Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz 



On 12/28/2016 06:33 PM, Greg Cornell wrote:

On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" 
 wrote:

On 12/28/2016 06:13 PM, Greg Cornell wrote:

On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" 
 wrote:



On 12/28/2016 06:05 PM, J Martin Rushton wrote:

On 28/12/16 21:24, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 03:32 PM, J Martin Rushton wrote:

On 28/12/16 20:11, Robert Moskowitz wrote:

On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz

wrote:

Which is why I wonder if there is some different config for the
C7.3
version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in
/var/log/audit/audit.log?

Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
rv:50.0)
Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
open
directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions
will
be allowed


So something may well not be right with my SELinux.


Bang. I would suggest, at this point, that you might want to set
selinux
into permissive mode, so you'll get the error messages from it, and
can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on
this image.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:

No GUI in the base image.  And on arm, we tend to use Xfce.


# /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.


It generates suggestions to fix SELinx issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.

I have never had it make useful suggestions to my on my notebook, but we
will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
  File "/usr/bin/sealert", line 651, in 
import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.


Nahh... you want to instal setroubleshoot.

  mark

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Sorry, missed the no GUI if it was mentioned earlier.

Never mentioned it.  I have not checked to see what GUI has been ported
to try and load something.  I *DO* use Xfce with Fedora-arm systems.
But I would have to hook this little server up to such.


You _might_ get away with ssh -Y from a workstation but you might end up 
wasting time.
No guarantees I'm afraid. :-) Martin

Yeah, ssh -Y can be such fun with a headless system.

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Greg Cornell 
On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" 
 wrote:

On 12/28/2016 06:13 PM, Greg Cornell wrote:
> On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" 
>  wrote:
>
>
>
> On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>> On 28/12/16 21:24, m.r...@5-cent.us wrote:
>>> Robert Moskowitz wrote:
 On 12/28/2016 03:32 PM, J Martin Rushton wrote:
> On 28/12/16 20:11, Robert Moskowitz wrote:
>> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>>> Robert Moskowitz wrote:
 On 12/28/2016 05:11 AM, Todor Petkov wrote:
> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
> 
> wrote:
>> Which is why I wonder if there is some different config for the
>> C7.3
>> version
>> of apache.
>>
>> Or something with the C7-arm build...
> Can you check for SELinux warnings/errors in
> /var/log/audit/audit.log?
 Good advice.  As I suspect the problem is with SELinux.

 So I tried an access.  What follows is the access_log entry, the
 error_log entry and the 3 entries in the audit.log:

 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
 HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
 rv:50.0)
 Gecko/20100101 Firefox/50.0"

 [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
 (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
 open
 directory for index: /home/rgm/public_html/family/

 type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
 pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
 scontext=system_u:system_r:httpd_t:s0
 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
 permissive=0

 type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
 per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
 suid=48
 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
 comm="httpd"
 exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

 type=PROCTITLE msg=audit(1482944350.289:339):
 proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


 I will say that after enabling selinux on this image per the
 instructions of the team doing the Centos7-arm builds, I got the
 following messages when I did things like 'setsebool -P
 httpd_enable_homedirs on':

 [ 2273.047017] SELinux:  Class binder not defined in policy.
 [ 2273.052531] SELinux: the above unknown classes and permissions
 will
 be allowed


 So something may well not be right with my SELinux.

>>> Bang. I would suggest, at this point, that you might want to set
>>> selinux
>>> into permissive mode, so you'll get the error messages from it, and
>>> can
>>> work out fixes, but will let your system operate as you intend.
>>> setselinux 0
>>>
>>> Note that this is *temporary*, and will revert on reboot. To make it
>>> permanent, you'd need to edit /etc/selinux/config.
>> Thanks, Mark, I was just getting around to that way of thinking.
>>
>> The command, at least on my Centos7-arm system is
>>
>> setenforce 0
>>
>> A presto it works.  So now to figure out what is wrong with SElinux on
>> this image.
>>
>> ___
>> CentOS mailing list
>> CentOS@centos.org
>> https://lists.centos.org/mailman/listinfo/centos
> Have you got the setroubleshoot-server package installed?  For x86_64 it
> is part of the base repository, obviously arm may differ.  The package
> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
> menu, or it can be launched via:
 No GUI in the base image.  And on arm, we tend to use Xfce.

> # /usr/bin/python -Es /usr/bin/sealert -s
 no sealert bin file, so it is off to install it.

> It generates suggestions to fix SELinx issues.  Sometimes it is quite
> useful, on other occasions it just lists vast numbers of possibilities
> with little or no help.  On balance it is worth trying for when it does
> help.
 I have never had it make useful suggestions to my on my notebook, but we
 will see...

 so here is what happens after I install it:

 # /usr/bin/python -Es /usr/bin/sealert -s
 Opps, sealert hit an error!

 Traceback (most recent call last):
  File "/usr/bin/sealert", line 651, in

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz 



On 12/28/2016 06:13 PM, Greg Cornell wrote:

On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" 
 wrote:



On 12/28/2016 06:05 PM, J Martin Rushton wrote:

On 28/12/16 21:24, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 03:32 PM, J Martin Rushton wrote:

On 28/12/16 20:11, Robert Moskowitz wrote:

On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz

wrote:

Which is why I wonder if there is some different config for the
C7.3
version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in
/var/log/audit/audit.log?

Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
rv:50.0)
Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
open
directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions
will
be allowed


So something may well not be right with my SELinux.


Bang. I would suggest, at this point, that you might want to set
selinux
into permissive mode, so you'll get the error messages from it, and
can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on
this image.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:

No GUI in the base image.  And on arm, we tend to use Xfce.


# /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.


It generates suggestions to fix SELinx issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.

I have never had it make useful suggestions to my on my notebook, but we
will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
 File "/usr/bin/sealert", line 651, in 
   import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.


Nahh... you want to instal setroubleshoot.

 mark

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Sorry, missed the no GUI if it was mentioned earlier.

Never mentioned it.  I have not checked to see what GUI has been ported
to try and load something.  I *DO* use Xfce with Fedora-arm systems.
But I would have to hook this little server up to such.


You _might_ get away with ssh -Y from a workstation but you might end up 
wasting time.
No guarantees I'm afraid. :-) Martin

Yeah, ssh -Y can be such fun with a headless system.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Sorry, I’m a bit late to this thread so I don’t know if anyone has

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Greg Cornell 
On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" 
 wrote:



On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>
> On 28/12/16 21:24, m.r...@5-cent.us wrote:
>> Robert Moskowitz wrote:
>>>
>>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
 On 28/12/16 20:11, Robert Moskowitz wrote:
> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>> Robert Moskowitz wrote:
>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
 On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
 
 wrote:
> Which is why I wonder if there is some different config for the
> C7.3
> version
> of apache.
>
> Or something with the C7-arm build...
 Can you check for SELinux warnings/errors in
 /var/log/audit/audit.log?
>>> Good advice.  As I suspect the problem is with SELinux.
>>>
>>> So I tried an access.  What follows is the access_log entry, the
>>> error_log entry and the 3 entries in the audit.log:
>>>
>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>>> rv:50.0)
>>> Gecko/20100101 Firefox/50.0"
>>>
>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>>> open
>>> directory for index: /home/rgm/public_html/family/
>>>
>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>> permissive=0
>>>
>>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>>> suid=48
>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>> comm="httpd"
>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>
>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>
>>>
>>> I will say that after enabling selinux on this image per the
>>> instructions of the team doing the Centos7-arm builds, I got the
>>> following messages when I did things like 'setsebool -P
>>> httpd_enable_homedirs on':
>>>
>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>> [ 2273.052531] SELinux: the above unknown classes and permissions
>>> will
>>> be allowed
>>>
>>>
>>> So something may well not be right with my SELinux.
>>>
>> Bang. I would suggest, at this point, that you might want to set
>> selinux
>> into permissive mode, so you'll get the error messages from it, and
>> can
>> work out fixes, but will let your system operate as you intend.
>> setselinux 0
>>
>> Note that this is *temporary*, and will revert on reboot. To make it
>> permanent, you'd need to edit /etc/selinux/config.
> Thanks, Mark, I was just getting around to that way of thinking.
>
> The command, at least on my Centos7-arm system is
>
> setenforce 0
>
> A presto it works.  So now to figure out what is wrong with SElinux on
> this image.
>
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
 Have you got the setroubleshoot-server package installed?  For x86_64 it
 is part of the base repository, obviously arm may differ.  The package
 installs a "SELinux Troubleshooter" entry in the Applications/Sundry
 menu, or it can be launched via:
>>> No GUI in the base image.  And on arm, we tend to use Xfce.
>>>
 # /usr/bin/python -Es /usr/bin/sealert -s
>>> no sealert bin file, so it is off to install it.
>>>
 It generates suggestions to fix SELinx issues.  Sometimes it is quite
 useful, on other occasions it just lists vast numbers of possibilities
 with little or no help.  On balance it is worth trying for when it does
 help.
>>> I have never had it make useful suggestions to my on my notebook, but we
>>> will see...
>>>
>>> so here is what happens after I install it:
>>>
>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>> Opps, sealert hit an error!
>>>
>>> Traceback (most recent call last):
>>> File "/usr/bin/sealert", line 651, in 
>>>   import gtk
>>> ImportError: No module named gtk
>>>
>>> If it needs a GUI, then that won't work here.  Headless system.
>>>
>> Nahh... you want to instal setroubleshoot.
>>
>> mark
>>
>> ___
>> CentOS mailing list
>>

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz 



On 12/28/2016 06:05 PM, J Martin Rushton wrote:


On 28/12/16 21:24, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:


On 12/28/2016 03:32 PM, J Martin Rushton wrote:

On 28/12/16 20:11, Robert Moskowitz wrote:

On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz

wrote:

Which is why I wonder if there is some different config for the
C7.3
version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in
/var/log/audit/audit.log?

Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
rv:50.0)
Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
open
directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions
will
be allowed


So something may well not be right with my SELinux.


Bang. I would suggest, at this point, that you might want to set
selinux
into permissive mode, so you'll get the error messages from it, and
can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on
this image.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:

No GUI in the base image.  And on arm, we tend to use Xfce.


# /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.


It generates suggestions to fix SELinx issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.

I have never had it make useful suggestions to my on my notebook, but we
will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
File "/usr/bin/sealert", line 651, in 
  import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.


Nahh... you want to instal setroubleshoot.

mark

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Sorry, missed the no GUI if it was mentioned earlier.


Never mentioned it.  I have not checked to see what GUI has been ported 
to try and load something.  I *DO* use Xfce with Fedora-arm systems.  
But I would have to hook this little server up to such.



You _might_ get away with ssh -Y from a workstation but you might end up 
wasting time.
No guarantees I'm afraid. :-) Martin


Yeah, ssh -Y can be such fun with a headless system.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz 



On 12/28/2016 04:24 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:


On 12/28/2016 03:32 PM, J Martin Rushton wrote:

On 28/12/16 20:11, Robert Moskowitz wrote:

On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz

wrote:

Which is why I wonder if there is some different config for the
C7.3
version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in
/var/log/audit/audit.log?

Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
rv:50.0)
Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
open
directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions
will
be allowed


So something may well not be right with my SELinux.


Bang. I would suggest, at this point, that you might want to set
selinux
into permissive mode, so you'll get the error messages from it, and
can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on
this image.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:

No GUI in the base image.  And on arm, we tend to use Xfce.


# /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.


It generates suggestions to fix SELinx issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.

I have never had it make useful suggestions to my on my notebook, but we
will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
File "/usr/bin/sealert", line 651, in 
  import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.


Nahh... you want to instal setroubleshoot.


# yum install setroubleshoot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
No package setroubleshoot available.
Error: Nothing to do


:(


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread J Martin Rushton 


On 28/12/16 21:24, m.r...@5-cent.us wrote:
> Robert Moskowitz wrote:
>>
>>
>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>>
>>> On 28/12/16 20:11, Robert Moskowitz wrote:

 On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
> Robert Moskowitz wrote:
>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>>> 
>>> wrote:
 Which is why I wonder if there is some different config for the
 C7.3
 version
 of apache.

 Or something with the C7-arm build...
>>> Can you check for SELinux warnings/errors in
>>> /var/log/audit/audit.log?
>> Good advice.  As I suspect the problem is with SELinux.
>>
>> So I tried an access.  What follows is the access_log entry, the
>> error_log entry and the 3 entries in the audit.log:
>>
>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>> rv:50.0)
>> Gecko/20100101 Firefox/50.0"
>>
>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>> open
>> directory for index: /home/rgm/public_html/family/
>>
>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>> permissive=0
>>
>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>> suid=48
>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>> comm="httpd"
>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>
>> type=PROCTITLE msg=audit(1482944350.289:339):
>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>
>>
>> I will say that after enabling selinux on this image per the
>> instructions of the team doing the Centos7-arm builds, I got the
>> following messages when I did things like 'setsebool -P
>> httpd_enable_homedirs on':
>>
>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>> [ 2273.052531] SELinux: the above unknown classes and permissions
>> will
>> be allowed
>>
>>
>> So something may well not be right with my SELinux.
>>
> Bang. I would suggest, at this point, that you might want to set
> selinux
> into permissive mode, so you'll get the error messages from it, and
> can
> work out fixes, but will let your system operate as you intend.
> setselinux 0
>
> Note that this is *temporary*, and will revert on reboot. To make it
> permanent, you'd need to edit /etc/selinux/config.
 Thanks, Mark, I was just getting around to that way of thinking.

 The command, at least on my Centos7-arm system is

 setenforce 0

 A presto it works.  So now to figure out what is wrong with SElinux on
 this image.

 ___
 CentOS mailing list
 CentOS@centos.org
 https://lists.centos.org/mailman/listinfo/centos
>>> Have you got the setroubleshoot-server package installed?  For x86_64 it
>>> is part of the base repository, obviously arm may differ.  The package
>>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
>>> menu, or it can be launched via:
>>
>> No GUI in the base image.  And on arm, we tend to use Xfce.
>>
>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>
>> no sealert bin file, so it is off to install it.
>>
>>> It generates suggestions to fix SELinx issues.  Sometimes it is quite
>>> useful, on other occasions it just lists vast numbers of possibilities
>>> with little or no help.  On balance it is worth trying for when it does
>>> help.
>>
>> I have never had it make useful suggestions to my on my notebook, but we
>> will see...
>>
>> so here is what happens after I install it:
>>
>> # /usr/bin/python -Es /usr/bin/sealert -s
>> Opps, sealert hit an error!
>>
>> Traceback (most recent call last):
>>File "/usr/bin/sealert", line 651, in 
>>  import gtk
>> ImportError: No module named gtk
>>
>> If it needs a GUI, then that won't work here.  Headless system.
>>
> Nahh... you want to instal setroubleshoot.
> 
>mark
> 
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
> 
Sorry, missed the no GUI if it was mentioned earlier.  You _might_ get
away with ssh -Y from a workstation but you might end up wasting time.
No guarantees I'm afraid. :-) Martin



