[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Install problem on RHEL 5.1

Subject: Re: Install problem on RHEL 5.1
From: Alan Wolfe <..hidden..>
Date: Mon, 24 Dec 2007 11:33:00 -0600 (CST)

This is definitely an SELinux issue. I tried permissive mode and theproblem instantly disappeared. I got the LedgerSMB Administration loginpage, and could login normally. I did not have to change any configfiles. When I switched back to enforcing mode, the problem instantlyreappeared.

I don't see how psql does it. With psql, I can log into the database viaa socket connection in enforcing mode as well as in permissive mode. Nodifficulty either way.

I need to figure out how to open this connection in enforcing mode. Ifanyone knows how to do this, please let me know.


Thanks,

Alan Wolfe


P.S.  Here are some details from my tests:

setenforce = 1 (enforcing mode) - with local psql logged-in connection:

# netstat -an |grep 5432
tcp        0      0 127.0.0.1:5432              0.0.0.0:*                   LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     873661 /tmp/.s.PGSQL.5432
unix  3      [ ]         STREAM     CONNECTED     2226019 /tmp/.s.PGSQL.5432

setenforce = 0 (permissive mode) - with httpd / admin.pl logged-in connection:

# netstat -an |grep 5432
tcp        0      0 127.0.0.1:5432              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:46589             127.0.0.1:5432              TIME_WAIT
tcp        0      0 127.0.0.1:46590             127.0.0.1:5432              TIME_WAIT
unix  2      [ ACC ]     STREAM     LISTENING     873661 /tmp/.s.PGSQL.5432


 Permissions on socket in /tmp (regardless of psql or httpd connection):

# ls -lZ /tmp/.s.PGSQL.5432*srwxrwxrwx postgres postgres user_u:object_r:postgresql_tmp_t /tmp/.s.PGSQL.5432

-rw-------  postgres postgres user_u:object_r:postgresql_tmp_t /tmp/.s.PGSQL.5432.lock


 Permissions on httpd (can connect via socket only in permissive mode):

# ls -lZ /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd


 Permissions on psql (can connect via socket in enforcing mode):

# ls -lZ /usr/bin/psql
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/bin/psql

These are the general selinux settings in permissive mode:

# setenforce 0
# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

Process contexts:
Current context:                user_u:system_r:unconfined_t
Init context:                   system_u:system_r:init_t
/sbin/mingetty                  system_u:system_r:getty_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh

File contexts:
Controlling term:               user_u:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t ->
system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/mingetty                  system_u:object_r:getty_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t ->
system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t ->
system_u:object_r:ld_so_t

And these are the selinux settings in default enforcing mode:

# setenforce 1
# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

Process contexts:
Current context:                user_u:system_r:unconfined_t
Init context:                   system_u:system_r:init_t
/sbin/mingetty                  system_u:system_r:getty_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh

File contexts:
Controlling term:               user_u:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t ->
system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/mingetty                  system_u:object_r:getty_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t ->
system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t ->
system_u:object_r:ld_so_t




On Sun, 16 Dec 2007, Chris Travers wrote:

This could be an SELinux issue (try setting to Permissive and see if the
problem goes away) or a file permission issue.   Normally the sockets are
created and accessed in /tmp.

Best Wishes,
Chris Travers

References:
- Install problem on RHEL 5.1
  - From: Alan Wolfe
- Re: Install problem on RHEL 5.1
  - From: Chris Travers

Prev by Date: Ledgersmb on Vector Linux / Slackware 12
Next by Date: Re: Ledgersmb on Vector Linux / Slackware 12
Previous by thread: Re: Install problem on RHEL 5.1
Next by thread: malformed header
Index(es):
- Date
- Thread