RedHat/CentOS: a quick introduction to SeLinux policy (a short howto) 

The UNIX access control mechanism is built around file permissions. The
access permissions define which subject can interact with a file and
how. Due to its simple design this concept provides only the very basic

# ls -l
total 84
-rw------- 1 root root 1085 Mar 6 23:42 anaconda-ks.cfg
-rw-r--r-- 1 root root 17150 Mar 6 23:42 install.log
-rw-r--r-- 1 root root 2566 Mar 6 23:42 install.log.syslog

The main purpose of SeLinux is to prevent users or services from going
beyond their pre-defined scope of actions. SeLinux adds another level of
access control and implements a new, independent layer of system
policy.

The SeLinux extension allows you to restrict access at MUCH HIGHER
GRANULARITY than the common UNIX permissions - it goes far beyond the
simple UNIX file access control.

System defaults, the policy basics

The POLICY is a set of rules which specify how "secure" the system will
be, or better, which actions will be allowed in the system, because a
policy rule defines only what is allowed. Every action not allowed by a
policy rule is denied. It is the same concept as building a firewall -
all traffic is blocked and only specific data flows are allowed.

There are some RedHat pre-defined (bundled) policies and they can be in
various "states". To determine the current SeLinux setup:

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

I will use the configuration file to explain what the options "enabled,
enforcing, targeted" mean. The main SeLinux configuration file is
/etc/selinux/config. In this file we define which policy will be loaded
at system boot.

If you get this file wrong, for example with a typo, the system will
not boot and will panic. If that happens, edit the Grub command line and
add the "selinux=0" parameter; all the options in the config file are
then ignored. Here is the config file itself:

# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.

SELINUXTYPE names the actual set of allow rules - simply put, it is the
name of the compiled policy from which the allow rules come. After the
system boots you can't change SELINUXTYPE; you are only allowed to modify
how the kernel will follow the policy instructions.

If the kernel is in enforcing mode, the loaded policy is applied without
exception. If SeLinux is in permissive mode, the kernel allows all
actions and only prints warning AVC messages (good for debugging)
instead of denying the action. You choose which SELINUXTYPE policy is
loaded at system boot. To check which policies you have available on
your system, type:

# rpm -qa | grep selinux-policy

Or you can check the policies (compiled rule files) by simply listing the
content of the /etc/selinux directory.

# ls -la
total 56
drwxr-xr-x 4 root root 4096 Mar 27 03:00 .
drwxr-xr-x 77 root root 4096 Mar 27 02:59 ..
-rw-r--r-- 1 root root 512 Mar 27 02:58 config
-rw------- 1 root root 195 May 24 2008 restorecond.conf
-rw-r--r-- 1 root root 1752 Mar 14 2007 semanage.conf
drwxr-xr-x 5 root root 4096 Mar 27 02:58 targeted

As you can see I have only the targeted policy rules installed so far.
The targeted policy is focused on specific system components/services
and all other content is allowed to run by default, as it is labeled
with the unconfined type. It means that if you use this policy then the
majority of the software will run and you will still keep the SeLinux
protection for the well-known services shipped with the distro such as
samba, http, postfix, ftp... If you plan to use services which are not
bundled by RedHat then you have to use the targeted policy rules or
write your own modules for them.

I will install the strict policy as well. As the strict policy is really
restrictive it is closer to the original NSA SeLinux concept. You can
have problems if, for example, your non-selinux-labeled application
tries to bind some TCP socket, because an unlabeled context is
considered unknown and dangerous and therefore can't interact with the
system. There is no allow rule for unlabeled content. Usually, a system
with the strict policy is not able to boot at all (until RedHat 5). As
you need to allow your application to work on the system, you have to
prepare a special security module for the application.

# yum list | grep selinux-policy | grep -v devel
selinux-policy.noarch 2.4.6-137.el5
selinux-policy-targeted.noarch 2.4.6-137.el5
selinux-policy-mls.noarch 2.4.6-137.1.el5 updates
selinux-policy-strict.noarch 2.4.6-137.1.el5 updates

# yum install selinux-policy-strict

Some basic tweaking on predefined policy

The RedHat-shipped policies include so called "booleans", or let's say
"constraints". Using those booleans you can partially change the SeLinux
behavior without creating a whole new policy or policy module. To list
all the booleans related to apache:

# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on

Apache could be configured to execute CGI scripts, for example, but the
current SeLinux policy is set so that it disallows such an interaction
of the Apache daemon. To enable the interaction between the daemon and
the CGIs I have to set the trigger:

# setsebool -P httpd_enable_cgi on

Some of the booleans mentioned above control the "SeLinux command
behavior" itself. By default it is possible for root to change how the
system will INTERPRET the policy - you can switch between enforcing and
permissive mode back and forth on the fly using setenforce:

# setenforce 0

Even in the strict or targeted policy root is still the master of the
Linux system; the SeLinux idea is not to limit root but to allow the
security of each service to be tuned specifically. Of course, you can
write your own policy which denies root writing to the /etc directory
if you like.

But even with the shipped policy you can limit root's actions a bit.
For example, you can disable the setenforce command:

# getsebool -a | grep secure_mode_policyload
secure_mode_policyload --> off

# setsebool -P secure_mode_policyload on

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

# setenforce 0
setenforce: setenforce() failed

What the policy module is

A policy module is a set of compiled rules which extends the main policy
configuration. The modular policy is used on RedHat 5.0(?) and later.
Each module is specific to an application, as you can see:

# semodule -l
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
dcc 1.1.0
evolution 1.1.0
iscsid 1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
pyzor 1.1.0
razor 1.1.0
ricci 1.0.0
smartmon 1.1.0

Modules are permanently added to or removed from the policy loaded at
boot using the semodule -i (install) and semodule -r (remove) commands.
The modular policy of RedHat 5.2/CentOS 5.2 and above also allows you to
load the necessary policy module on the fly. It is good to know that
this behaviour can be enabled or disabled via the boolean named
secure_mode_insmod (on || off).

Into the deep, the filesystem

And now some technical talk. Where do we start looking for SeLinux? Let's
begin with the filesystem extended attribute information. We can call it
the LABEL; it sits on the filesystem if the FS supports extended
attributes (ext3 does). The SeLinux labels are saved as metadata. Let's
check them out.

# getfattr -n security.selinux /root/anaconda-ks.cfg
getfattr: Removing leading '/' from absolute path names
# file: root/anaconda-ks.cfg

Get the attributes with 'ls -Z':

# ls -Z
-rw------- root root system_u:object_r:user_home_t anaconda-ks.cfg
-rw-r--r-- root root root:object_r:user_home_t install.log
-rw-r--r-- root root root:object_r:user_home_t

You can see the selinux context of processes as well with 'ps -efZ'. The
magic is the 'Z' option. In the example we can see
"root:object_r:user_home_t". This gibberish is called the access control
vector. The vector is the most, and only, important data for the access
control mechanism.

The architecture

- SeLinux consists of a SeLinux-supporting filesystem, the Access
Vector Cache and the Security Server.

- Each filesystem object has its own vector.

- If some operation should be performed, SeLinux searches the allow
rules to see if the vector of the object is allowed to interact with the
subject's vector.

- If SeLinux finds at least one allow rule then the operation is

- SeLinux is the last-resort access control mechanism in the system.

The system has an AVC (the access vector cache) to speed up searches. If
there is no record of the result in the cache then the Security Server
is queried.

A set of filters can be placed between the SS and the AVC
(security_compute_av()). The filters (constraints) can then drop some
allow decisions. This is useful when changing system behaviour without
recompiling and reloading the policy.

SeLinux rules can be more complicated. Instead of a simple allow rule for
certain interactions between object and subject, they can define that
the interacting (originator) object can change its own "vector
definition" into another "vector". This type of behaviour is called

SeLinux context

# ls -lZ /etc/selinux/semanage.conf
-rw-r--r-- root root system_u:object_r:selinux_config_t

system_u -> user; it need not be identical to a /etc/passwd user
object_r -> role, like a group, but a SeLinux concept
selinux_config_t -> type, the domain, the most important part

Extended attributes such as classification and sensitivity can be
specified, but we don't need them yet.

Selinux users

Selinux uses its own users, but you don't need to map a passwd user to
a SeLinux user if the username is the same.

Creating your own policy

1) compile the module

$ checkmodule -M -m -o local.mod local.te

2) create the package

$ semodule_package -o local.pp -m local.mod

3) load the module into the kernel

$ semodule -i local.pp

The following example was created using audit2allow, which generates
policy allow rules from the logs of denied operations.

cat /var/log/audit/audit.log | audit2allow -M mynagios

module mynagios 1.0;

require {
type security_t;
type usr_t;
type ping_t;
type httpd_sys_script_t;
type load_policy_t;
class security load_policy;
class file { read write };
class fifo_file getattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t usr_t:fifo_file getattr;
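As an added example (not the post's own code and not the audit2allow tool itself), the shell function below reads raw AVC denial lines and prints the .te module source that audit2allow -M would propose, in the same layout as the mynagios module above. The sample lines are constructed after the AVC records in these posts (the types, the module name mynagios and the field names scontext/tcontext/tclass are as on the page; pids, inodes and paths are made up). The point is to see exactly what a generated module grants before you go through checkmodule, semodule_package and semodule: audit2allow allows precisely what was denied, so this is where a practitioner decides whether a relabel (chcon/restorecon) or an existing boolean is the right fix instead of a new allow rule.

```shell
#!/bin/sh
# Added example, not from the post and not audit2allow itself: a minimal
# stand-in for what audit2allow does with AVC denials. It reads raw AVC
# lines, merges repeated denials of the same source type, target type and
# class, and prints a .te module in the layout the post shows.
# It only prints; nothing is compiled or loaded.

# Constructed sample denials, modelled on the audit/dmesg AVC lines shown
# in these posts. The last line is a "granted" record and must be ignored.
SAMPLE_AVC='audit(1204865870.929:115): avc: denied { search } for pid=4609 comm="iscsid" name="iscsi" dev=cciss/c0d0p3 ino=20742200 scontext=user_u:system_r:iscsid_t:s0 tcontext=user_u:object_r:rpm_var_lib_t:s0 tclass=dir
audit(1204865871.001:116): avc: denied { read } for pid=4712 comm="httpd" name="index.html" dev=cciss/c0d0p3 ino=20742311 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
audit(1204865871.002:117): avc: denied { write } for pid=4712 comm="httpd" name="index.html" dev=cciss/c0d0p3 ino=20742311 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
audit(1204865871.003:118): avc: denied { getattr } for pid=4713 comm="nagios.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file
audit(1204865871.004:119): avc: granted { load_policy } for pid=4800 comm="load_policy" scontext=root:system_r:load_policy_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# avc_to_te MODULE_NAME: AVC lines on stdin -> .te module source on stdout
avc_to_te() {
    awk -v mod="$1" '
    # add(set, k, v): append v to the space-separated list set[k] unless present
    function add(set, k, v) {
        if (index(" " set[k] " ", " " v " ") == 0)
            set[k] = (set[k] == "" ? v : set[k] " " v)
    }
    # braced(s): "{ a b }" for several permissions, bare name for a single one
    function braced(s) { return (index(s, " ") ? "{ " s " }" : s) }
    /avc: +denied/ {
        perms = $0
        sub(/^.*denied [{] */, "", perms)   # keep only the text inside { }
        sub(/ *[}].*$/, "", perms)
        st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third colon-separated field of a context
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (st == "" || tt == "" || cls == "") next   # malformed line: skip, do not guess
        if (!(st in tseen)) { tseen[st] = 1; torder[++nt] = st }
        if (!(tt in tseen)) { tseen[tt] = 1; torder[++nt] = tt }
        if (!(cls in classes)) { classes[cls] = ""; corder[++nc] = cls }
        key = st " " tt ":" cls
        if (!(key in rules)) { rules[key] = ""; rorder[++nr] = key }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) { add(rules, key, p[j]); add(classes, cls, p[j]) }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", torder[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s %s;\n", corder[i], braced(classes[corder[i]])
        printf "}\n\n"
        for (i = 1; i <= nr; i++) printf "allow %s %s;\n", rorder[i], braced(rules[rorder[i]])
    }'
}

# Usage: on a real box this would be  grep avc /var/log/audit/audit.log | avc_to_te mynagios
printf '%s\n' "$SAMPLE_AVC" | avc_to_te mynagios
```

Run against the sample, the two httpd denials collapse into one `allow httpd_t user_home_t:file { read write };` line, which is a hint that the file is simply mislabeled (user_home_t under a web root) and should be relabeled rather than opened up to httpd_t.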

Solaris network card IP alias 
# ifconfig interface:1 plumb
# ifconfig interface:1 netmask
# cat /etc/hostname.interface:1
# cat /etc/hosts | grep alias alias

PS1 variable - prompt settings 
\a	The ASCII bell character (you can also type \007)
\d Date in "Wed Sep 06" format
\e ASCII escape character (you can also type \033)
\h First part of hostname (such as "mybox")
\H Full hostname (such as "")
\j The number of processes you've suspended in this shell by hitting ^Z
\l The name of the shell's terminal device (such as "ttyp4")
\n Newline
\r Carriage return
\s The name of the shell executable (such as "bash")
\t Time in 24-hour format (such as "23:01:01")
\T Time in 12-hour format (such as "11:01:01")
\@ Time in 12-hour format with am/pm
\u Your username
\v Version of bash (such as 2.04)
\V Bash version, including patchlevel
\w Current working directory (such as "/home/drobbins")
\W The "basename" of the current working directory (such as "drobbins")
\! Current command's position in the history buffer
\# Command number (this will count up at each prompt, as long as you type something)
\$ If you are not root, inserts a "$"; if you are root, you get a "#"
\xxx Inserts an ASCII character based on three-digit number xxx (replace unused digits with zeros, such as "\007")
\\ A backslash
\[ This sequence should appear before a sequence of characters that don't move the cursor (like color escape sequences). This allows bash to calculate word wrapping correctly.
\] This sequence should appear after a sequence of non-printing characters.


root (VM server1):# cat /etc/profile | tail -1
PS1="\u (VM server1):# "

iSCSI filesystem (direct and VM zone) benchmark using bonnie++ 

initiator:  Linux 2.6 CentOS5.2 (Intel Xeon @3000, 2x Quadcore, 4GB)
target: Solaris 10u5 target (AMD Dualcore @2300, 1x dualcore, 4GB)
connection: connected using 1Gbit dedicated TP cable
method: bonnie++ -u root -d /dir/
TCP stack: default

The initiator:

root (VM server1):# ethtool eth1
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: g
Link detected: yes


(iSCSI target1):# dladm show-dev
nge0 link: up speed: 100 Mbps duplex: full
nge1 link: unknown speed: 0 Mbps duplex: unknown
e1000g0 link: up speed: 1000 Mbps duplex: full
e1000g1 link: up speed: 1000 Mbps duplex: full

Setup 1:

Direct test: Linux initiator connects target iSCSI, used with ext3.

	------Sequential Output------ --Sequential Input- --Random-
-Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CP
8G 64534 79 37878 9 16037 3 26290 40 24539 1 225.6 0

Setup 2:

VmWare Server zone test: the VmWare zone accesses its filesystem, which is a regular file on top of the host machine's iSCSI/ext3 partition.

	------Sequential Output------ --Sequential Input- --Random-
-Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CP
5G 12911 17 18164 3 12984 3 19130 33 21674 3 346.3 3

Conclusion: the VM zone disk access speed is too slow when the VM disk is a regular file on top of the VmWare server's iSCSI/ext3 filesystem. The I/O of the 64-bit Windows XP zone seems to be even worse than that of the 64-bit CentOS VM.

Setup 3:

VmWare ESXi zone directly accessing iSCSI.

	------Sequential Output------ --Sequential Input- --Random-
-Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CP
5G 38094 47 33518 6 16307 4 32691 52 40159 4 276.3 1

VmWare Server: how to enable 64bit virtualisation support with Xeon CPU 
On certain platforms the virtualisation support is disabled by default. You have to enable it in BIOS. On HP DL380 press F9, go to Advanced Options -> Processor Options -> Intel(R) Virtualization Technology -> Set it to Enable. Then VmWare Server will be able to run the 64bit VM system.

Linux: manual target login 
The script handles the proper order of iSCSI device mounting to corresponding mount points.

#!/bin/bash
# chkconfig: 345 13 89
# description: Logs into iSCSI targets by predefined order
# Source function library.
. /etc/init.d/functions

RETVAL=0

start() {
	status iscsid
	RETVAL=$?
	if [ $RETVAL -ne 0 ]; then
		/etc/init.d/iscsid start
	fi

	echo $"Setting up iSCSI targets: "

	# iqn defined below: one IQN per line between the STRING markers
	# (the list itself is not reproduced in the post)
	for iqn in `cat <<STRING
STRING
`; do
		# the volume name is the 5th dot-separated part of the IQN
		vol=`echo ${iqn} | awk -F"." '{ print $5 }'`
		echo -n "login in: ${vol} "
		# the portal address after -p is not reproduced in the post
		iscsiadm -m node -T ${iqn} -p --login > /dev/null 2>&1
		if [ $? -ne 0 ]; then
			echo "check if the iSCSI device is not already mounted"
			exit 255
		fi
		# the disk that just appeared is the last one the kernel attached
		dev=`dmesg | grep "Attached scsi disk" | tail -1 | cut -d" " -f6`
		echo "mount /dev/${dev}1 /mnt/${vol}"
		sleep 1
		mount /dev/${dev}1 /mnt/${vol}
		if [ $? -ne 0 ]; then
			echo "*** PROBLEM WHILE MOUNTING: mount /dev/${dev}1 to /mnt/${vol} ***"
			echo "check if the iSCSI device is not already mounted"
			exit 255
		fi
		sleep 1
	done

	touch /var/lock/subsys/iscsi
}

stop() {
	sleep 5
	for vol in `mount | grep vol | cut -d" " -f3`; do umount ${vol}; done
	sleep 5

	rm -f /var/lock/subsys/iscsi

	# If this is a final shutdown/halt, do nothing since
	# lvm/dm, md, power path, etc do not always handle this
	if [ "$RUNLEVEL" = "6" -o "$RUNLEVEL" = "0" -o "$RUNLEVEL" = "1" ]; then
		return
	fi

	# don't turn off iscsi if root is possibly on a iscsi disk
	rootopts=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "/") { print $4; }}' /etc/mtab)
	if [[ "$rootopts" =~ "_netdev" ]] ; then
		echo $"Can not shutdown iSCSI. Root is on a iSCSI disk."
		exit 1
	fi

	iscsiadm -m node --logoutall=all
	/etc/init.d/iscsid stop
}

restart() {
	stop
	start
}

case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	status)
		iscsiadm -m node
		status iscsid
		;;
	restart)
		restart
		;;
	condrestart)
		[ -f /var/lock/subsys/iscsi ] && restart
		;;
	*)
		echo $"Usage: $0 {start|stop|restart|status|condrestart}"
		exit 1
esac
exit $RETVAL

iSCSI: Linux initiator connects to Solaris target 
Solaris target:

Check if iSCSI service is running (initiator and target status):

(iSCSI target1):# svcs -a | grep iscsi
disabled 8:54:25 svc:/network/iscsi_initiator:default
disabled 8:54:26 svc:/system/iscsitgt:default

By default, on vanilla Solaris the iscsitgt service is disabled. Enable the service:

(iSCSI target1):# svcadm enable /system/iscsitgt

Set the directory where the iSCSI target daemon saves its configuration:

# iscsitadm modify admin -d /iscsi

Prepare zfs pool, create some shared volumes:

(iSCSI target1):# zpool create -f tank /dev/dsk/c1t0d0s7
(iSCSI target1):# zfs create -s -V 8g tank/vol0[1..8]

You can share volumes using the zfs option shareiscsi=on. This is not recommended if you need to use extended iSCSI attributes like TPGT.

The root cause of this issue is that the ZFS zvol is the Solaris component offering persistence for this iSCSI target. ZFS, due to its ease of management, does not support a means to associate iSCSI target parameters like TPGT with the shareiscsi attribute of a zvol, and rightfully so.

If you like the ease of shareiscsi but wish to add additional iSCSI properties, enable shareiscsi, then issue "iscsitadm list target -v", retain the data, disable shareiscsi, and then configure the target, plus the iSCSI properties, yourself.

(iSCSI target1):# zfs set shareiscsi=on tank/vol0[1..8]

The other way - share volumes using iscsitadm:

(iSCSI target1):# iscsitadm create target -b /dev/zvol/rdsk/tank/vol0[1..8] vol0[1..8]

(iSCSI target1):# iscsitadm list target -v
Target: vol08
iSCSI Name:
Connections: 0
ACL list:
TPGT list:
LUN information:
LUN: 0
Type: disk
Size: 8.0G
Backing store: /dev/zvol/dsk/tank/vol08
Status: online

Linux initiator:

Install all that is required (CentOS5.2 distro):

(VM server1):# yum list | grep iscsi
iscsi-initiator-utils.x86_64 base
(VM server1):# yum install iscsi-initiator-utils
(VM server1):# service iscsid start
(VM server1):# chkconfig iscsid on

I would like to use the fast Gbit link which connects initiator and target. Gigabit is on eth1:

(VM server1):# iscsiadm -m iface -I iface1 --op=new
New interface iface1 added

Add iface1 MAC address:

(VM server1):# iscsiadm -m iface -I iface1 --op=update -n iface.hwaddress -v 00:1F:29:E7:C2:7E 
iface1 updated.

Discovery of targets via Gbit interface:

(VM server1):# iscsiadm -m discovery -t st -p -I iface1 -P 1
Iface Name: iface1
Iface Name: iface1
Iface Name: iface1
Iface Name: iface1
Iface Name: iface1
Iface Name: iface1

List all the iSCSI active sessions:

# iscsiadm -m session

Restart iscsi, scan for the new volumes, create partitions:

(VM server1):# fdisk -l | grep "Linux" | sort
/dev/cciss/c0d0p1 * 1 1044 8385898+ 83 Linux
/dev/cciss/c0d0p2 1045 1305 2096482+ 82 Linux swap / Solaris
/dev/cciss/c0d0p3 1306 17840 132817387+ 83 Linux
/dev/sda1 1 8192 8388592 83 Linux
/dev/sdb1 1 8192 8388592 83 Linux
/dev/sdc1 1 8192 8388592 83 Linux
/dev/sdd1 1 8192 8388592 83 Linux
/dev/sde1 1 8192 8388592 83 Linux
/dev/sdf1 1 8192 8388592 83 Linux
/dev/sdg1 1 8192 8388592 83 Linux
/dev/sdh1 1 8192 8388592 83 Linux

SeLinux prevents iscsid from attaching iSCSI volumes by default; the selinux cure is below. Note what the boolean does: it switches off the transition into the iscsid_t domain, so iscsid no longer runs in its confined domain at all.

(VM server1):# dmesg | tail -1
audit(1204865870.929:115): avc: denied { search } for pid=4609 comm="iscsid" name="iscsi" dev=cciss/c0d0p3 ino=20742200 scontext=user_u:system_r:iscsid_t:s0 context=user_u:object_r:rpm_var_lib_t:s0 tclass=dir
(VM server1):# setsebool -P iscsid_disable_trans=1

Extended options: TPGT

We use a TPGT to tell the system on which interface (or interfaces) our iSCSI target binds. Create group 1, then add the IP of the local interface:

(iSCSI target1):# iscsitadm create tpgt 1
(iSCSI target1):# iscsitadm modify tpgt -i 1
(iSCSI target1):# iscsitadm list tpgt -v
IP Address:

You can delete TPGT via:
# iscsitadm delete tpgt -i 1

Assign group 1 to iSCSI target vol0[1..8]:

(iSCSI target1):# iscsitadm modify target -p 1 vol0[1..8]

Check TPGT:

(iSCSI target1):# iscsitadm list target -v vol01
Target: vol01
iSCSI Name:
Connections: 1
iSCSI Name:
ACL list:
TPGT list:
LUN information:
LUN: 0
GUID: 010000144fe6e00800002a0048f59ed8
Type: disk
Size: 8.0G
Backing store: /dev/zvol/dsk/tank/vol01
Status: online

Extended options: CHAP

Set CHAP username/password for Linux initiator:

iscsiadm -m node -T -p --op=update --name=node.session.auth.authmethod --value=CHAP
iscsiadm -m node -T -p --op=update --name=node.session.auth.username --value=username
iscsiadm -m node -T -p --op=update --name=node.session.auth.password --value=password

Extended options: Solaris target with volumes (LUNs)

You can create one target with several volumes on it, as SCSI can. The target is a single iqn, but you should be able to address the separate volumes (LUNs).

(iSCSI target1):# iscsitadm create target -u 0 -b /dev/zvol/rdsk/tank/vol17 vol170
(iSCSI target1):# iscsitadm create target -u 1 -b /dev/zvol/rdsk/tank/vol18 vol170
(iSCSI target1):# iscsitadm create target -u 2 -b /dev/zvol/rdsk/tank/vol19 vol170
(iSCSI target1):# iscsitadm create target -u 3 -b /dev/zvol/rdsk/tank/vol20 vol170

Linux: Openfiler iSCSI target 
Openfiler pages

Openfiler is a powerful, intuitive browser-based network storage software distribution. Openfiler delivers file-based Network Attached Storage and block-based Storage Area Networking in a single framework.

Linux: Limit ssh attempts 
Limit ssh attempts to 3/min. Useful.

echo "*** SSH brute force - begin ***"
$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW \
-m recent --set

$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP
echo "*** SSH brute force - end ***"

The standard iptables RH/CentOS script could then be:

[root@xen ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 -j REJECT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

A very brief introduction to SeLinux problem troubleshooting 
If something is not working and you know that it should, you are on RedHat or CentOS and you have SeLinux enabled, then it is the right time to suspect SeLinux to be the murderer.

In this example we will try to solve an apache problem. Apache can't read an index.html file which it has permission to read.

The setroubleshoot package is, surprisingly, made exactly for that. The name itself is self-explanatory, but I have to admit I was not familiar with the existence of such a tool. We will install the tool, or better a set of tools, and the setroubleshoot daemon:

# yum install setroubleshoot

and run the service:

# service setroubleshoot start

Now, in my case, repeat the action which should work and check /var/log/messages:

Oct 14 17:33:26 setroubleshoot: SELinux is preventing the httpd from \
using potentially mislabeled files \
(/var/www/html/homes/my_new_virtual_home/index.html). \
For complete SELinux messages \
run sealert -l 88a55a70-b798-43b4-bcfb-32c8918e436d

Whoa, the "sealert" command even gives you some explanation of this:

SELinux has denied httpd access to potentially mislabeled file(s)
(/var/www/html/homes/my_new_virtual_home/index.html). This means that SELinux will not allow httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories.
The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

The command also tells you how you can fix it, at least for my specific case. It offered to reset the security context on the files using restorecon, but this would not help, because I had a special setup where my home directory was inside the httpd root subdirectory. Therefore the files were labeled as common user files and not the webserver's. I needed to change the selinux attributes on the file(s) apache is trying to access. You can check the security context of files using:

# ls -Z index.html
-rw-r--r-- alchy alchy user_u:object_r:user_home_dir_t index.html

In my case I had to set my file to the httpd_sys_content_t type to allow apache to read it. After the change the attributes looked like:

# ls -Z index.html
-rw-r--r-- alchy alchy user_u:object_r:httpd_sys_content_t index.html

I used the command:

# chcon -R -h -t httpd_sys_content_t \

I simply set the content and directory to "httpd_sys_content_t"; the files here are regular static web pages. Some further reading.
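As an added example (not the post's own code), the shell function below does the check that belongs before and after a chcon like the one above: it reads "ls -Z" output in the RHEL5 column layout shown in this post (permissions, user, group, context, name) and lists every entry whose type, the third field of the context, is not the one expected for a web root. The sample lines are constructed after the ls -Z output above; the file names other than index.html are made up.

```shell
#!/bin/sh
# Added example, not from the post: a label audit over "ls -Z"-style lines.
# It reports every entry whose SELinux type is not the one expected for a
# web root, so you can see what chcon/restorecon still has to fix.
# Assumes the RHEL5 "ls -Z" column layout: perms user group context name.

# Constructed sample, modelled on the "ls -Z index.html" output in the post.
SAMPLE_LS_Z='-rw-r--r-- alchy alchy user_u:object_r:user_home_dir_t index.html
-rw-r--r-- alchy alchy user_u:object_r:httpd_sys_content_t about.html
drwxr-xr-x alchy alchy user_u:object_r:user_home_t images
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t robots.txt'

# mislabeled EXPECTED_TYPE: "ls -Z" lines on stdin -> "<type> <name>" for
# every entry whose type (3rd colon-separated field of the context) differs
mislabeled() {
    awk -v want="$1" '
    NF >= 5 {
        split($4, ctx, ":")          # user:role:type[:level]
        if (ctx[3] != want) print ctx[3], $5
    }'
}

# count_mislabeled EXPECTED_TYPE: just the number of offending entries,
# handy as an exit criterion in a script (0 means the tree is clean)
count_mislabeled() {
    mislabeled "$1" | wc -l | tr -d " "
}

# Usage: on a real box this would be  ls -Z /var/www/html | mislabeled httpd_sys_content_t
printf '%s\n' "$SAMPLE_LS_Z" | mislabeled httpd_sys_content_t
```

For the sample this prints index.html (user_home_dir_t) and the images directory (user_home_t); the two entries already labeled httpd_sys_content_t are silent.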

I will put together some deeper talk about SeLinux later.

To boot without selinux, put selinux=0 in the boot parameters.
