LinuxQuestions.org
Old 03-18-2014, 12:40 PM   #1
cowmoo32
Member
 
Registered: May 2007
Posts: 49

Rep: Reputation: 0
SELinux enforcing causing IP issues...


I have a storage server and want to enable selinux enforcing, but after turning on enforcing and rebooting, the machine is not able to obtain an IP address, and actually reports that another machine is already using its static IP, which is not the case. If I disable enforcing then everything works as it should. I've tested this on three other machines without any issues so I'm at a loss as to what the problem might be. The one difference is this machine is RHEL5 and the others I've tested on are RHEL6. Any ideas?
 
Old 03-18-2014, 01:09 PM   #2
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979
Blog Entries: 1

Rep: Reputation: 209
What do the logs say?

Code:
sealert -a /var/log/audit/audit.log
Try forcing a relabel just for s&g

Code:
touch /.autorelabel && reboot
(NOTE: A relabel can take some time)

--C
 
Old 03-18-2014, 03:13 PM   #3
cowmoo32
Member
 
Registered: May 2007
Posts: 49

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by custangro
What do the logs say?

Code:
sealert -a /var/log/audit/audit.log
Code:
# grep sealert /var/log/messages
Mar 18 14:53:55 eno setroubleshoot: [program.ERROR] exception TypeError: not all arguments converted during string formatting Traceback (most recent call last):   File "/usr/bin/sealert", line 968, in ?     do_analyze_logfile(logfile, html)   File "/usr/bin/sealert", line 824, in do_analyze_logfile     scanner.scan_file()   File "/usr/bin/sealert", line 804, in scan_file     self.analyzer.open()   File "/usr/lib/python2.4/site-packages/setroubleshoot/analyze.py", line 549, in open     log_avc.error('%s.open()', self.__class__.__name__, e.strerror)   File "/usr/lib64/python2.4/logging/__init__.py", line 999, in error     apply(self._log, (ERROR, msg, args), kwargs)   File "/usr/lib64/python2.4/logging/__init__.py", line 1079, in _log     self.handle(record)   File "/usr/lib64/python2.4/logging/__init__.py", line 1089, in handle     self.callHandlers(record)   File "/usr/lib64/python2.4/logging/__init__.py", line 1126, in callHandlers     hdlr.handle(record)   File "/usr/lib64/python2.4/logging/__init__.py", line 642, in han
[root@eno essexton]# sealert -a /var/log/audit/audit.log
Traceback (most recent call last):
  File "/usr/bin/sealert", line 982, in ?
    from setroubleshoot.gui_utils import *
  File "/usr/lib/python2.4/site-packages/setroubleshoot/gui_utils.py", line 26, in ?
    import gtk
  File "/usr/lib64/python2.4/site-packages/gtk-2.0/gtk/__init__.py", line 76, in ?
    _init()
  File "/usr/lib64/python2.4/site-packages/gtk-2.0/gtk/__init__.py", line 64, in _init
    _gtk.init_check()
RuntimeError: could not open display
Quote:
Try forcing a relabel just for s&g

Code:
touch /.autorelabel && reboot
(NOTE: A relabel can take some time)

--C
Unfortunately I can't really play around with this one because it's used for research purposes and downtime has to be scheduled pretty far in advance.
 
Old 03-18-2014, 03:22 PM   #4
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979
Blog Entries: 1

Rep: Reputation: 209
The error you get when trying to run the analyzer is a bug and you need to update the version of setroubleshoot.

Code:
yum -y update setroubleshoot
I've had a similar problem in the past and a "relabel" seemed to have fixed it. But we won't know the issue until you run that sealert command successfully.

--C
 
Old 03-18-2014, 04:21 PM   #5
cowmoo32
Member
 
Registered: May 2007
Posts: 49

Original Poster
Rep: Reputation: 0
Updated and I'm still getting the same error. I kickstarted a machine with RHEL5 just before I left this afternoon and I'm going to see if I get the same bug when I turn on enforcing; at least then I'll know if it's unique to the storage server or something with RHEL5.
Code:
================================================================================
 Package                Arch    Version             Repository             Size
================================================================================
Updating:
 setroubleshoot         noarch  2.0.5-5.el5_8.1     rhel-x86_64-server-5  134 k
Updating for dependencies:
 setroubleshoot-server  noarch  2.0.5-5.el5_8.1     rhel-x86_64-server-5  1.2 M

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       2 Package(s)

Total download size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): setroubleshoot-2.0.5-5.el5_8.1.noarch.rpm         | 134 kB     00:00     
(2/2): setroubleshoot-server-2.0.5-5.el5_8.1.noarch.rpm  | 1.2 MB     00:00     
--------------------------------------------------------------------------------
Total                                           2.3 MB/s | 1.4 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : setroubleshoot-server                                    1/4 
  Updating       : setroubleshoot                                           2/4 
  Cleanup        : setroubleshoot                                           3/4 
  Cleanup        : setroubleshoot-server                                    4/4 

Updated:
  setroubleshoot.noarch 0:2.0.5-5.el5_8.1                                       

Dependency Updated:
  setroubleshoot-server.noarch 0:2.0.5-5.el5_8.1                                

Complete!
Code:
# sealert -a /var/log/audit/audit.log
Traceback (most recent call last):
  File "/usr/bin/sealert", line 982, in ?
    from setroubleshoot.gui_utils import *
  File "/usr/lib/python2.4/site-packages/setroubleshoot/gui_utils.py", line 26, in ?
    import gtk
  File "/usr/lib64/python2.4/site-packages/gtk-2.0/gtk/__init__.py", line 76, in ?
    _init()
  File "/usr/lib64/python2.4/site-packages/gtk-2.0/gtk/__init__.py", line 64, in _init
    _gtk.init_check()
RuntimeError: could not open display
edit: The display error wouldn't be caused by the fact that I'm ssh'ed in, would it?

Last edited by cowmoo32; 03-18-2014 at 04:23 PM.
 
Old 03-18-2014, 05:56 PM   #6
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979
Blog Entries: 1

Rep: Reputation: 209
Quote:
The display error wouldn't be caused by the fact that I'm ssh'ed in, would it?
Yes, but it shouldn't matter as it should just display it on the terminal.

What does...

Code:
rpm -qa | grep setroubleshoot
...show

--C
 
Old 03-18-2014, 06:30 PM   #7
cowmoo32
Member
 
Registered: May 2007
Posts: 49

Original Poster
Rep: Reputation: 0
Code:
# rpm -qa | grep setroubleshoot
setroubleshoot-2.0.5-5.el5_8.1
setroubleshoot-plugins-2.0.4-2.el5
setroubleshoot-server-2.0.5-5.el5_8.1
And the test machine works fine with RHEL5 enforcing, so it's definitely something with this machine in particular.
 
Old 03-18-2014, 07:21 PM   #8
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979
Blog Entries: 1

Rep: Reputation: 209
It looks like it, because you have all the required pkgs and you've updated your setroubleshooter.

I'd be interested when you do find the problem!


--C
 
Old 03-19-2014, 10:03 AM   #9
cowmoo32
Member
 
Registered: May 2007
Posts: 49

Original Poster
Rep: Reputation: 0
Great, I was hoping it would be something easy. I'll be sure to update when I get it figured out.
 
Old 03-19-2014, 12:52 PM   #10
cowmoo32
Member
 
Registered: May 2007
Posts: 49

Original Poster
Rep: Reputation: 0
No logs are in /var/audit. Is there anything in particular I should be looking for in /var/messages? There are logs from the day I enabled enforcing and I'm seeing all kinds of errors dealing with network issues.

edit: It appears the IP was obtained
Code:
Mar 17 10:04:47 eno avahi-daemon[4665]: Joining mDNS multicast group on interface eth2.IPv4 with address 152.1.XX.XXX.
Mar 17 10:04:48 eno avahi-daemon[4665]: Network interface enumeration completed.
Mar 17 10:04:48 eno avahi-daemon[4665]: Registering new address record for fe80::a6ba:dbff:fe1d:3e89 on eth2.
Mar 17 10:04:48 eno avahi-daemon[4665]: Registering new address record for 152.1.XX.XXX on eth2.
Mar 17 10:04:48 eno avahi-daemon[4665]: Registering HINFO record with values 'X86_64'/'LINUX'.
Mar 17 10:04:48 eno avahi-daemon[4665]: Server startup complete. Host name is eno.local.

But then I get errors about losing connection to our AFS servers
Code:
Mar 17 10:06:03 eno kernel: afs: Lost contact with file server 152.1.XXX.XXX in cell afsname (all multi-homed ip addresses down for the server)
Mar 17 10:06:03 eno kernel: afs: Lost contact with file server  152.1.XXX.XXX in cell afsname (all multi-homed ip addresses down for the server)

Last edited by cowmoo32; 03-19-2014 at 01:00 PM.
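Because the sealert build in this thread imports gtk before it does anything else (the `could not open display` traceback in posts #3 and #5), a display-free way to answer "what should I be looking for" is to pull the raw AVC denial records and tally them by process, source type, target type and permission. The script below is an added example, not code from the thread or from the setroubleshoot project; it assumes the standard RHEL log paths and the `ausearch` tool from the audit package, and the AVC lines it runs on are constructed for illustration rather than taken from the poster's machine. When auditd is not running (post #10 found nothing under the audit directory) the kernel still emits AVC messages through klogd into /var/log/messages, which the grep fallback covers.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials without
# sealert or an X display. Reads audit.log-style or syslog-style lines on stdin
# and prints one line per distinct denial pattern, most frequent first:
#   <count> <comm> <source type> <target type> <class> {<permissions>}

avc_summary() {
    awk '
    # Return the value following "name=" on the current line, quotes stripped.
    function field(name,    s) {
        if (match($0, name "[^ ]+") == 0) return "?"
        s = substr($0, RSTART + length(name), RLENGTH - length(name))
        gsub(/"/, "", s)
        return s
    }
    # Reduce user:role:type:level to just the type component.
    function ctx_type(ctx,    n, p) {
        n = split(ctx, p, ":")
        return (n >= 3) ? p[3] : ctx
    }
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)     # drop everything up to "{ "
        sub(/ *[}].*/, "", perms)             # drop " }" and the rest
        key = field("comm=") " " ctx_type(field("scontext=")) " " ctx_type(field("tcontext="))
        key = key " " field("tclass=") " {" perms "}"
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Collect AVC records from a live RHEL host: ausearch understands the audit
# format; plain grep is the fallback when auditd is not logging.
avc_from_logs() {
    ausearch -m avc -ts today 2>/dev/null \
        || grep -h 'avc: *denied' /var/log/audit/audit.log /var/log/messages 2>/dev/null
}

# Constructed sample input (not the thread's real output). The first three lines
# use the audit.log format, the last the kernel/syslog form seen in /var/log/messages.
SAMPLE_AVC='type=AVC msg=audit(1395064987.123:4571): avc:  denied  { name_bind } for  pid=2231 comm="dhclient" src=68 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1395064988.201:4572): avc:  denied  { name_bind } for  pid=2231 comm="dhclient" src=68 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1395064990.007:4580): avc:  denied  { read } for  pid=2240 comm="ifconfig" name="ifcfg-eth2" dev=sda1 ino=12345 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
Mar 17 10:04:50 eno kernel: type=1400 audit(1395064988.300:4573): avc:  denied  { name_bind } for  pid=2231 comm="dhclient" src=68 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket'

# On a real host you would run:  avc_from_logs | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

The summary tells you which confined domain is being refused what, which is the question the booleans in the next post try to answer by guessing. Once a denial is identified, `audit2why` (also from the audit/policycoreutils tooling, and also display-free) will say whether an existing boolean already covers it or whether the file labels are wrong, which is the case a relabel would fix.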
 
Old 03-20-2014, 01:06 PM   #11
cowmoo32
Member
 
Registered: May 2007
Posts: 49

Original Poster
Rep: Reputation: 0
After doing some reading I'm wondering if it has something to do with the boolean options. custangro, does anything come to mind that might be blocking network traffic?
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

edit:
Code:
#getsebool -a

NetworkManager_disable_trans --> off
aisexec_disable_trans --> off
allow_aisexec_rw_tmpfs --> off
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gpg_execstack --> off
allow_gssd_read_tmp --> on
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
allow_java_execstack --> off
allow_kerberos --> on
allow_mount_anyfile --> off
allow_mounton_anydir --> on
allow_mplayer_execstack --> off
allow_nfsd_anon_write --> off
allow_polyinstantiation --> off
allow_postfix_local_write_mail_spool --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_saslauthd_read_shadow --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_tftp_anon_write --> off
allow_unconfined_execmem_dyntrans --> off
allow_unconfined_mmap_low --> on
allow_unlabeled_packets --> on
allow_user_mysql_connect --> off
allow_write_xshm --> off
allow_ypbind --> off
allow_zebra_write_config --> on
amanda_disable_trans --> off
amavis_disable_trans --> off
apmd_disable_trans --> off
arpwatch_disable_trans --> off
auditd_disable_trans --> off
automount_disable_trans --> off
avahi_disable_trans --> off
bluetooth_disable_trans --> off
canna_disable_trans --> off
cardmgr_disable_trans --> off
ccs_disable_trans --> off
cdrecord_read_content --> off
clamd_disable_trans --> off
clamscan_disable_trans --> off
clogd_disable_trans --> off
clvmd_disable_trans --> off
comsat_disable_trans --> off
cron_can_relabel --> off
crond_disable_trans --> off
cupsd_config_disable_trans --> off
cupsd_disable_trans --> off
cupsd_lpd_disable_trans --> off
cvs_disable_trans --> off
cyrus_disable_trans --> off
dbskkd_disable_trans --> off
dccd_disable_trans --> off
dccifd_disable_trans --> off
dccm_disable_trans --> off
dhcpc_disable_trans --> off
dhcpc_exec_iptables --> off
dhcpd_disable_trans --> off
disable_evolution_trans --> off
disable_games_trans --> off
disable_mozilla_trans --> off
disable_thunderbird_trans --> off
dkim_milter_disable_trans --> off
dlm_controld_disable_trans --> off
dnsmasq_disable_trans --> off
dovecot_disable_trans --> off
fcron_crond --> off
fenced_can_network_connect --> off
fenced_disable_trans --> off
fetchmail_disable_trans --> off
fingerd_disable_trans --> off
freshclam_disable_trans --> off
fsdaemon_disable_trans --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
gfs_controld_disable_trans --> off
global_ssp --> off
gpm_disable_trans --> off
greylist_milter_disable_trans --> off
groupd_disable_trans --> off
gssd_disable_trans --> off
hald_disable_trans --> off
hotplug_disable_trans --> off
howl_disable_trans --> off
hplip_disable_trans --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
inetd_child_disable_trans --> off
inetd_disable_trans --> off
innd_disable_trans --> off
ipsec_disable_trans --> off
irqbalance_disable_trans --> off
iscsid_disable_trans --> off
kadmind_disable_trans --> off
klogd_disable_trans --> off
kpropd_disable_trans --> off
krb5kdc_disable_trans --> off
ktalkd_disable_trans --> off
lpd_disable_trans --> off
mail_read_content --> off
mailman_mail_disable_trans --> off
mdadm_disable_trans --> off
mozilla_read_content --> off
mysqld_disable_trans --> off
nagios_disable_trans --> off
named_disable_trans --> off
named_write_master_zones --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_disable_trans --> off
nmbd_disable_trans --> off
nrpe_disable_trans --> off
nscd_disable_trans --> off
ntpd_disable_trans --> off
oddjob_disable_trans --> off
oddjob_mkhomedir_disable_trans --> off
openvpn_disable_trans --> off
openvpn_enable_homedirs --> off
pcscd_disable_trans --> off
pegasus_disable_trans --> off
piranha_fos_disable_trans --> off
piranha_lvs_can_network_connect --> off
piranha_lvs_disable_trans --> off
piranha_pulse_disable_trans --> off
piranha_web_disable_trans --> off
portmap_disable_trans --> off
postfix_disable_trans --> off
postgresql_disable_trans --> off
postgrey_disable_trans --> off
pppd_can_insmod --> off
pppd_disable_trans --> off
pppd_for_user --> off
pptp_disable_trans --> off
prelude_audisp_disable_trans --> off
prelude_disable_trans --> off
prelude_lml_disable_trans --> off
privoxy_connect_any --> off
privoxy_disable_trans --> off
ptal_disable_trans --> off
pyzord_disable_trans --> off
qdiskd_disable_trans --> off
qemu_full_network --> on
qemu_use_cifs --> on
qemu_use_comm --> off
qemu_use_nfs --> on
qemu_use_usb --> on
racoon_disable_trans --> off
racoon_read_shadow --> off
radiusd_disable_trans --> off
radvd_disable_trans --> off
rdisc_disable_trans --> off
read_default_t --> on
read_untrusted_content --> off
readahead_disable_trans --> off
regex_milter_disable_trans --> off
restorecond_disable_trans --> off
rgmanager_can_network_connect --> off
rgmanager_disable_trans --> off
rhgb_disable_trans --> off
rhsmcertd_disable_trans --> off
ricci_disable_trans --> off
ricci_modclusterd_disable_trans --> off
rlogind_disable_trans --> off
rpcd_disable_trans --> off
rshd_disable_trans --> off
rsync_client --> off
rsync_disable_trans --> off
rsync_export_all_ro --> off
run_ssh_inetd --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_fusefs --> off
samba_share_nfs --> off
saslauthd_disable_trans --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
setrans_disable_trans --> off
setroubleshootd_disable_trans --> off
slapd_disable_trans --> off
smbd_disable_trans --> off
snmpd_disable_trans --> off
spamass_milter_disable_trans --> off
spamassassin_can_network --> off
spamd_disable_trans --> off
spamd_enable_home_dirs --> on
squid_connect_any --> off
squid_disable_trans --> off
ssh_sysadm_login --> off
sssd_disable_trans --> off
staff_read_sysadm_file --> off
stunnel_disable_trans --> off
stunnel_is_daemon --> off
swat_disable_trans --> off
syslogd_disable_trans --> off
tcpd_disable_trans --> off
telnetd_disable_trans --> off
tftpd_disable_trans --> off
tzdata_disable_trans --> off
udev_disable_trans --> off
use_lpd_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_net_control --> off
user_ping --> on
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
uucpd_disable_trans --> off
vhostmd_disable_trans --> off
virt_use_comm --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_sysfs --> off
virt_use_usb --> on
virtd_disable_trans --> off
winbind_disable_trans --> off
write_untrusted_content --> off
xdm_disable_trans --> off
xdm_sysadm_login --> off
xend_disable_trans --> off
xfs_disable_trans --> off
xm_disable_trans --> off
ypbind_disable_trans --> off
yppasswdd_disable_trans --> off
ypserv_disable_trans --> off
ypxfr_disable_trans --> off
zarafa_deliver_disable_trans --> off
zarafa_gateway_disable_trans --> off
zarafa_ical_disable_trans --> off
zarafa_indexer_disable_trans --> off
zarafa_monitor_disable_trans --> off
zarafa_server_disable_trans --> off
zarafa_spooler_disable_trans --> off
zebra_disable_trans --> off

Last edited by cowmoo32; 03-20-2014 at 01:12 PM.
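A long `getsebool -a` dump is hard to read by eye, but the thread already has what is needed to make it useful: a test RHEL5 machine on which enforcing works (post #7). Comparing that host's booleans against the storage server's and keeping only the ones that differ, then narrowing to names that relate to networking, turns the list into a short set of candidates. The script below is an added example, not code from the thread; the two listings it compares are constructed for illustration, and the "network-relevant" name pattern is a heuristic chosen for this example rather than an official classification.

```shell
#!/bin/sh
# Added example (not from the thread): diff `getsebool -a` output from a
# known-good host against the host under investigation and list only the
# booleans that differ, optionally narrowed to network-related names.
# Capture on each host with:  getsebool -a > /tmp/sebool.$(hostname)

# Usage: sebool_diff REFERENCE_FILE THIS_HOST_FILE
# Input lines look like "allow_ypbind --> on" ($1 = name, $3 = value).
sebool_diff() {
    awk '
    NR == FNR { ref[$1] = $3; next }     # first file: reference (working) host
    ($1 in ref) && ref[$1] != $3 { printf "%s: reference=%s this=%s\n", $1, ref[$1], $3 }
    !($1 in ref)                 { printf "%s: reference=<absent> this=%s\n", $1, $3 }
    ' "$1" "$2"
}

# Keep only booleans whose names suggest network, port or remote-filesystem
# access (heuristic pattern for this example, not an official classification).
sebool_network_only() {
    grep -E 'net|port|bind|connect|packet|nfs|samba|cifs|dhcp|ping|relay'
}

# Constructed sample listings (not the thread's real output): the reference is a
# host on which enforcing works, the second is the host under investigation.
REFERENCE_BOOLS='allow_unlabeled_packets --> on
allow_ypbind --> on
httpd_enable_cgi --> on
nfs_export_all_rw --> off
user_ping --> on'

THIS_HOST_BOOLS='allow_unlabeled_packets --> on
allow_ypbind --> off
httpd_enable_cgi --> off
nfs_export_all_rw --> on
user_ping --> on'

# Write the samples to temporary files and run the comparison through an
# optional filter command (default: none).
sebool_demo() {
    filter=${1:-cat}
    ref_file=$(mktemp); this_file=$(mktemp)
    printf '%s\n' "$REFERENCE_BOOLS" > "$ref_file"
    printf '%s\n' "$THIS_HOST_BOOLS" > "$this_file"
    sebool_diff "$ref_file" "$this_file" | "$filter"
    rm -f "$ref_file" "$this_file"
}

sebool_demo sebool_network_only
```

A differing boolean is a hypothesis, not a diagnosis: the AVC denial records are the authoritative evidence, and a boolean is only the right fix when `audit2why` reports that it would allow the denied access. When that is the case, `setsebool -P <name> on` makes the change persistent; changing one without a matching denial widens policy for no gain.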
 
Old 03-20-2014, 02:07 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate (or prequel to) https://www.linuxquestions.org/quest...ty-4175498868/.
 
  


All times are GMT -5. The time now is 04:14 AM.
