LinuxQuestions.org
Old 08-24-2013, 08:11 PM   #1
cbtshare
selinux issues


I am on CentOS 6. I have enabled SELinux and also installed setroubleshoot

yum install setroubleshoot, which installs all the necessary packages for sealert.

I am having some issues with sealert not giving me reports on things SELinux is blocking. For example, when I access webpages, I get a forbidden error, and if I put SELinux in permissive state the webpage works.

So the issue is that sealert is not reporting; how can I get it to work? I know it is a useful tool because I have used it before. Sample errors are:


Aug 24 13:22:02 k5fdf kernel: type=1400 audit(1377364922.707:390): avc: denied { search } for pid=3768 comm="httpd" name="k5fdf" dev=xvda2 ino=7077892 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Aug 24 13:22:02 k5fdf kernel: type=1400 audit(1377364922.707:391): avc: denied { getattr } for pid=3768 comm="httpd" path="/home/k5fdf" dev=xvda2 ino=7077892 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir



Quote:
ps -aux | grep setroubleshootd
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
root 10264 0.0 0.0 103244 840 pts/3 S+ 14:01 0:00 grep setroubleshootd
root 29076 0.0 7.1 420684 136892 ? Sl 09:32 0:04 /usr/bin/python -Es /usr/sbin/setroubleshootd -f

Old 08-24-2013, 09:44 PM   #2
unSpawn
Code:
echo 'Aug 24 13:22:02 k5fdf kernel: type=1400 audit(1377364922.707:390): avc:  denied  { search } for  pid=3768 comm="httpd" name="k5fdf" dev=xvda2 ino=7077892 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Aug 24 13:22:02 k5fdf kernel: type=1400 audit(1377364922.707:391): avc:  denied  { getattr } for  pid=3768 comm="httpd" path="/home/k5fdf" dev=xvda2 ino=7077892 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'|audit2allow
gives
Code:
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_read_user_content, httpd_enable_homedirs

allow httpd_t user_home_dir_t:dir { search getattr };
so what does
Code:
getsebool -a|egrep "http.*(content|homedir)"
say?
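
An added example (not written by any poster in this thread, and not audit2allow's own code): a small Python parser for the AVC denial lines quoted above that merges them into allow rules the way the audit2allow output in post #2 is grouped, and tags each record by the log format it arrived in. The third sample line, the function names and the 'kernel-syslog'/'auditd' labels are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample: the two /var/log/messages lines quoted in the thread,
# plus one made-up line in auditd's audit.log format for comparison.
SAMPLE = '''\
Aug 24 13:22:02 k5fdf kernel: type=1400 audit(1377364922.707:390): avc:  denied  { search } for  pid=3768 comm="httpd" name="k5fdf" dev=xvda2 ino=7077892 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Aug 24 13:22:02 k5fdf kernel: type=1400 audit(1377364922.707:391): avc:  denied  { getattr } for  pid=3768 comm="httpd" path="/home/k5fdf" dev=xvda2 ino=7077892 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1377365000.100:412): avc:  denied  { read } for  pid=3768 comm="httpd" name="index.html" dev=xvda2 ino=7077900 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
'''

AVC = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
                 r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)')

def record_source(line):
    """Tell a kernel printk record in syslog from one written by auditd."""
    # When auditd is not running, the kernel sends audit records to syslog,
    # where they show up as "kernel: type=1400 audit(...)".
    if 'kernel:' in line and 'type=1400' in line:
        return 'kernel-syslog'
    if line.lstrip().startswith('type=AVC'):
        return 'auditd'
    return 'unknown'

def parse_denials(text):
    """Return one dict per AVC denial: source/target type, class, perms."""
    denials = []
    for line in text.splitlines():
        m = AVC.search(line)
        if not m:
            continue  # not a denial, or a truncated record
        denials.append({
            'source': record_source(line),
            'stype': m.group('s').split(':')[2],   # user:role:TYPE:level
            'ttype': m.group('t').split(':')[2],
            'tclass': m.group('c'),
            'perms': m.group('perms').split(),
        })
    return denials

def allow_rules(denials):
    """Merge denials with the same (source type, target type, class)."""
    grouped = OrderedDict()
    for d in denials:
        perms = grouped.setdefault((d['stype'], d['ttype'], d['tclass']), [])
        perms.extend(p for p in d['perms'] if p not in perms)
    return ['allow %s %s:%s %s;' % (s, t, c,
            perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms))
            for (s, t, c), perms in grouped.items()]
```
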
 
Old 08-25-2013, 12:30 PM   #3
cbtshare
That gives:

getsebool -a|egrep "http.*(content|homedir)"
httpd_enable_homedirs --> off
httpd_read_user_content --> off

Added steps:

I also removed
Quote:
yum remove setroubleshoot*
and reinstalled after I relabeled the system. Still get SELinux errors but nothing being reported in /var/log/audit/audit.log, but I get the errors in /var/log/messages

Quote:
Aug 24 13:22:02 k5fdf kernel: type=1400 audit(1377364922.707:390): avc: denied { search } for pid=3768 comm="httpd" name="k5fdf" dev=xvda2 ino=7077892 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_
All in all

I know how to fix the issue, but I don't know how to get sealert working.
If I issue the command,
Quote:
chcon -R --reference=/var/www/html /home/folder2
the website works, but I get no notification in sealert.

Old 08-25-2013, 01:25 PM   #4
unSpawn
If unsure it would be better to first ask because removing and re-installing software is not the "right" approach for Linux applications and often an exercise in futility. Enable httpd_enable_homedirs and httpd_read_user_content (see 'man setsebool') then try accessing resources again.
 
Old 08-25-2013, 06:16 PM   #5
cbtshare
Thank you for your responses... but as I said in my last post, the issue is not just to get my website to work with SELinux enabled, but to get sealert working. I know how to get the website working by issuing the chcon --reference command. I just want to get sealert to report SELinux blocking the site because the labels are not correct, or some warning, which is none now.