SELinux semanage is missing context of unconfined_u
I'm trying to troubleshoot some third-party software that is having issues with SELinux on RHEL5.
On the RHEL6 server it is working, and on the other server, RHEL5, it is not. I'm guessing it is because the context is off.
RHEL6 Code:
    rwsr-x---. root varonis unconfined_u:object_r:usr_t:s0 vrns_watchdog
RHEL5 Code:
    rwsr-x---. root varonis user_u:object_r:usr_t:s0 vrns_watchdog
Code:
    [root@server varonis]# semanage user -l
Is there a way to add unconfined_u? thanks |
Have you run "audit2allow" on the error log?
And have you contacted RH support? |
I try to troubleshoot the best I can before contacting RH. I'm just wondering if anyone else has seen this? |
Not that particular one. I have seen similar differences between releases though.
But after every upgrade you really need to check/relabel the system (touch ./autorelabel and a reboot would do). It is also possible to do it after the fact using "restorecon -R <pathname>", which will recursively check/set everything in <pathname>. The only issue here is that running processes may get cut off. For some busy systems, that can end up in a reboot anyway. The best explanation I have seen was that the labels in the filesystem are binary numbers, and between releases the security definitions may change due to new ones being added/unused ones being removed. This in turn changes the numbers assigned... and thus a pass over the filesystems is needed to update the definitions. |
I wasn't aware that when doing this you need to run touch ./autorelabel in order to fix issues. I will make a note of this.
thanks |
If the new location is deemed to be a valid context, then the database needs to be updated, and that will preserve the desired context the next time the labels get updated. The usual case for that would be web content being put in /var/www. These SHOULD be httpd_sys_script_exec_t, httpd_sys_content_t, or webalizer_rw_content_t. But user files moved in there should be made httpd_sys_content_t so that they cannot be altered by actions of the web server (or the user again). It happens, but then the files are no longer protected... If apache is to write to them, the label needs to be httpd_sys_rw_content_t. But that is just being consistent with the compartmented design. |
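The relabelling advice in the two posts above (restorecon/.autorelabel, and persisting a label through the file-context database) concerns the type field of a label, which is the part the targeted policy's type-enforcement decisions use; the SELinux user field (unconfined_u vs user_u) is what differs between the two listings in the first post. The script below is an added example, not code from any poster in this thread: it parses constructed ls -Z lines modelled on the RHEL5/RHEL6 output quoted above and a constructed SELinux user list (the kind semanage user -l prints), and reports whether the two labels agree on type and whether each label's SELinux user is actually defined on the host. The user list and the column layout of ls -Z are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): compare SELinux file labels from two hosts.

# Constructed ls -Z lines, modelled on the RHEL6 and RHEL5 output in the first post.
RHEL6_LS='-rwsr-x---. root varonis unconfined_u:object_r:usr_t:s0 vrns_watchdog'
RHEL5_LS='-rwsr-x---  root varonis user_u:object_r:usr_t:s0 vrns_watchdog'

# Constructed list of SELinux users, as "semanage user -l" would list them
# (assumed for the RHEL5 host; unconfined_u is deliberately absent).
RHEL5_USERS='root
system_u
user_u'

# label_context LINE : print the user:role:type[:level] column of an ls -Z line,
# located by shape rather than by position so "ls -lZ" output also works.
label_context() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+/) { print $i; exit } }'
}

# label_field LINE N : field N of the context (1=user, 2=role, 3=type, 4=level)
label_field() {
    label_context "$1" | cut -d: -f"$2"
}

# type_matches A B : succeed when both labels carry the same type, which is what
# type enforcement actually checks when a domain accesses the file.
type_matches() {
    [ "$(label_field "$1" 3)" = "$(label_field "$2" 3)" ]
}

# user_defined USERLIST LINE : succeed when the label's SELinux user appears in
# the host's list of defined SELinux users.
user_defined() {
    u=$(label_field "$2" 1)
    printf '%s\n' "$1" | grep -qx "$u"
}

# compare_labels A B : one-line summary, e.g. "type-same user-differs"
compare_labels() {
    if type_matches "$1" "$2"; then t=type-same; else t=type-differs; fi
    if [ "$(label_field "$1" 1)" = "$(label_field "$2" 1)" ]; then
        u=user-same
    else
        u=user-differs
    fi
    printf '%s %s\n' "$t" "$u"
}

# Stand-alone run: summarise the two constructed listings.
compare_labels "$RHEL5_LS" "$RHEL6_LS"
for line in "$RHEL5_LS" "$RHEL6_LS"; do
    if user_defined "$RHEL5_USERS" "$line"; then
        printf '%s: SELinux user defined on RHEL5 host\n' "$(label_field "$line" 1)"
    else
        printf '%s: SELinux user NOT defined on RHEL5 host\n' "$(label_field "$line" 1)"
    fi
done
```

On the constructed input the summary is "type-same user-differs": both files are usr_t, so a type-enforcement denial would not be explained by the label difference shown in the thread. On a real host, a type that must survive a relabel is recorded with semanage fcontext -a -t TYPE 'PATHREGEX' and then applied with restorecon -Rv PATH, which is the "database needs to be updated" step the post above describes.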
Right now I'm trying to figure out if it's even an SELinux issue. Today I changed the user context to root and the software still wouldn't run. As a matter of fact, while I was troubleshooting in /var/log/messages, it just stopped working... maybe it's the software... I also created .autorelabel and rebooted, and this didn't change the users found under semanage... maybe it's the software... |
From troubleshooting this more, this is an application issue. It abruptly stops running on two of my servers, so I don't know why they would think it would be an SELinux issue. |