[or-cvs] r20809: {} Add a basic SELinux README to help diagnose+correct SELinux (projects/misc-sysadmin/selinux)

mikeperry at seul.org
Wed Oct 21 23:08:31 UTC 2009


Author: mikeperry
Date: 2009-10-21 19:08:31 -0400 (Wed, 21 Oct 2009)
New Revision: 20809

Added:
   projects/misc-sysadmin/selinux/README
Log:

Add a basic SELinux README to help diagnose+correct SELinux issues.



Added: projects/misc-sysadmin/selinux/README
===================================================================
--- projects/misc-sysadmin/selinux/README	                        (rev 0)
+++ projects/misc-sysadmin/selinux/README	2009-10-21 23:08:31 UTC (rev 20809)
@@ -0,0 +1,51 @@
+If you suspect selinux is causing you problems, run the following command as
+root and restart your daemons:
+
+setenforce 0
+
+If this does not solve the problem, it is likely not an SELinux problem. When
+you do solve it, re-enable selinux with:
+
+setenforce 1.
+
+If the problem does go away with 'setenforce 0', read on.
+
+SELinux is an access control system that works via the concept of labels.
+Everything on the filesystem is labeled, as well as network sockets and
+process capabilities. Processes have labels, which are granted the right to
+touch other labels via the policy.
+
+You can view the labels of every process on the system with:
+ps xaZ
+
+You can view the labels of files on the filesystem with:
+ls -laZ
+
+If you are getting weird permissions errors on your daemons, the first thing
+you should do is:
+audit2allow < /var/log/audit/audit.log 
+
+This will list any additional rules you may need to create to allow your
+daemon to run. 
+
+You can create a policy file from that output by pasting the relevant output
+into a .te file. See the subdirectories here for examples. Note that all of
+the label types you use need to be declared in a require block, and that your
+module should be given a unique name at the top of the file.
+
+Once you have the file written, you can compile and load it using the
+install.sh script in this directory. Once it is loaded, you should run:
+
+/etc/init.d/auditd stop
+rm /var/log/audit/audit.log
+/etc/init.d/auditd start
+
+and then restart your daemon and test again. If there are still problems,
+you can wash, rinse+repeat, or you can do 'setenforce 0' and let it run for 
+a while to accumulate log entries before you run audit2allow again to
+add in more rules.
+
+
+
+
+
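Review bot: The instructions at "You can create a policy file from that output by pasting the relevant output into a .te file" should tell the reader to review each allow rule before loading it, because audit2allow only translates denials into grants and cannot tell a genuine policy gap from a mislabeled file; a denial on a file that simply carries the wrong type is fixed with `restorecon -Rv <path>` (or a `semanage fcontext` rule) rather than a new allow rule, and pasting such denials verbatim permanently widens what the daemon's domain may touch. Two smaller points in the same hunk: the line "setenforce 1." has a trailing period that will be copied literally and fail, and the sequence "/etc/init.d/auditd stop / rm /var/log/audit/audit.log / /etc/init.d/auditd start" throws away the audit trail; `ausearch -m avc -ts recent | audit2allow` gives the same fresh view of new denials without deleting the log, and `audit2allow -M <name>` generates the module with its require block and name already filled in, which addresses the "require block" and "unique name" caveats the README raises.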


