Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] selinux nightmare



On 09/28/2014 06:55 PM, Chuck Anderson wrote:
> On Sun, Sep 28, 2014 at 04:25:06PM -0400, Stephen Adler wrote:
>> P.S. this is the kind of stuff I'm confronting....
>>
>> [root at mipdata0 ~]#  sealert -l dd884c85-199f-49c5-b44c-a595ce3cec43
>> SELinux is preventing /usr/bin/python2.7 from read access on the lnk_file .
> First, I recommend reading Dan Walsh's blog.  Every time someone asks
> a question on a mailing list, he writes a blog entry with the answer:
>
> http://danwalsh.livejournal.com/
>
> A couple general points:
>
> - Use a distro that ships with SELinux enabled by default.  Chances
>    are most standard things will work out of the box.
>
> - If you were using Permissive mode or disabled SELinux completely on
>    an install, it is imperative that you do an SELinux relabel after
>    re-enabling SELinux.  In some cases, you may need to enable SELinux
>    in Permissive mode in order to boot far enough to run the relabel.
>    In Fedora/Red Hat, you can trigger a relabel by doing:
>
>    touch /.autorelabel
>
>    and rebooting.
>
> - You will have the fewest problems if you stick to the standard
>    directory locations for various files.  E.g. /var/www for web stuff.
>    That isn't to say you can put things other places, but if you do you
>    may need to adjust policy with e.g. semanage fcontext.  To see all
>    the directory locations and what SELinux labels are applied to them,
>    look here:
>
>    /etc/selinux/targeted/contexts/files
>
> - If you move files rather than copying them from e.g. /home to
>    /var/www, you will need to relabel them, e.g.:
>
>    restorecon -R /var/www/html/foo
>
>    This is because moved files keep their same file context, whereas
>    copied files or newly created files inherit their file context from
>    the parent directory they are created in.
>
> - If you are using non-packaged (self-compiled or third-party
>    downloaded) software or software that isn't distributed as part of
>    the distribution's normal install/update repositories, you may have
>    more problems depending on whether that software is using standard
>    FHS directory locations, etc.  Again, you can adjust policy to
>    handle these cases, but the path of least resistance is to avoid it.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>
Thanks, this is very helpful.

Cheers. Steve.




BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org