signature.asc
Description: OpenPGP

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread m . roth 
Robert Moskowitz wrote:
>
>
> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>
>> On 28/12/16 20:11, Robert Moskowitz wrote:
>>>
>>> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
 Robert Moskowitz wrote:
> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>> 
>> wrote:
>>> Which is why I wonder if there is some different config for the
>>> C7.3
>>> version
>>> of apache.
>>>
>>> Or something with the C7-arm build...
>> Can you check for SELinux warnings/errors in
>> /var/log/audit/audit.log?
> Good advice.  As I suspect the problem is with SELinux.
>
> So I tried an access.  What follows is the access_log entry, the
> error_log entry and the 3 entries in the audit.log:
>
> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
> rv:50.0)
> Gecko/20100101 Firefox/50.0"
>
> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
> open
> directory for index: /home/rgm/public_html/family/
>
> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
> permissive=0
>
> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
> suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> comm="httpd"
> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> type=PROCTITLE msg=audit(1482944350.289:339):
> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>
>
> I will say that after enabling selinux on this image per the
> instructions of the team doing the Centos7-arm builds, I got the
> following messages when I did things like 'setsebool -P
> httpd_enable_homedirs on':
>
> [ 2273.047017] SELinux:  Class binder not defined in policy.
> [ 2273.052531] SELinux: the above unknown classes and permissions
> will
> be allowed
>
>
> So something may well not be right with my SELinux.
>
 Bang. I would suggest, at this point, that you might want to set
 selinux
 into permissive mode, so you'll get the error messages from it, and
 can
 work out fixes, but will let your system operate as you intend.
 setselinux 0

 Note that this is *temporary*, and will revert on reboot. To make it
 permanent, you'd need to edit /etc/selinux/config.
>>> Thanks, Mark, I was just getting around to that way of thinking.
>>>
>>> The command, at least on my Centos7-arm system is
>>>
>>> setenforce 0
>>>
>>> A presto it works.  So now to figure out what is wrong with SElinux on
>>> this image.
>>>
>>> ___
>>> CentOS mailing list
>>> CentOS@centos.org
>>> https://lists.centos.org/mailman/listinfo/centos
>> Have you got the setroubleshoot-server package installed?  For x86_64 it
>> is part of the base repository, obviously arm may differ.  The package
>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
>> menu, or it can be launched via:
>
> No GUI in the base image.  And on arm, we tend to use Xfce.
>
>> # /usr/bin/python -Es /usr/bin/sealert -s
>
> no sealert bin file, so it is off to install it.
>
>> It generates suggestions to fix SELinx issues.  Sometimes it is quite
>> useful, on other occasions it just lists vast numbers of possibilities
>> with little or no help.  On balance it is worth trying for when it does
>> help.
>
> I have never had it make useful suggestions to my on my notebook, but we
> will see...
>
> so here is what happens after I install it:
>
> # /usr/bin/python -Es /usr/bin/sealert -s
> Opps, sealert hit an error!
>
> Traceback (most recent call last):
>File "/usr/bin/sealert", line 651, in 
>  import gtk
> ImportError: No module named gtk
>
> If it needs a GUI, then that won't work here.  Headless system.
>
Nahh... you want to instal setroubleshoot.

   mark

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz 



On 12/28/2016 03:32 PM, J Martin Rushton wrote:


On 28/12/16 20:11, Robert Moskowitz wrote:


On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz 
wrote:

Which is why I wonder if there is some different config for the C7.3
version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in /var/log/audit/audit.log?

Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions will
be allowed


So something may well not be right with my SELinux.


Bang. I would suggest, at this point, that you might want to set selinux
into permissive mode, so you'll get the error messages from it, and can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on
this image.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:


No GUI in the base image.  And on arm, we tend to use Xfce.


# /usr/bin/python -Es /usr/bin/sealert -s


no sealert bin file, so it is off to install it.


It generates suggestions to fix SELinx issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.


I have never had it make useful suggestions to my on my notebook, but we 
will see...


so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
  File "/usr/bin/sealert", line 651, in 
import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] CentOS 7 and systemd: SysV initscript: how detect boot vs. interactive use?

