informatica:linux:selinux

Differences

This shows you the differences between two versions of the page.

informatica:linux:selinux [2015/07/14 11:02]
jose created
informatica:linux:selinux [2015/11/18 13:53] (current)
jose
Line 9: Line 9:
 Resultado: Resultado:
   Permissive   Permissive
 +  ​
 +Si obtenemos un error raro, por ejemplo apache que no arranca con un módulo nuevo, lo podemos ver en  el log messages.\\
 +Al final nos indica el comando a lanzar e instrucciones a seguir:
 +  Nov 18 13:01:48 setroubleshoot:​ SELinux is preventing /​usr/​sbin/​httpd from execute access on the file /​opt/​oracle/​webgate/​access/​oblix/​lib/​libgcc_s.so.1. For complete SELinux messages. run sealert -l b46cdfd9-3c2e-4440-9967-16811bbfe75f
 +  ​
 +Si ejecutamos el sealert:
 +
 +  # sealert -l b46cdfd9-3c2e-4440-9967-16811bbfe75f
 +
 +<​code>​
 +SELinux is preventing /​usr/​sbin/​httpd from execute access on the file /​opt/​oracle/​webgate/​access/​oblix/​lib/​libgcc_s.so.1.
 +
 +*****  Plugin restorecon (94.8 confidence) suggests ​ *************************
 +
 +If you want to fix the label. ​
 +/​opt/​oracle/​webgate/​access/​oblix/​lib/​libgcc_s.so.1 default label should be lib_t.
 +Then you can run restorecon.
 +Do
 +# /​sbin/​restorecon -v /​opt/​oracle/​webgate/​access/​oblix/​lib/​libgcc_s.so.1
 +
 +*****  Plugin catchall_labels (5.21 confidence) suggests ​ ********************
 +
 +If you want to allow httpd to have execute access on the libgcc_s.so.1 file
 +Then you need to change the label on /​opt/​oracle/​webgate/​access/​oblix/​lib/​libgcc_s.so.1
 +Do
 +# semanage fcontext -a -t httpd_modules_t '/​opt/​oracle/​webgate/​access/​oblix/​lib/​libgcc_s.so.1'​
 +where FILE_TYPE is one of the following: httpd_suexec_exec_t,​ application_exec_type,​ mailman_cgi_exec_t,​ dirsrvadmin_unconfined_script_exec_t,​ httpd_unconfined_script_exec_t,​ bin_t, lib_t, httpd_rotatelogs_exec_t,​ ld_so_t, abrt_helper_exec_t,​ httpd_exec_t,​ shell_exec_t,​ textrel_shlib_t,​ antivirus_exec_t,​ httpd_helper_exec_t,​ httpd_php_exec_t,​ chroot_exec_t,​ httpd_modules_t,​ httpd_munin_script_exec_t,​ httpd_w3c_validator_script_exec_t,​ httpd_user_script_exec_t,​ httpd_dspam_script_exec_t,​ httpd_collectd_script_exec_t,​ httpd_apcupsd_cgi_script_exec_t,​ httpd_squid_script_exec_t,​ httpd_awstats_script_exec_t,​ prelink_exec_t,​ preupgrade_exec_t,​ passenger_exec_t,​ httpd_nagios_script_exec_t,​ httpdcontent,​ httpd_prewikka_script_exec_t,​ httpd_bugzilla_script_exec_t,​ httpd_dirsrvadmin_script_exec_t,​ httpd_sys_script_exec_t,​ httpd_openshift_script_exec_t,​ httpd_nutups_cgi_script_exec_t,​ httpd_git_script_exec_t,​ httpd_cvs_script_exec_t,​ httpd_cobbler_script_exec_t,​ httpd_mediawiki_script_exec_t,​ httpd_smokeping_cgi_script_exec_t. ​
 +Then execute: ​
 +restorecon -v '/​opt/​oracle/​webgate/​access/​oblix/​lib/​libgcc_s.so.1'​
 +
 +
 +*****  Plugin catchall (1.44 confidence) suggests ​ ***************************
 +
 +If you believe that httpd should be allowed execute access on the libgcc_s.so.1 file by default.
 +Then you should report this as a bug.
 +You can generate a local policy module to allow this access.
 +Do
 +allow this access for now by executing:
 +# grep httpd /​var/​log/​audit/​audit.log | audit2allow -M mypol
 +# semodule -i mypol.pp
 +</​code>​
 +
 +Para ver el contexto de una biblioteca, que no librería, de apache:
 +  # ls -Z /​etc/​httpd/​modules/​mod_alias.so ​
 +  -rwxr-xr-x. root root system_u:​object_r:​httpd_modules_t:​s0 /​etc/​httpd/​modules/​mod_alias.so
 +
 +Le ponemos el contexto: httpd_modules_t
 +  /​sbin/​restorecon -v '/​opt/​oracle/​webgate/​access/​oblix/​lib/​libgcc_s.so.1'​
 +  semanage fcontext -a -t httpd_modules_t '/​opt/​oracle/​webgate/​access/​oblix/​lib/​libgcc_s.so.1'​
 +
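Review bot: the two closing commands under "Le ponemos el contexto: httpd_modules_t" are in the wrong order. `restorecon -v` runs before `semanage fcontext -a -t httpd_modules_t`, so the file is relabelled from the rules that exist at that moment, and the new httpd_modules_t rule is recorded but never applied to the file. Put the `semanage fcontext` line first and `restorecon -v` second, which is the order the catchall_labels plugin output gives earlier in the same hunk. The text should also say why httpd_modules_t was chosen. The quoted sealert output rates a plain `restorecon` to the default label lib_t at 94.8 confidence, and lib_t appears in the list of types httpd is allowed to execute, so restoring the default label may be enough without a custom fcontext rule. Finally, the output includes the `grep httpd /var/log/audit/audit.log | audit2allow -M mypol` suggestion, which would fold every logged httpd denial into a local module. A sentence stating that this procedure relabels the file instead of loading that module would keep readers from copying it.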
informatica/linux/selinux.txt · Last modified: 2015/11/18 13:53 by jose