Bureaucrats, confirmed, Administrators
4,558
edits
Changes
Jump to navigation
Jump to search
Created page with "I know enough about SELinux to be "labelled" a newbie (and make bad puns). I've had a bit more experience dealing with [IPTables]]. With the disclaimers out of the way, ..."
I know enough about [[SELinux]] to be "labelled" a newbie (and make bad puns). I've had a bit more experience dealing with [IPTables]].
With the disclaimers out of the way, I just had to fix an SELinux problem on [[RHEL]] 6 yesterday so I can share with you what I did. I had just setup a code review system called ReviewBoard, however I could not configure ReviewBoard with any repositories - even though I could query those repositories from the command line. I suspected SELinux was blocking my application from communicating with the Interwebs.
Since mine was a "workstation" variety of RHEL6, I installed the [https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20Overview SETroubleShoot] application, so that I could avail myself of the <code>sealert</code> program. However, I was connected via SSH session and was unable to get X-forwarding to work. Without ready access to the graphical user interface of SETroubleshoot, I just examined the log files (<code>/var/log/audit/audit.log</code> for the most part, but I also took a look at <code>/var/log/messages</code>) for the signs that SELinux was blocking my application.
Indeed it was.
I saw messages like this (blocking the system's use of memcached):
<pre>type=AVC msg=audit(1396381963.998:5457): avc: denied { name_connect } for pid=11141 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket</pre>
I found out that I could use a tool called <code>audit2allow</code><ref>[http://fedoraproject.org/wiki/SELinux/audit2allow online man page]</ref> to turn those error messages into policies which could be loaded into SELinux.
<source lang="bash">
yum install setroubleshoot
# monitor the log files for DENIED
tail -f /var/log/audit/audit.log /var/log/messages
# Ctrl + C to cancel monitoring those files
# use the audit2allow tool to turn messages into a policy module
cat /var/log/audit/audit.log | audit2allow -M local
# install that policy module
semodule -i local.pp
</source>
== Turn off SELinux ==
Alternatively, you can just turn off SELinux and reboot the machine.
<source lang="bash">
echo 0 > /selinux/enforce
</source>
{{References}}
[[Category:System Administration]]
[[Category:Security]]
With the disclaimers out of the way, I just had to fix an SELinux problem on [[RHEL]] 6 yesterday so I can share with you what I did. I had just setup a code review system called ReviewBoard, however I could not configure ReviewBoard with any repositories - even though I could query those repositories from the command line. I suspected SELinux was blocking my application from communicating with the Interwebs.
Since mine was a "workstation" variety of RHEL6, I installed the [https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20Overview SETroubleShoot] application, so that I could avail myself of the <code>sealert</code> program. However, I was connected via SSH session and was unable to get X-forwarding to work. Without ready access to the graphical user interface of SETroubleshoot, I just examined the log files (<code>/var/log/audit/audit.log</code> for the most part, but I also took a look at <code>/var/log/messages</code>) for the signs that SELinux was blocking my application.
Indeed it was.
I saw messages like this (blocking the system's use of memcached):
<pre>type=AVC msg=audit(1396381963.998:5457): avc: denied { name_connect } for pid=11141 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket</pre>
I found out that I could use a tool called <code>audit2allow</code><ref>[http://fedoraproject.org/wiki/SELinux/audit2allow online man page]</ref> to turn those error messages into policies which could be loaded into SELinux.
<source lang="bash">
yum install setroubleshoot
# monitor the log files for DENIED
tail -f /var/log/audit/audit.log /var/log/messages
# Ctrl + C to cancel monitoring those files
# use the audit2allow tool to turn messages into a policy module
cat /var/log/audit/audit.log | audit2allow -M local
# install that policy module
semodule -i local.pp
</source>
== Turn off SELinux ==
Alternatively, you can just turn off SELinux and reboot the machine.
<source lang="bash">
echo 0 > /selinux/enforce
</source>
{{References}}
[[Category:System Administration]]
[[Category:Security]]