2016-12-28 Thread whitivery 
whitivery  wrote:

>Jonathan Billings 
>wrote:
>
>>On Sun, Dec 18, 2016 at 08:50:54PM -0800, whitivery wrote:
>>> It is a system with several servers (various platforms/distros).
>>> 
>>> One piece of software runs on all of the servers.  For it to operate
>>> correctly, the instance on one server (prime) must start before the others
>>> (auxiliary).
>>> 
>>> So a boot delay is added (via a script sourced from initscript, which
>>> first waits for network to come up) to set the boot delay values for each
>>> server - prime at 0, others at some other value of 15 to 110 seconds
>>> depending on platform.
>>> 
>>> But when it is necessary to manipulate the service interactively via the
>>> "service" command, the boot delay needs to be bypassed.
>>
>>Well, the first thing I'd do is make the service wait for the network
>>to be online.  In the [Unit] section add Wants=network-online.target.
>>
>>Secondly, I'd try to find a way for the auxiliary services to ping the
>>prime service to ensure its up, and make that script a ExecStartPre
>>entry in the [Service] section.  You'll want to adjust the
>>TimeoutStartSec in case it might exceed the DefaultTimeoutStartSec in
>>/etc/systemd/system.conf, which is 90 seconds.
>
>Thank you for the idea, but as mentioned, the same service runs on a mix
>of server platforms and distros, and the older ones do not use systemd, so
>I'd prefer to stick with SysV type initscripts that work on all of them.

Follow-up: with no other solution, I solved the problem externally.

I made an alias (actually, a shell function) for "service".  If the
interactive user is trying to start or restart the affected service, a
flag (sourced environment variable in a file under /etc/default) is set,
the real service binary is called, the initscript sees the flag and skips
the boot delay, then the "service" function restores the flag.

Less than ideal but it works.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread m . roth 
Robert Moskowitz wrote:
> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>> Robert Moskowitz wrote:

>> Bang. I would suggest, at this point, that you might want to set selinux
>> into permissive mode, so you'll get the error messages from it, and can
>> work out fixes, but will let your system operate as you intend.
>> setselinux 0
>>
>> Note that this is *temporary*, and will revert on reboot. To make it
>> permanent, you'd need to edit /etc/selinux/config.
>
> Thanks, Mark, I was just getting around to that way of thinking.
>
> The command, at least on my Centos7-arm system is
>
> setenforce 0
>
Sorry. Clearly, there's too much blood in my caffeine stream

> A presto it works.  So now to figure out what is wrong with SElinux on
> this image.

Good luck.

   mark

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread J Martin Rushton 


On 28/12/16 20:11, Robert Moskowitz wrote:
> 
> 
> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>> Robert Moskowitz wrote:
>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
 On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz 
 wrote:
> Which is why I wonder if there is some different config for the C7.3
> version
> of apache.
>
> Or something with the C7-arm build...
 Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>>> Good advice.  As I suspect the problem is with SELinux.
>>>
>>> So I tried an access.  What follows is the access_log entry, the
>>> error_log entry and the 3 entries in the audit.log:
>>>
>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
>>> Gecko/20100101 Firefox/50.0"
>>>
>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
>>> directory for index: /home/rgm/public_html/family/
>>>
>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>> permissive=0
>>>
>>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>
>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>
>>>
>>> I will say that after enabling selinux on this image per the
>>> instructions of the team doing the Centos7-arm builds, I got the
>>> following messages when I did things like 'setsebool -P
>>> httpd_enable_homedirs on':
>>>
>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>> [ 2273.052531] SELinux: the above unknown classes and permissions will
>>> be allowed
>>>
>>>
>>> So something may well not be right with my SELinux.
>>>
>> Bang. I would suggest, at this point, that you might want to set selinux
>> into permissive mode, so you'll get the error messages from it, and can
>> work out fixes, but will let your system operate as you intend.
>> setselinux 0
>>
>> Note that this is *temporary*, and will revert on reboot. To make it
>> permanent, you'd need to edit /etc/selinux/config.
> 
> Thanks, Mark, I was just getting around to that way of thinking.
> 
> The command, at least on my Centos7-arm system is
> 
> setenforce 0
> 
> A presto it works.  So now to figure out what is wrong with SElinux on
> this image.
> 
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos

Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:

# /usr/bin/python -Es /usr/bin/sealert -s

It generates suggestions to fix SELinx issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.



signature.asc
Description: OpenPGP digital signature
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz 



On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz 
wrote:

Which is why I wonder if there is some different config for the C7.3
version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in /var/log/audit/audit.log?

Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions will
be allowed


So something may well not be right with my SELinux.


Bang. I would suggest, at this point, that you might want to set selinux
into permissive mode, so you'll get the error messages from it, and can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.


Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on 
this image.



___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread m . roth 
Robert Moskowitz wrote:
> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz 
>> wrote:
>>> Which is why I wonder if there is some different config for the C7.3
>>> version
>>> of apache.
>>>
>>> Or something with the C7-arm build...
>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>
> Good advice.  As I suspect the problem is with SELinux.
>
> So I tried an access.  What follows is the access_log entry, the
> error_log entry and the 3 entries in the audit.log:
>
> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
> Gecko/20100101 Firefox/50.0"
>
> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
> directory for index: /home/rgm/public_html/family/
>
> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
> permissive=0
>
> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> type=PROCTITLE msg=audit(1482944350.289:339):
> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>
>
> I will say that after enabling selinux on this image per the
> instructions of the team doing the Centos7-arm builds, I got the
> following messages when I did things like 'setsebool -P
> httpd_enable_homedirs on':
>
> [ 2273.047017] SELinux:  Class binder not defined in policy.
> [ 2273.052531] SELinux: the above unknown classes and permissions will
> be allowed
>
>
> So something may well not be right with my SELinux.
>
Bang. I would suggest, at this point, that you might want to set selinux
into permissive mode, so you'll get the error messages from it, and can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

  mark
 mark

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz 



On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz  wrote:

Which is why I wonder if there is some different config for the C7.3 version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in /var/log/audit/audit.log?


Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the 
error_log entry and the 3 entries in the audit.log:


192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ 
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) 
Gecko/20100101 Firefox/50.0"


[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] 
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open 
directory for index: /home/rgm/public_html/family/




type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for 
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir 
permissive=0


type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" 
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)


type=PROCTITLE msg=audit(1482944350.289:339): 
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44



I will say that after enabling selinux on this image per the 
instructions of the team doing the Centos7-arm builds, I got the 
following messages when I did things like 'setsebool -P 
httpd_enable_homedirs on':


[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions will 
be allowed



So something may well not be right with my SELinux.

Bob

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz 



On 12/28/2016 09:26 AM, Louis Lagendijk wrote:

On Wed, 2016-12-28 at 08:20 -0500, Robert Moskowitz wrote:

On 12/28/2016 07:35 AM, Louis Lagendijk wrote:

Robert,
On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote:

On 12/28/2016 01:12 AM, Robert Moskowitz wrote:

On 12/27/2016 07:06 PM, John Fawcett wrote:

On 12/28/2016 12:34 AM, Robert Moskowitz wrote:

On 12/27/2016 05:44 PM, John Fawcett wrote:

That error should be caused by having MultiViews options
but
incorrect
permissions (711 instead of 755) on the directory.

I just did chmod -R 755 /home/rgm/public_html and no change
in
behavior.

Even tried chmod -R 755 /home/rgm

Are you actually using MultiViews? If you don't need that
option,
maybe
the easiest thing is to take it out and see if the error
message
changes.

I am using the default conf file for userdir.

/etc/httpd/conf.d/userdir.conf

So I deleted Multiviews and now the error is:

[Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
(13)Permission denied: [client 192.168.160.12:55762] AH01275:
Can't
open directory for index: /home/rgm/public_html/family/




I know this is not going to help, but that error means that
apache
does
not have access to read the directory
/home/rgm/public_html/family/.
That doesn't really fit with the rest of the evidence, that you
have
chmod 755 everything from /home/rgm/public_html downwards and
that
apache can read specific files from /home/rgm/public_html.
John

but is apache allowed access to /home/rgm ?
Try su - apache -s /bin/bash to run a shell as apache and see how
far
you get starting from cd /home and if that works cd /home/rgm and
so
on... That will check normal user permissions, but not selinux

Command apache not known!

All I installed, directly, for the web server was 'yum install
httpd'.



In a single command from root:
su - apache -s /bin/bash
The "su -" is part of the command


I really did not read your instructions well enough.  I got it this time 
and followed it.


I had no problem CDing all the way up the /home tree, doing 'ls' along 
the way.


So normal user permissions work.  I have to check out selinux as Todor 
recommended.


There was/is some sort of selinux issue with this C7-arm image.  I will 
post all of that in a separate message.  Plus some posts on the 
centos-arm list will be needed.


Bob

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Louis Lagendijk 
On Wed, 2016-12-28 at 08:20 -0500, Robert Moskowitz wrote:
> 
> On 12/28/2016 07:35 AM, Louis Lagendijk wrote:
> > Robert,
> > On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote:
> > > On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
> > > > 
> > > > On 12/27/2016 07:06 PM, John Fawcett wrote:
> > > > > On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
> > > > > > On 12/27/2016 05:44 PM, John Fawcett wrote:
> > > > > > > That error should be caused by having MultiViews options
> > > > > > > but
> > > > > > > incorrect
> > > > > > > permissions (711 instead of 755) on the directory.
> > > > > > 
> > > > > > I just did chmod -R 755 /home/rgm/public_html and no change
> > > > > > in
> > > > > > behavior.
> > > > > > 
> > > > > > Even tried chmod -R 755 /home/rgm
> > > > > 
> > > > > Are you actually using MultiViews? If you don't need that
> > > > > option,
> > > > > maybe
> > > > > the easiest thing is to take it out and see if the error
> > > > > message
> > > > > changes.
> > > > 
> > > > I am using the default conf file for userdir.
> > > > 
> > > > /etc/httpd/conf.d/userdir.conf
> > > > 
> > > > So I deleted Multiviews and now the error is:
> > > > 
> > > > [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
> > > > (13)Permission denied: [client 192.168.160.12:55762] AH01275:
> > > > Can't
> > > > open directory for index: /home/rgm/public_html/family/
> > > > 
> > > > 
> > > > 
> > > 
> > > I know this is not going to help, but that error means that
> > > apache
> > > does
> > > not have access to read the directory
> > > /home/rgm/public_html/family/.
> > > That doesn't really fit with the rest of the evidence, that you
> > > have
> > > chmod 755 everything from /home/rgm/public_html downwards and
> > > that
> > > apache can read specific files from /home/rgm/public_html.
> > > John
> > 
> > but is apache allowed access to /home/rgm ?
> > Try su - apache -s /bin/bash to run a shell as apache and see how
> > far
> > you get starting from cd /home and if that works cd /home/rgm and
> > so
> > on... That will check normal user permissions, but not selinux
> 
> Command apache not known!
> 
> All I installed, directly, for the web server was 'yum install
> httpd'.
> 
> 
In a single command from root:
su - apache -s /bin/bash
The "su -" is part of the command
/Louis
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
> 

