One lingering issue is that the Monitoring functionality is not entirely happy with SELinux. I suspect it has something to do with the contexts that the processes are running in.
From my server:

$ ps -aefZ | grep nocpul
unconfined_u:system_r:initrc_t:s0 root 19497 1 0 14:03 pts/0 00:00:00 /usr/bin/perl /usr/bin/gogo.pl --fname=NotifEscalator --user=nocpulse --hbfile=/var/log/nocpulse/notif-escalator.log --hbfreq=300 --hbcheck=600 -- /usr/bin/notif-escalator
unconfined_u:system_r:initrc_t:s0 nocpulse 19498 19497 0 14:03 pts/0 00:00:00 /usr/bin/perl /usr/bin/gogo.pl --fname=NotifEscalator --user=nocpulse --hbfile=/var/log/nocpulse/notif-escalator.log --hbfreq=300 --hbcheck=600 -- /usr/bin/notif-escalator
unconfined_u:system_r:initrc_t:s0 nocpulse 19499 19498 0 14:03 pts/0 00:00:00 /usr/bin/perl /usr/bin/notif-escalator

From the documentation at https://fedorahosted.org/spacewalk/wiki/Features/SELinux (under "Monitoring" heading):

root:system_r:spacewalk_monitoring_t root 1861 0.0 0.1 14596 1500 pts/2 S 12:06 0:00 /usr/bin/perl /usr/bin/gogo.pl --fname=GenerateNotifConfig --us
root:system_r:spacewalk_monitoring_t nocpulse 1862 0.0 0.2 14596 2460 pts/2 S 12:06 0:00 /usr/bin/perl /usr/bin/gogo.pl --fname=GenerateNotifConfig --us
root:system_r:spacewalk_monitoring_t nocpulse 1863 0.0 2.1 107412 20240 pts/2 S 12:06 0:00 /usr/bin/perl /usr/bin/generate-config

I'm guessing that my various monitoring processes should be running with "root:system_r:spacewalk_monitoring_t" instead of "unconfined_u:system_r:initrc_t:s0".

How do I resolve that? (I already have the "spacewalk-monitoring-selinux" RPM installed!)

Thanks in advance!

Andy

On 1/23/14 1:00 PM, "Andy Ingham" <[email protected]> wrote:

I've revisited my non-standard /var/satellite setup and have learned a lot more about SELinux to boot. I have a few remaining errors to double-check, but believe I'm at the point where SELinux will work properly with my spacewalk.

Thanks, everyone!

Andy

On 1/16/14 4:29 AM, "Michael Mraka" <[email protected]> wrote:

Andy Ingham wrote:
% Thanks, Michael and Jan, for your responses.
%
% I currently have SELinux in 'permissive' mode and have been reviewing the
% 'sealert -a audit.log' output periodically.
%
% Thanks to your confirmation, I'm fairly certain now that the issues I'm
% seeing are related to a non-standard setup I've got with the
% /var/satellite filesystem.

If your data subtree is /somewhere/else instead of standard /var/satellite use
    semanage fcontext -a -e /var/satellite /somewhere/else
to fix it (see man semanage).

% May be one more reason for me to revisit my current (non-standard) setup.
%
% Andy

Regards,

--
Michael Mráka
Satellite Engineering, Red Hat

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
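
A scripted form of the comparison made at the top of this thread, as an added example that is not part of any message on the list: it reads a ps listing with SELinux labels and reports monitoring processes whose type is not the expected domain. The names check_domain and sample_ps_lines are hypothetical, and the sample lines are abbreviated from the two listings quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). check_domain and sample_ps_lines are
# hypothetical names. Reads `ps -efZ` or `ps auxZ` style lines on stdin
# (label in column 1, user in column 2, PID in column 3) and reports every
# line matching PATTERN whose SELinux type is not EXPECTED_TYPE.
# Usage: check_domain EXPECTED_TYPE PATTERN < listing
# Exit status: 0 = every matching process is in the expected domain, 1 = not.
check_domain() {
    awk -v want="$1" -v pat="$2" '
        $0 ~ pat {
            # A context is user:role:type with an optional :level suffix.
            n = split($1, ctx, ":")
            if (n < 3) next            # header line or no SELinux label
            if (ctx[3] != want) {
                bad++
                printf "MISMATCH pid=%s user=%s type=%s (expected %s)\n", $3, $2, ctx[3], want
            }
        }
        END { exit (bad > 0) }
    '
}

# Sample input, abbreviated from the listings in the thread: three processes
# as seen on the poster's server and one line from the wiki listing.
sample_ps_lines() {
    cat <<'EOF'
unconfined_u:system_r:initrc_t:s0 root 19497 1 0 14:03 pts/0 00:00:00 /usr/bin/perl /usr/bin/gogo.pl --user=nocpulse
unconfined_u:system_r:initrc_t:s0 nocpulse 19498 19497 0 14:03 pts/0 00:00:00 /usr/bin/perl /usr/bin/gogo.pl --user=nocpulse
unconfined_u:system_r:initrc_t:s0 nocpulse 19499 19498 0 14:03 pts/0 00:00:00 /usr/bin/perl /usr/bin/notif-escalator
root:system_r:spacewalk_monitoring_t nocpulse 1863 0.0 2.1 107412 20240 pts/2 S 12:06 0:00 /usr/bin/perl /usr/bin/generate-config
EOF
}

# Demo on the sample. On a live host, save the listing to a file first
# (ps -efZ > listing) and feed that in, so that the awk process, whose own
# arguments contain the pattern, is not part of the input.
sample_ps_lines | check_domain spacewalk_monitoring_t nocpulse ||
    echo "some monitoring processes are outside spacewalk_monitoring_t"
```

The check only reports the mismatch; it does not change any labels or policy.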
