BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] selinux nightmare
- Subject: [Discuss] selinux nightmare
- From: cra at WPI.EDU (Chuck Anderson)
- Date: Sun, 28 Sep 2014 18:55:42 -0400
- In-reply-to: <54286EA2.9080407@stephenadler.com>
- References: <54286EA2.9080407@stephenadler.com>
On Sun, Sep 28, 2014 at 04:25:06PM -0400, Stephen Adler wrote: > P.S. this is the kind of stuff I'm confronting.... > > [root at mipdata0 ~]# sealert -l dd884c85-199f-49c5-b44c-a595ce3cec43 > SELinux is preventing /usr/bin/python2.7 from read access on the lnk_file . First, I recommend reading Dan Walsh's blog. Every time someone asks a question on a mailing list, he writes a blog entry with the answer: http://danwalsh.livejournal.com/ A couple general points: - Use a distro that ships with SELinux enabled by default. Chances are most standard things will work out of the box. - If you were using Permissive mode or disabled SELinux completely on an install, it is imperative that you do an SELinux relabel after re-enabling SELinux. In some cases, you may need to enable SELinux in Permissive mode in order to boot far enough to run the relabel. In Fedora/Red Hat, you can trigger a relabel by doing: touch /.autorelabel and rebooting. - You will have the fewest problems if you stick to the standard directory locations for various files. E.g. /var/www for web stuff. That isn't to say you can put things other places, but if you do you may need to adjust policy with e.g. semanage fcontext. To see all the directory locations and what SELinux labels are applied to them, look here: /etc/selinux/targeted/contexts/files - If you move files rather than copying them from e.g. /home to /var/www, you will need to relabel them, e.g.: restorecon -R /var/www/html/foo This is because moved files keep their same file context, whereas copied files or newly created files inherit their file context from the parent directory they are created in. - If you are using non-packaged (self-compiled or third-party downloaded) software or software that isn't distributed as part of the distribution's normal install/update repositories, you may have more problems depending on whether that software is using standard FHS directory locations, etc. Again, you can adjust policy to handle these cases, but the path of least resistance is to avoid it.
- Follow-Ups:
- [Discuss] selinux nightmare
- From: adler at stephenadler.com (Stephen Adler)
- [Discuss] selinux nightmare
- From: bill.n1vux at gmail.com (Bill Ricker)
- [Discuss] selinux nightmare
- References:
- [Discuss] selinux nightmare
- From: adler at stephenadler.com (Stephen Adler)
- [Discuss] selinux nightmare
- Prev by Date: [Discuss] selinux nightmare
- Next by Date: [Discuss] selinux nightmare
- Previous by thread: [Discuss] selinux nightmare
- Next by thread: [Discuss] selinux nightmare
- Index(es):