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz 



On 12/28/2016 07:35 AM, Louis Lagendijk wrote:

Robert,
On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote:

On 12/28/2016 01:12 AM, Robert Moskowitz wrote:


On 12/27/2016 07:06 PM, John Fawcett wrote:

On 12/28/2016 12:34 AM, Robert Moskowitz wrote:

On 12/27/2016 05:44 PM, John Fawcett wrote:

That error should be caused by having MultiViews options but
incorrect
permissions (711 instead of 755) on the directory.

I just did chmod -R 755 /home/rgm/public_html and no change in
behavior.

Even tried chmod -R 755 /home/rgm

Are you actually using MultiViews? If you don't need that option,
maybe
the easiest thing is to take it out and see if the error message
changes.

I am using the default conf file for userdir.

/etc/httpd/conf.d/userdir.conf

So I deleted Multiviews and now the error is:

[Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
(13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
open directory for index: /home/rgm/public_html/family/




I know this is not going to help, but that error means that apache
does
not have access to read the directory /home/rgm/public_html/family/.
That doesn't really fit with the rest of the evidence, that you have
chmod 755 everything from /home/rgm/public_html downwards and that
apache can read specific files from /home/rgm/public_html.
John

but is apache allowed access to /home/rgm ?
Try su - apache -s /bin/bash to run a shell as apache and see how far
you get starting from cd /home and if that works cd /home/rgm and so
on... That will check normal user permissions, but not selinux


Command apache not known!

All I installed, directly, for the web server was 'yum install httpd'.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

[CentOS] GRE based attack?

2016-12-28 Thread Robert Moskowitz 
My new Centso7 server that I am testing out is connected with a public 
address on my dmz.  I am connected to the console port. Overnight the 
following message was logged to the console:


 [44133.679108] conntrack: generic helper won't handle protocol 47. 
Please consider loading the specific helper module.


Protocol 47 is GRE.  So was this 'just' an a ping by an attacker?

No one, but I have any business on this server.  Well other than the 
files I put up for people.


thanks


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Louis Lagendijk 
Robert,
On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote:
> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
> > 
> > 
> > On 12/27/2016 07:06 PM, John Fawcett wrote:
> > > On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
> > > > 
> > > > On 12/27/2016 05:44 PM, John Fawcett wrote:
> > > > > That error should be caused by having MultiViews options but
> > > > > incorrect
> > > > > permissions (711 instead of 755) on the directory.
> > > > 
> > > > I just did chmod -R 755 /home/rgm/public_html and no change in
> > > > behavior.
> > > > 
> > > > Even tried chmod -R 755 /home/rgm
> > > 
> > > Are you actually using MultiViews? If you don't need that option,
> > > maybe
> > > the easiest thing is to take it out and see if the error message
> > > changes.
> > 
> > I am using the default conf file for userdir.
> > 
> > /etc/httpd/conf.d/userdir.conf
> > 
> > So I deleted Multiviews and now the error is:
> > 
> > [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
> > (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
> > open directory for index: /home/rgm/public_html/family/
> > 
> > 
> > 
> 
> I know this is not going to help, but that error means that apache
> does
> not have access to read the directory /home/rgm/public_html/family/.
> That doesn't really fit with the rest of the evidence, that you have
> chmod 755 everything from /home/rgm/public_html downwards and that
> apache can read specific files from /home/rgm/public_html.
> John
but is apache allowed access to /home/rgm ?
Try su - apache -s /bin/bash to run a shell as apache and see how far
you get starting from cd /home and if that works cd /home/rgm and so
on... That will check normal user permissions, but not selinux
/Louis
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] nVidia K1200 on Centos

2016-12-28 Thread Ned Slider 

On 28/12/16 01:07, H wrote:

Can anyone confirm that the above 4-port card is supported at its full 
resolution and capabilities under CentOS 6 and/or 7? The card has four 
DisplayPort 1.2 connectors, each capable of driving a 4K monitor.

Thank you.


According to NVIDIA the card is supported by the latest NVIDIA 
proprietary driver:


ftp://download.nvidia.com/XFree86/Linux-x86_64/375.26/README/supportedchips.html

I believe support was added in the 346.xx series driver, so anything 
newer than that should support your card.


