Differences

This shows you the differences between two versions of the page.

--- informatica:linux:selinux [2015/07/14 09:02] – created jose
+++ informatica:linux:selinux [2015/11/18 12:53] (current) – jose
@@ Line 9: / Line 9: @@
 Resultado:
   Permissive
+Si obtenemos un error raro, por ejemplo apache que no arranca con un módulo nuevo, lo podemos ver en  el log messages.\\
+Al final nos indica el comando a lanzar e instrucciones a seguir:
+  Nov 18 13:01:48 setroubleshoot: SELinux is preventing /usr/sbin/httpd from execute access on the file /opt/oracle/webgate/access/oblix/lib/libgcc_s.so.1. For complete SELinux messages. run sealert -l b46cdfd9-3c2e-4440-9967-16811bbfe75f
+Si ejecutamos el sealert:
+  # sealert -l b46cdfd9-3c2e-4440-9967-16811bbfe75f
+<code>
+SELinux is preventing /usr/sbin/httpd from execute access on the file /opt/oracle/webgate/access/oblix/lib/libgcc_s.so.1.
+*****  Plugin restorecon (94.8 confidence) suggests  *************************
+If you want to fix the label.
+/opt/oracle/webgate/access/oblix/lib/libgcc_s.so.1 default label should be lib_t.
+Then you can run restorecon.
+Do
+# /sbin/restorecon -v /opt/oracle/webgate/access/oblix/lib/libgcc_s.so.1
+*****  Plugin catchall_labels (5.21 confidence) suggests  ********************
+If you want to allow httpd to have execute access on the libgcc_s.so.1 file
+Then you need to change the label on /opt/oracle/webgate/access/oblix/lib/libgcc_s.so.1
+Do
+# semanage fcontext -a -t httpd_modules_t '/opt/oracle/webgate/access/oblix/lib/libgcc_s.so.1'
+where FILE_TYPE is one of the following: httpd_suexec_exec_t, application_exec_type, mailman_cgi_exec_t, dirsrvadmin_unconfined_script_exec_t, httpd_unconfined_script_exec_t, bin_t, lib_t, httpd_rotatelogs_exec_t, ld_so_t, abrt_helper_exec_t, httpd_exec_t, shell_exec_t, textrel_shlib_t, antivirus_exec_t, httpd_helper_exec_t, httpd_php_exec_t, chroot_exec_t, httpd_modules_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_user_script_exec_t, httpd_dspam_script_exec_t, httpd_collectd_script_exec_t, httpd_apcupsd_cgi_script_exec_t, httpd_squid_script_exec_t, httpd_awstats_script_exec_t, prelink_exec_t, preupgrade_exec_t, passenger_exec_t, httpd_nagios_script_exec_t, httpdcontent, httpd_prewikka_script_exec_t, httpd_bugzilla_script_exec_t, httpd_dirsrvadmin_script_exec_t, httpd_sys_script_exec_t, httpd_openshift_script_exec_t, httpd_nutups_cgi_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t, httpd_cobbler_script_exec_t, httpd_mediawiki_script_exec_t, httpd_smokeping_cgi_script_exec_t.
+Then execute:
+restorecon -v '/opt/oracle/webgate/access/oblix/lib/libgcc_s.so.1'
+*****  Plugin catchall (1.44 confidence) suggests  ***************************
+If you believe that httpd should be allowed execute access on the libgcc_s.so.1 file by default.
+Then you should report this as a bug.
+You can generate a local policy module to allow this access.
+Do
+allow this access for now by executing:
+# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
+# semodule -i mypol.pp
+</code>
+Para ver el contexto de una biblioteca, que no librería, de apache:
+  # ls -Z /etc/httpd/modules/mod_alias.so
+  -rwxr-xr-x. root root system_u:object_r:httpd_modules_t:s0 /etc/httpd/modules/mod_alias.so
+Le ponemos el contexto: httpd_modules_t
+  /sbin/restorecon -v '/opt/oracle/webgate/access/oblix/lib/libgcc_s.so.1'
+  semanage fcontext -a -t httpd_modules_t '/opt/oracle/webgate/access/oblix/lib/libgcc_s.so.1'