid=10192
>exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
>scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
>tclass=chr_file
>audit(1095634287.734:0): avc:  denied  { read write } for  pid=10192
>exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
>scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
>tclass=chr_file
>audit(1095634287.734:0): avc:  denied  { search } for  pid=10192
>exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
>tcontext=user_u:object_r:tmpfs_t tclass=dir
>audit(1095634287.735:0): avc:  denied  { search } for  pid=10192
>exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
>tcontext=user_u:object_r:tmpfs_t tclass=dir
>audit(1095634287.742:0): avc:  denied  { search } for  pid=10192
>exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
>tcontext=user_u:object_r:tmpfs_t tclass=dir
>audit(1095634287.754:0): avc:  denied  { read write } for  pid=10194
>exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566
>scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
>tclass=chr_file
>audit(1095634287.762:0): avc:  denied  { read write } for  pid=10194
>exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
>scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
>tclass=chr_file
>audit(1095634287.771:0): avc:  denied  { read write } for  pid=10194
>exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
>scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
>tclass=chr_file
>audit(1095634287.779:0): avc:  denied  { read write } for  pid=10194
>exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974
>scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t
>tclass=chr_file
>audit(1095634287.787:0): avc:  denied  { search } for  pid=10194
>exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
>tcontext=user_u:object_r:tmpfs_t tclass=dir
>audit(1095634287.795:0): avc:  denied  { search } for  pid=10194
>exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
>tcontext=user_u:object_r:tmpfs_t tclass=dir
>audit(1095634287.803:0): avc:  denied  { search } for  pid=10194
>exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t
>tcontext=user_u:object_r:tmpfs_t tclass=dir
>
>
>So to get httpd to work, I need to reinvoke the securitylevel gui and
>select transition->Disable Selinux protection for httpd daemon
>
>So, if you count not being able to run httpd and no system logs, it is
>going ok.
>--
>Brian Millett
>Enterprise Consulting Group  "Shifts in paradigms
>(314) 205-9030           often cause nose bleeds."
>bpmATec-groupDOTcom                     Greg Glenn
>
>
>
>
>--
>fedora-devel-list mailing list
>fedora-devel-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-devel-list
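As an added example (not part of either post above), here is a small Python script that parses AVC denial lines in the format Brian quoted and groups them by source type, target type, object class and permission set. That grouping is the usual first triage step for a burst of denials like the one above: it collapses dozens of repeated lines into a handful of distinct (who, what, how) tuples, so one can see whether the problem is a single mislabelled object (a relabel fixes it) or a genuine gap in the policy. The sample log below is constructed from the lines in the thread, re-joined where the e-mail wrapped them, plus one unrelated line to show that non-AVC input is skipped; the line format assumed is the kernel-style one shown on the page (`audit(...): avc: denied { perms } for key=value ...`).

```python
import re
from collections import Counter

# Constructed sample: AVC lines from the thread, re-joined onto single lines,
# plus one non-AVC line that the parser must ignore.
SAMPLE_LOG = """\
audit(1095634287.733:0): avc:  denied  { read write } for  pid=10192 exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.733:0): avc:  denied  { read write } for  pid=10192 exe=/sbin/minilogd path=/dev/null dev=tmpfs ino=974 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
audit(1095634287.734:0): avc:  denied  { search } for  pid=10192 exe=/sbin/minilogd dev=tmpfs ino=972 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1095634287.754:0): avc:  denied  { read write } for  pid=10194 exe=/sbin/minilogd name=tty2 dev=tmpfs ino=1566 scontext=root:system_r:syslogd_t tcontext=user_u:object_r:tmpfs_t tclass=chr_file
Sep 19 18:31:27 host kernel: unrelated line that is not an AVC message
"""

# "avc:  denied  { read write } for  pid=... exe=... scontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values contain no whitespace in this format.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),  # e.g. ("read", "write")
    }
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def summarize(text):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (
            context_type(rec["scontext"]),
            context_type(rec["tcontext"]),
            rec["tclass"],
            rec["perms"],
        )
        counts[key] += 1
    return counts


def report(text):
    """Render the summary as one line per distinct denial, most frequent first."""
    lines = []
    for (stype, ttype, tclass, perms), n in summarize(text).most_common():
        lines.append(f"{n:4d}x  {stype} -> {ttype} ({tclass}): {' '.join(perms)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a real `/var/log/messages` with `summarize(open(path).read())`; the output for the sample collapses four denials into two tuples (`syslogd_t -> tmpfs_t (chr_file): read write` and `syslogd_t -> tmpfs_t (dir): search`), which is exactly the question a relabel or a policy change has to answer. The target type being the filesystem's generic `tmpfs_t` rather than a device-specific type is the kind of detail this grouping surfaces; it is what a `fixfiles relabel`, as in Bob's reply, is meant to sort out before anyone reaches for a policy exception.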