Hope that helps.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread John Fawcett 
On 12/28/2016 04:16 AM, Robert Moskowitz wrote:
>
>
> On 12/27/2016 08:20 PM, John Fawcett wrote:
>> On 12/28/2016 01:43 AM, John Fawcett wrote:
>>> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
 On 12/27/2016 07:06 PM, John Fawcett wrote:
> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>> That error should be caused by having MultiViews options but
>>> incorrect
>>> permissions (711 instead of 755) on the directory.
>> I just did chmod -R 755 /home/rgm/public_html and no change in
>> behavior.
>>
>> Even tried chmod -R 755 /home/rgm
> Are you actually using MultiViews? If you don't need that option,
> maybe
> the easiest thing is to take it out and see if the error message
> changes.
 I am using the default conf file for userdir.

 /etc/httpd/conf.d/userdir.conf

 So I deleted Multiviews and now the error is:

 [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
 (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
 open directory for index: /home/rgm/public_html/family/


 
>>> I know this is not going to help, but that error means that apache does
>>> not have access to read the directory /home/rgm/public_html/family/.
>>> That doesn't really fit with the rest of the evidence, that you have
>>> chmod 755 everything from /home/rgm/public_html downwards and that
>>> apache can read specific files from /home/rgm/public_html.
>>> John
>>> ___
>>> CentOS mailing list
>>> CentOS@centos.org
>>> https://lists.centos.org/mailman/listinfo/centos
>> Here is a small test program that you can use to check the permissions.
>>
>> You can compile it with:
>>
>> cc -o test test.c
>
> This is on Centos7-arm, so I will have to install all the build stuff,
> and hopefully won't take too long to compile
>
> Tomorrow most likely.
>
>
>
>>
>> then run it with:
>>
>> ./test apache /home/rgm/public_html/family/
>>
>> where apache is the name of the user that your web server runs under
>> (check it with ps -ef | grep http). You should run it as root (or from
>> sudo).
>>
>> John
>>
>> --test.c---
>>
>> #include 
>> #include 
>> #include 
>> #include 
>> #include 
>> #include 
>> #include 
>>
>> int
>> main(int argc, char *argv[])
>> {
>>  struct passwd pwd;
>>  struct passwd *result;
>>  char *buf;
>>  size_t bufsize;
>>  int s;
>>
>> if (argc != 3) {
>>  fprintf(stderr, "Usage: %s username directory\n", argv[0]);
>>  exit(EXIT_FAILURE);
>>  }
>>
>> bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
>>  if (bufsize == -1)  /* Value was indeterminate */
>>  bufsize = 16384;/* Should be more than enough */
>>
>> buf = malloc(bufsize);
>>  if (buf == NULL) {
>>  perror("malloc");
>>  exit(EXIT_FAILURE);
>>  }
>>
>> s = getpwnam_r(argv[1], , buf, bufsize, );
>>  if (result == NULL) {
>>  if (s == 0)
>>  printf("Not found\n");
>>  else {
>>  errno = s;
>>  perror("getpwnam_r");
>>  }
>>  exit(EXIT_FAILURE);
>>  }
>>
>>  printf("Name: %s; UID: %ld GID: %ld\n", pwd.pw_gecos, (long)
>> pwd.pw_uid, (long) pwd.pw_gid);
>>
>>  /* process is running as root, drop privileges */
>>
>>  if (getuid() == 0) {
>>  if (setgid(pwd.pw_gid) != 0) {
>>  perror("setgid: Unable to drop group privileges");
>>  exit(EXIT_FAILURE);
>>  }
>>  if (setuid(pwd.pw_uid) != 0) {
>>  perror("setuid: Unable to drop user privileges");
>>  exit(EXIT_FAILURE);
>>  }
>>  printf("dropped privileges\n");
>>  } else {
>>  errno = ENOTSUP;
>>  perror("process is not running as root cannot change user\n");
>>  exit(EXIT_FAILURE);
>>  }
>>
>>  /* check privileges really dropped */
>>
>>  if (setuid(0) != -1) {
>>  errno = ENOTSUP;
>>  perror("ERROR: Managed to regain root privileges");
>>  exit(EXIT_FAILURE);
>>  }
>>
>>  /* open directory */
>>
>>  DIR * d;
>>  d = opendir(argv[2]);
>>  printf("Attempting to open directory %s\n",argv[2]);
>>  if (d == NULL) {
>>  perror("Error opening directory");
>>  exit(EXIT_FAILURE);
>>  } else {
>>  printf("Success opening directory %s\n",argv[2]);
>>  }
>>  exit(EXIT_SUCCESS);
>> }
>>
>>
>> ___
>> CentOS mailing list
>> CentOS@centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>>
>
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos

I'm not sure if it is worth installing a build system just for this
unless you need it for other stuff. Maybe other lines of

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Todor Petkov 
On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz  wrote:
>
> Which is why I wonder if there is some different config for the C7.3 version
> of apache.
>
> Or something with the C7-arm build...

Can you check for SELinux warnings/errors in /var/log/audit/audit.log?

Regards,
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos