| 00:53.18 | *** join/#fredlug jsmith (n=jsmith@000-222-051.area3.spcsdns.net) |
| 01:33.19 | *** join/#fredlug jsmith (n=jsmith@000-251-381.area3.spcsdns.net) |
| 02:21.15 | plarsen | stickster: ok, I'm still not getting a hang of this SELinux stuff :( I'm unable to use NFS on a host, and when I look at the NFS host's dmesg, I get a lot of SELinux denied |
| 02:21.33 | plarsen | stickster: for portmap, trying to access hosts.deny |
| 02:21.47 | plarsen | stickster: I'm confused to what the heck it's missing?? |
| 02:22.18 | plarsen | "scontext=user_u:system_r:portmap_t tcontext=user_u_object_r:etc_runtime_t tclass=file |
| 02:22.44 | plarsen | I'm aware that portmap cannot access /etc/hosts.deny ... but WHY? |
| 02:33.24 | plarsen | Never mind ... did a restorecon on it.... solve the problem |
| 02:40.23 | plarsen | s/solve/solved/ |
| 05:01.09 | *** join/#fredlug jsmith_ (n=jsmith@000-145-227.area3.spcsdns.net) |
| 06:38.18 | *** join/#fredlug jsmith (n=jsmith@h46058be6.area7.spcsdns.net) |
| 08:38.20 | *** join/#fredlug jsmith (n=jsmith@h46052958.area3.spcsdns.net) |
| 10:06.02 | *** join/#fredlug jsmith (n=jsmith@000-176-699.area3.spcsdns.net) |
| 10:50.22 | *** join/#fredlug jsmith (n=jsmith@70.5.213.6) |
| 12:24.13 | *** join/#fredlug jsmith (n=jsmith@h4605b89e.area7.spcsdns.net) |
| 15:03.49 | stickster | plarsen_away: If you've been running a "disabled" SELinux mode, you should probably think about doing a complete file system relabel, which you can do by touching /.autorelabel and then rebooting |
| 15:04.41 | jsmith | stickster! |
| 15:04.46 | jsmith | Welcome back to the right coast! |
| 15:04.48 | stickster | Hi jsmith |
| 15:05.24 | stickster | Yeah, nice to be back, except I have an awful spasm in my upper back/neck |
| 16:37.04 | *** join/#fredlug plarsen (n=plarsen@w158.z06400088.was-dc.dsl.cnc.net) |
| 16:38.10 | plarsen | howdy sirs |
| 17:06.05 | jsmith | plarsen! |
| 17:06.18 | jsmith | Did you get your local Fedora repo set up? |
| 18:18.58 | plarsen | hey jared ... |
| 18:19.36 | plarsen | well, no - I poofed my VM trying to make more space for it ... I "ignored" the "remove all snapshots first" requirement and ended up with a host that couldn't do anything:( |
| 18:19.54 | jsmith | Ouch. |
| 18:19.56 | plarsen | Now I'm doing what I thought was a snap, which is setting up the HTTP for Fedora/CentOS install ... |
| 18:20.05 | plarsen | GRR - I'm getting ot REALLY hate SELInux :( |
| 18:20.09 | plarsen | We're NOT friends! |
| 18:21.10 | plarsen | tells me that root:system_r:httpd_t is required for files for the Apache server. Great! But when I enter "chcon -t system_r:httpd_t ." I'm told that no such context exist :( |
| 18:51.43 | stickster | plarsen_away: chcon -t httpd_t |
| 18:52.13 | stickster | There are three main dimensions, the user, the role, and the type |
| 18:52.18 | stickster | system_r is a role |
| 18:52.43 | stickster | (There's also a range, used only a few places) |
| 18:52.59 | stickster | jsmith: heh |
| 18:53.10 | jsmith | Actually, I'm just lazy |
| 18:53.19 | stickster | If you put files in an expected area, e.g. under /var/www, they'll get labeled appropriately |
| 18:53.22 | jsmith | I know all the theory about why SELinux is cool. |
| 18:53.32 | jsmith | I just haven't taken the time to actually *learn* it |
| 18:53.37 | stickster | Otherwise you have to either label them or just use a boolean to allow httpd to parse other public areas |
| 18:53.45 | plarsen | stickster: well, not enough room on /var |
| 18:53.53 | plarsen | So hence they're on their own mount point |
| 18:54.28 | stickster | plarsen: Aha, just mount with the option context=system_u:object_r:httpd_sys_content_t |
| 18:54.39 | plarsen | So far, the only thing I can get to work is "setenforce 0" :( |
| 18:55.07 | plarsen | the mount point is used for more than httpd ... it's a sub directory of the mount point. So is that a good idea? |
| 18:55.44 | stickster | OK, just relabel the sub that serves up HTTP files then |
| 18:55.59 | plarsen | That's what I've tried to do ... |
| 18:56.05 | plarsen | I've done the httpd_sys_content_t ... |
| 18:56.10 | plarsen | But still - "no access" :( |
| 18:56.44 | plarsen | ls -Z gives: root:object_r:httpd_sys_content_t for all |
| 18:57.18 | stickster | What's the AVC message? |
| 18:57.37 | plarsen | can't paste from there ... so here's typing :) |
| 18:57.41 | stickster | I usually use system_u instead of root |
| 18:58.32 | plarsen | avc: denied { getattr } for pid=23682 comm="httpd" name="software" dev=dm-6 ino+72324234 scontext=root:system_r:httpd_t tontext=root:objecT_r:file_t tclass=dir |
| 18:59.13 | stickster | What's the full path for that file? |
| 18:59.47 | plarsen | <PROTECTED> |
| 19:00.06 | plarsen | <PROTECTED> |
| 19:00.14 | plarsen | Software library basically |
| 19:00.24 | stickster | What reads that other than httpd? |
| 19:01.05 | plarsen | <PROTECTED> |
| 19:03.04 | plarsen | CentOS is dual access from NFS |
| 19:04.07 | stickster | My box has a boolean to allow httpd to access NFS file systems |
| 19:04.16 | stickster | Oh wait, that's remote fs. |
| 19:04.17 | stickster | never mind |
| 19:05.36 | stickster | If you label all of /backup as httpd_sys_content_t, what happens with NFS? |
| 19:06.46 | plarsen | ehhh - don't know yet ... hang on. |
| 19:08.15 | plarsen | chcon: can't apply partial context to unlabled file /backup |
| 19:09.22 | plarsen | and when I try on /backup/software I get a lot of "failed to change context of ..... to root:httpd_sys_content_t:file_t: Invalid argument |
| 19:09.25 | plarsen | Why it's using file_t I don't know. |
| 19:12.13 | stickster | plarsen: Try: "chcon -R root:object_r:httpd_sys_content_t /backup" |
| 19:12.40 | stickster | plarsen: Or -- hang on-- |
| 19:13.24 | stickster | If httpd only needs to read /backup/software, do "fixfiles -F relabel /backup" |
| 19:13.39 | stickster | then do "chcon -R root:object_r:httpd_sys_content_t /backup/software" |
| 19:13.54 | stickster | A lot of this depends on what you've got in /backup. I don't know, but you do. |
| 19:20.34 | plarsen | nice "fixfiles" - gotta remember that one ;) |
| 19:20.41 | plarsen | Ok, the chcon now ran without issues. |
| 19:20.45 | plarsen | Just files ... loots of files ;) |
| 19:20.52 | plarsen | rpms, tars, jars |
| 19:24.46 | plarsen | I'm doing a remote install right now; so I'm not going to try to enable SE until that's done. |
| 19:24.57 | plarsen | Once complete, I'll let you know if this made any different to httpd |
| 19:47.53 | plarsen | nope - still same issue :( |
| 19:47.55 | plarsen | no access |
| 21:12.04 | *** join/#fredlug jsmith_ (n=jsmith@000-262-659.area3.spcsdns.net) |
| 21:46.00 | *** join/#fredlug jsmith (n=jsmith@000-262-659.area3.spcsdns.net) |
| 22:04.00 | stickster_afk | plarsen: What's the context for the /backup directory itself? And each component of the path down to the target file? |
| 22:04.38 | stickster | You'll want to try 'chcon root:object_r:httpd_sys_content_t /backup' and see the effects |
| 22:08.19 | plarsen | . /backup is system_u_object_r:default_t |
| 22:08.55 | plarsen | stickster_afk: I did the chcon for /backup/software which is where Apache goes .... |
| 22:58.33 | plarsen | time to go home .... |