[Discuss] selinux nightmare

Chuck Anderson cra at WPI.EDU
Sun Sep 28 18:55:42 EDT 2014 

On Sun, Sep 28, 2014 at 04:25:06PM -0400, Stephen Adler wrote:
> P.S. this is the kind of stuff I'm confronting....
> 
> [root at mipdata0 ~]#  sealert -l dd884c85-199f-49c5-b44c-a595ce3cec43
> SELinux is preventing /usr/bin/python2.7 from read access on the lnk_file .

First, I recommend reading Dan Walsh's blog.  Every time someone asks
a question on a mailing list, he writes a blog entry with the answer:

http://danwalsh.livejournal.com/

A couple general points:

- Use a distro that ships with SELinux enabled by default.  Chances
  are most standard things will work out of the box.

- If you were using Permissive mode or disabled SELinux completely on
  an install, it is imperative that you do an SELinux relabel after
  re-enabling SELinux.  In some cases, you may need to enable SELinux
  in Permissive mode in order to boot far enough to run the relabel.
  In Fedora/Red Hat, you can trigger a relabel by doing:

  touch /.autorelabel

  and rebooting.

- You will have the fewest problems if you stick to the standard
  directory locations for various files.  E.g. /var/www for web stuff.
  That isn't to say you can put things other places, but if you do you
  may need to adjust policy with e.g. semanage fcontext.  To see all
  the directory locations and what SELinux labels are applied to them,
  look here:

  /etc/selinux/targeted/contexts/files

- If you move files rather than copying them from e.g. /home to
  /var/www, you will need to relabel them, e.g.:

  restorecon -R /var/www/html/foo

  This is because moved files keep their same file context, whereas
  copied files or newly created files inherit their file context from
  the parent directory they are created in.

- If you are using non-packaged (self-compiled or third-party
  downloaded) software or software that isn't distributed as part of
  the distribution's normal install/update repositories, you may have
  more problems depending on whether that software is using standard
  FHS directory locations, etc.  Again, you can adjust policy to
  handle these cases, but the path of least resistance is to avoid it.

More information about the Discuss mailing list