1

SELinux denes execute despite correct type context (LVS/IPVS/Piranha/Nanny sendprogram script)

view story
linux-howto

http://serverfault.com – The heartbeat type polling tool nanny (part of Piranha / Linux Virtual Server) is being denied access to my "sendprogram" scripts by SELinux. I think this is purely an SELinux issue not nanny. As I read it context unconfined_u:system_r:piranha_lvs_t:s0 is denied execute to unconfined_u:object_r:piranha_lvs_t:s0. So what am I doing wrong? Disabling SELinux (setenforce 0) works and the contexts are set as follows: Context # ll -Z /opt/ drwxr-xr-x. root root unconfined_u:object_r:piranha_lvs_t:s0 monitorscripts # ll -Z /opt/monitorscripts -rwxr-xr-x. root root unconfined_u:object_r:piranha (HowTos)

u85500's picture
Submitted by u85500 on 09/19/2012

Stories similar to SELinux denes execute despite correct type context (LVS/IPVS/Piranha/Nanny sendprogram script)

[yum@centos6dev ~]$ ls -laZ /home/yumdrwx------. yum yum unconfined_u:object_r:user_home_dir_t:s0 .drwxr-xr-x. root root system_u:object_r:home_roo... [by nikkilocke]

I have a CGI script called index.cgi

It is trying to read a log file called 10.128.0.242.2012.sep.20.downloaded.txt under the path /var/log/trafcount/

It appears that it is being blocked by selinux.

The audit log shows something like

type=AVC msg=audit(1348158321.873:1472116): avc: denied { read } for pid=11620 comm="index.cgi" name="10.128.0.242.2012.sep.20.downloaded.txt" dev=dm-0 ino=395264

So I've set up selinux to log all file access operations in a certain directory.

I currently have SELinux enabled and have been able to configure apache to allow access to /home/src/web with a chcon command granting the 'httpd_sys_content_t' type. But now I am trying to serve the rsyslogd.conf file from the same directory, but every time I start rsyslogd I see an entry in my audit log saying that rsyslogd was denied access.

Does anyone know which sebool it is to allow httpd write access to /home/user/html? When I disable selinux echo 0 > /selinux/enforce I can write, so definitely selinux. Just don't know which one is the right one without opening a big hole and Google isn't being much help.

#[/home]ls -Z drwxr-x---.

Before running restorecon -r /tftpboot I get the following SELinux Context:[root@CentOS02 ~]# ls -laZ /tftpboot drwxr-xr-x. root root unconfined_u:ob... [by draconisle]

piranha not working 2 years 29 weeks ago

Hi,

I have installed piranha on centos5.5 64 bit. I have disabled iptables. Now i see nanny is crashing or busy waiting on something. I did a strace -p <pid> and found this. And found that nanny is consuming cpu 100% on us. Here is the nanny process i found in my system.

root 9778 9770 49 Nov01 ?

apache mod_security logs F12 3 years 28 weeks ago

A new rpm for mode_security F12 simplified the rules to get it started. In the conf files the logs directive say to specify the path to the dir and make sure it exits. As this dir list shows ther are several. The suggested top dir is /var/log/msa

# cd /var/log/msa [root@Jovette-14 msa]# ls -laZ

I'm trying to run evince in the SELinux sandbox:

sandbox -X /usr/bin/evince Unixforpoets.pdf

but after waiting for minutes nothing happens, console doesn't outputs anything.