Mordac The Preventer of Information Services Strikes after a yum update

Written by James McDonald

September 14, 2015

SELinux … Ah, the serenity

If you haven’t rebooted a box in many days and then run yum update, you may find that your SELinux policy now denies access to some of your processes. This is especially true if you have changed the default configuration files so that they now point to a location the default SELinux policy won’t allow.

So here is the process to fix it.

First, look at the denials with audit2allow, then switch SELinux to permissive mode at the command line to check whether SELinux is the cause of the problem.

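# show the denials
# -w (--why) explains in readable form why access was denied
# -a reads the denials from audit.log
audit2allow -w -a

# to check if it's SELinux: switch to permissive mode and restart the service
setenforce 0
service syslog-ng restart
... [OK]

# switch back to enforcing mode; if the restart fails again, SELinux is the cause
setenforce 1
service syslog-ng restart
... [FAIL]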

Then create the policy module you need to make it work:

# filter so you don't get things
# unrelated to the service you are trying to fix
# -M writes syslog-ng.te (readable rules) and syslog-ng.pp (compiled module)
grep syslog-ng /var/log/audit/audit.log | audit2allow -M syslog-ng

# install the module
semodule -i syslog-ng.pp
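
The grep filter above is a plain substring match, so a denial for another process that merely touches a path containing "syslog-ng" also reaches audit2allow and ends up in the module. The following added example (not code from the original post) matches on the comm= field instead and prints the allow rules to expect in syslog-ng.te, so they can be reviewed before semodule -i. The log lines, types and paths in it are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not taken from the original post).
SAMPLE_LOG = '''\
type=AVC msg=audit(1442200000.101:501): avc:  denied  { read open } for  pid=2101 comm="syslog-ng" path="/data/logs/messages" dev=dm-0 ino=1311 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1442200000.102:502): avc:  denied  { search } for  pid=2101 comm="syslog-ng" name="logs" dev=dm-0 ino=1300 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1442200000.103:503): avc:  denied  { getattr } for  pid=2101 comm="syslog-ng" path="/data/logs/messages" dev=dm-0 ino=1311 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1442200003.200:510): avc:  denied  { read } for  pid=3300 comm="logrotate" path="/etc/syslog-ng/syslog-ng.conf" dev=dm-0 ino=900 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1442200000.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="syslog-ng" exe="/usr/sbin/syslog-ng"
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

def comms_matched_by_grep(log_text, needle):
    """comm= values of the AVC denials that a plain substring grep lets through."""
    hits = (AVC_RE.search(l) for l in log_text.splitlines() if needle in l)
    return {m.group("comm") for m in hits if m}

def denials_for(log_text, comm):
    """Group denied permissions by (source type, target type, class) for one comm."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("comm") == comm:
            # A context is user:role:type[:level]; policy rules use the type.
            key = (m.group("src").split(":")[2], m.group("tgt").split(":")[2], m.group("cls"))
            rules[key].update(m.group("perms").split())
    return dict(rules)

def as_allow_rules(rules):
    """Render the grouped denials in the allow-rule form used in a .te file."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {src} {tgt}:{cls} " + (f"{{ {p} }};" if len(perms) > 1 else f"{p};"))
    return out

if __name__ == "__main__":
    print("grep would include:", sorted(comms_matched_by_grep(SAMPLE_LOG, "syslog-ng")))
    for rule in as_allow_rules(denials_for(SAMPLE_LOG, "syslog-ng")):
        print(rule)
```
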

Ref: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

 
