selinux issues
I am on CentOS 6. I have enabled SELinux and also installed setroubleshoot:
yum install setroubleshoot
which installs all the necessary packages for sealert. I am having some issues with sealert not giving me reports on things SELinux is blocking. For example, when I access webpages, I get a forbidden error, and if I put SELinux in permissive state the webpage works. So the issue is that sealert is not reporting; how can I get it to work? I know it is a useful tool because I have used it before. Sample errors are:
Aug 24 13:22:02 k5fdf kernel: type=1400 audit(1377364922.707:390): avc: denied { search } for pid=3768 comm="httpd" name="k5fdf" dev=xvda2 ino=7077892 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Aug 24 13:22:02 k5fdf kernel: type=1400 audit(1377364922.707:391): avc: denied { getattr } for pid=3768 comm="httpd" path="/home/k5fdf" dev=xvda2 ino=7077892 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Quote:
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
root 10264 0.0 0.0 103244 840 pts/3 S+ 14:01 0:00 grep setroubleshootd
root 29076 0.0 7.1 420684 136892 ? Sl 09:32 0:04 /usr/bin/python -Es /usr/sbin/setroubleshootd -f
Code:
echo 'Aug 24 13:22:02 k5fdf kernel: type=1400 audit(1377364922.707:390): avc: denied { search } for pid=3768 comm="httpd" name="k5fdf" dev=xvda2 ino=7077892 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Code:
#============= httpd_t ==============
Code:
getsebool -a|egrep "http.*(content|homedir)"
that gives:
getsebool -a|egrep "http.*(content|homedir)"
httpd_enable_homedirs --> off
httpd_read_user_content --> off
Added steps: I also removed
Quote:
Quote:
I know how to fix the issue, but I don't know how to get sealert working. If I issue the command,
Quote:
|
If unsure it would be better to first ask because removing and re-installing software is not the "right" approach for Linux applications and often an exercise in futility. Enable httpd_enable_homedirs and httpd_read_user_content (see 'man setsebool') then try accessing resources again.
|
Thank you for your responses... but as I said in my last post, the issue is not just to get my website to work with SELinux enabled, but to get sealert working. I know how to get the website working by issuing the chcon --reference command. I just want to get sealert to report SELinux blocking the site because the labels are not correct, or some warning, which is none now.