[Discuss] selinux nightmare

Stephen Adler adler at stephenadler.com
Sun Sep 28 22:23:21 EDT 2014 

On 09/28/2014 06:55 PM, Chuck Anderson wrote:
> On Sun, Sep 28, 2014 at 04:25:06PM -0400, Stephen Adler wrote:
>> P.S. this is the kind of stuff I'm confronting....
>>
>> [root at mipdata0 ~]#  sealert -l dd884c85-199f-49c5-b44c-a595ce3cec43
>> SELinux is preventing /usr/bin/python2.7 from read access on the lnk_file .
> First, I recommend reading Dan Walsh's blog.  Every time someone asks
> a question on a mailing list, he writes a blog entry with the answer:
>
> http://danwalsh.livejournal.com/
>
> A couple general points:
>
> - Use a distro that ships with SELinux enabled by default.  Chances
>    are most standard things will work out of the box.
>
> - If you were using Permissive mode or disabled SELinux completely on
>    an install, it is imperative that you do an SELinux relabel after
>    re-enabling SELinux.  In some cases, you may need to enable SELinux
>    in Permissive mode in order to boot far enough to run the relabel.
>    In Fedora/Red Hat, you can trigger a relabel by doing:
>
>    touch /.autorelabel
>
>    and rebooting.
>
> - You will have the fewest problems if you stick to the standard
>    directory locations for various files.  E.g. /var/www for web stuff.
>    That isn't to say you can put things other places, but if you do you
>    may need to adjust policy with e.g. semanage fcontext.  To see all
>    the directory locations and what SELinux labels are applied to them,
>    look here:
>
>    /etc/selinux/targeted/contexts/files
>
> - If you move files rather than copying them from e.g. /home to
>    /var/www, you will need to relabel them, e.g.:
>
>    restorecon -R /var/www/html/foo
>
>    This is because moved files keep their same file context, whereas
>    copied files or newly created files inherit their file context from
>    the parent directory they are created in.
>
> - If you are using non-packaged (self-compiled or third-party
>    downloaded) software or software that isn't distributed as part of
>    the distribution's normal install/update repositories, you may have
>    more problems depending on whether that software is using standard
>    FHS directory locations, etc.  Again, you can adjust policy to
>    handle these cases, but the path of least resistance is to avoid it.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>
Thanks, this is very helpful.

Cheers. Steve.

More information about the Discuss mailing list