[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] selinux nightmare
- Subject: [Discuss] selinux nightmare
- From: adler at stephenadler.com (Stephen Adler)
- Date: Sun, 28 Sep 2014 22:23:21 -0400
- In-reply-to: <20140928225541.GL15839@angus.ind.WPI.EDU>
- References: <54286EA2.email@example.com> <20140928225541.GL15839@angus.ind.WPI.EDU>
On 09/28/2014 06:55 PM, Chuck Anderson wrote: > On Sun, Sep 28, 2014 at 04:25:06PM -0400, Stephen Adler wrote: >> P.S. this is the kind of stuff I'm confronting.... >> >> [root at mipdata0 ~]# sealert -l dd884c85-199f-49c5-b44c-a595ce3cec43 >> SELinux is preventing /usr/bin/python2.7 from read access on the lnk_file . > First, I recommend reading Dan Walsh's blog. Every time someone asks > a question on a mailing list, he writes a blog entry with the answer: > > http://danwalsh.livejournal.com/ > > A couple general points: > > - Use a distro that ships with SELinux enabled by default. Chances > are most standard things will work out of the box. > > - If you were using Permissive mode or disabled SELinux completely on > an install, it is imperative that you do an SELinux relabel after > re-enabling SELinux. In some cases, you may need to enable SELinux > in Permissive mode in order to boot far enough to run the relabel. > In Fedora/Red Hat, you can trigger a relabel by doing: > > touch /.autorelabel > > and rebooting. > > - You will have the fewest problems if you stick to the standard > directory locations for various files. E.g. /var/www for web stuff. > That isn't to say you can put things other places, but if you do you > may need to adjust policy with e.g. semanage fcontext. To see all > the directory locations and what SELinux labels are applied to them, > look here: > > /etc/selinux/targeted/contexts/files > > - If you move files rather than copying them from e.g. /home to > /var/www, you will need to relabel them, e.g.: > > restorecon -R /var/www/html/foo > > This is because moved files keep their same file context, whereas > copied files or newly created files inherit their file context from > the parent directory they are created in. > > - If you are using non-packaged (self-compiled or third-party > downloaded) software or software that isn't distributed as part of > the distribution's normal install/update repositories, you may have > more problems depending on whether that software is using standard > FHS directory locations, etc. Again, you can adjust policy to > handle these cases, but the path of least resistance is to avoid it. > _______________________________________________ > Discuss mailing list > Discuss at blu.org > http://lists.blu.org/mailman/listinfo/discuss > Thanks, this is very helpful. Cheers. Steve.