Sorry, resending this to the list... Sent it from the wrong email address so the original didn't post to the list.

Begin forwarded message:

From: Thomas Smith <>
Date: November 10, 2008 9:59:35 AM MST
To: Jerrad Pierce <[EMAIL PROTECTED]>
Cc: rt Users <[email protected]>
Subject: Re: [rt-users] SELinux RT/syslog problem

Hi Jerrad,

Not all programs are SELinux-aware and so can muck things up a bit sometimes. When this happens, the best thing to do is to relabel the filesystem. To do this, execute the following commands:

        touch /.autorelabel
        reboot

Keep in mind that the reboot may take a while.

If you want to see which files have an incorrect label (according to the SELinux policy), you can run this command:

        restorecon -n -R -v /

The switches have the following meanings:

        -n - Don't change any file labels. Allows you to see what will be changed before committing to it (if you use the -v switch)--remove the switch to relabel the affected files.
        -R - Recursive.
        -v - Tells "restorecon" to show which files/directories would be changed and to what context. If you leave this switch out, restorecon will exit silently.

It's usually wise to relabel the filesystem when installing any software that didn't come with your distribution. This will prevent problems like these from going unnoticed for too long.

~ Tom

On Nov 10, 2008, at 8:28 AM, Jerrad Pierce wrote:

Is anyone running RT on a box with SELinux (ES4 in my case)?
Everything's been going peachy until for some reason yesterday
things got mucked up on /dev/log and now apache/RT cannot log
to syslog, which means several functions like merging are currently
inaccessible. Anybody happen to know what the proper context is
for that file? It's currently: system_u:object_r:devlog_t and the
errors I'm getting are:

#Pre- restorecon
Nov 9 19:30:25 rt kernel: audit(1226277025.460:207): avc: denied {
write } for pid=6378 comm="httpd.worker" name="log" dev=tmpfs
ino=32795 scontext=user_u:system_r:httpd_t
tcontext=root:object_r:device_t tclass=sock_file

#Post- restorecon
Nov 9 20:23:25 rt kernel: audit(1226280205.215:999): avc: denied {
sendto } for pid=6873 comm="httpd.worker" name="log"
scontext=user_u:system_r:httpd_t tcontext=root:system_r:unconfined_t
tclass=unix_dgram_socket

I've found a few pages online with hints on how I might be able to fix this, but none use chcon and instead require modifying system policies
to add:

allow httpd_t device_t:sock_file write;
allow httpd_t unconfined_t:unix_dgram_socket sendto;

Which I cannot do as the necessary tools are not installed
(and the package manager is currently out of commission).
--
Cambridge Energy Alliance: Save money. Save the planet.
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]


Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
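
Added example (not part of the original thread): a Python sketch that parses the two AVC denials quoted above and separates a denial on a mislabeled file, which restorecon can correct, from a denial whose target is not a file at all. The function names and the expected-type table are assumptions for illustration; devlog_t for /dev/log is the label reported in the post.

```python
import re

# The two denials quoted in the thread, rejoined onto one line each.
SAMPLE_LOG = """\
Nov 9 19:30:25 rt kernel: audit(1226277025.460:207): avc: denied { write } for pid=6378 comm="httpd.worker" name="log" dev=tmpfs ino=32795 scontext=user_u:system_r:httpd_t tcontext=root:object_r:device_t tclass=sock_file
Nov 9 20:23:25 rt kernel: audit(1226280205.215:999): avc: denied { sendto } for pid=6873 comm="httpd.worker" name="log" scontext=user_u:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=unix_dgram_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes whose label is stored on the filesystem, so restorecon can reset it.
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}

# Assumption: expected type keyed by (name, class); devlog_t is the label the post reports.
EXPECTED_TYPE = {("log", "sock_file"): "devlog_t"}

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permissions, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    """A context is user:role:type[:range]; the type is the third field."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def triage(rec):
    """Classify a denial by whether relabelling a file could resolve it."""
    ttype, tclass = context_type(rec["tcontext"]), rec["tclass"]
    if tclass in FILE_CLASSES:
        want = EXPECTED_TYPE.get((rec.get("name"), tclass))
        if want and want != ttype:
            return ("mislabeled-file", f"{rec['name']}: {ttype} -> {want}")
        return ("file-denial", f"{rec.get('name')}: {ttype}")
    # Target is not a file; restorecon on a path does not change this label.
    return ("non-file-target", f"{tclass} labelled {ttype}")

def triage_log(text):
    return [triage(r) for r in map(parse_avc, text.splitlines()) if r]

if __name__ == "__main__":
    for kind, detail in triage_log(SAMPLE_LOG):
        print(kind, detail)
```
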

