[rt-users] Fwd: SELinux RT/syslog problem

Tom Smith aliase573201 at mac.com
Mon Nov 10 12:28:04 EST 2008 

Sorry, resending this to the list... Sent it from the wrong email  
address so the original didn't post to the list.

Begin forwarded message:

> From: Thomas Smith <>
> Date: November 10, 2008 9:59:35 AM MST
> To: Jerrad Pierce <jpierce at cambridgeenergyalliance.org>
> Cc: rt Users <rt-users at lists.bestpractical.com>
> Subject: Re: [rt-users] SELinux RT/syslog problem
>
> Hi Jerrad,
>
> Not all programs are SELinux-aware and so can muck things up a bit  
> sometimes. When this happens, the best thing to do is to relabel  
> the filesystem. To do this, execute the following commands:
>
> 	touch /.autorelabel
> 	reboot
>
> Keep in mind that the reboot may take a while.
>
> If you want to see which files have an incorrect label (according  
> to the SELinux' policy), you can run this command:
>
> 	restorecon -n -R -v /
>
> The switches have the following meanings:
>
> 	-n - Don't change any file labels. Allows you to see what will be  
> changed before committing to it (if you use the -v switch)--remove  
> the switch to relabel the affected files.
> 	-R - Recursive.
> 	-v - Tells "restorecon" to show which files/directories would be  
> changed and to what context. If you leave this switch out,  
> restorecon will exit silently.
>
> It's usually wise to relabel the filesystem when installing any  
> software that didn't come with your distribution. This will prevent  
> problems like these from going unnoticed for too long.
>
> ~ Tom
>
> On Nov 10, 2008, at 8:28 AM, Jerrad Pierce wrote:
>
>> Is anyone running RT on a box with SELinux (ES4 in my case)?
>> Everything's been going peachy until for some reason yesterday
>> things got mucked up on /dev/log and now apache/RT cannot log
>> to syslog, which means several functions like merging are currently
>> inaccessible. Anybody happen to know what the proper context is
>> for that file? It's currently: system_u:object_r:devlog_t and the
>> errors I'm getting are:
>>
>> #Pre- restorecon
>> Nov 9 19:30:25 rt kernel: audit(1226277025.460:207): avc: denied {
>> write } for pid=6378 comm="httpd.worker" name="log" dev=tmpfs
>> ino=32795 scontext=user_u:system_r:httpd_t
>> tcontext=root:object_r:device_t tclass=sock_file
>>
>> #Post- restorecon
>> Nov 9 20:23:25 rt kernel: audit(1226280205.215:999): avc: denied {
>> sendto } for pid=6873 comm="httpd.worker" name="log"
>> scontext=user_u:system_r:httpd_t tcontext=root:system_r:unconfined_t
>> tclass=unix_dgram_socket
>>
>> I've found a few pages online with hints on how I might be able to  
>> fix
>> this, but none use chcon and instead require modifying system  
>> policies
>> to add:
>>
>> allow httpd_t device_t:sock_file write;
>> allow httpd_t unconfined_t:unix_dgram_socket sendto;
>>
>> Which I cannot do as the necessary tools are not installed
>> (and the package manager is currently out of commission).
>> -- 
>> Cambridge Energy Alliance: Save money. Save the planet.
>> _______________________________________________
>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>
>> Community help: http://wiki.bestpractical.com
>> Commercial support: sales at bestpractical.com
>>
>>
>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>> Buy a copy at http://rtbook.bestpractical.com
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20081110/824eaf8c/attachment.htm>

More information about the rt-users mailing list