SELinux problem after running audit2allow

myo
Posts: 14
Joined: Tue Nov 25, 2003 11:02 am
Location: Minneapolis, MN

Yep...

Post by myo »

All of the output I see is the same.

`audit2allow -d': shows nothing.

`grep "avc: denied" /var/log/messages': shows nothing

and

`php poller.php' still gives:

05/26/2005 09:50:38 AM - POLLER: Poller[0] DEBUG: About to Spawn a Remote Process [CMD: /usr/bin/php, ARGS: -q /var/www/html/cacti/cmd.php 0 0]
05/26/2005 09:50:38 AM - POLLER: Poller[0] DEBUG: About to Spawn a Remote Process [CMD: /usr/bin/php, ARGS: -q /var/www/html/cacti/cmd.php 3 3]
Waiting on 2/2 pollers.
Waiting on 1/2 pollers.
Waiting on 1/2 pollers.
05/26/2005 09:50:41 AM - SYSTEM STATS: Time: 3.0473 s, Method: cmd.php, Processes: 15, Threads: N/A, Hosts: 2, Hosts/Process: 1

I am at a loss for what I might want to do next.
--myo

mshook
Posts: 46
Joined: Mon May 02, 2005 3:33 pm
Location: New York, NY

Post by mshook »

I'm kinda at a loss too on this one. Try to enable the debug output for the poller and run it again (edit: Never mind, you have it enabled already). We'll see what it has to say.

One thing for the sake of it, you can disable SELinux at runtime by executing: setenforce 0

Try again and let us know.

- Mathieu
Last edited by mshook on Thu May 26, 2005 10:11 am, edited 1 time in total.
myo
Posts: 14
Joined: Tue Nov 25, 2003 11:02 am
Location: Minneapolis, MN

Perhaps SELinux is not to blame?

Post by myo »

I set /etc/selinux/config

SELINUX=permissive

And did init 6 and after the reboot, the situation is unchanged...except now audit2allow -d gives me:

allow httpd_t selinux_config_t:file { getattr read };
allow snmpd_t selinux_config_t:file { getattr read };

Does this change anything?

I'm sorry for being a pesky n00b.
--myo
mshook
Posts: 46
Joined: Mon May 02, 2005 3:33 pm
Location: New York, NY

Re: Perhaps SELinux is not to blame?

Post by mshook »

myo wrote: I set /etc/selinux/config

SELINUX=permissive

Permissive is just: permissive - SELinux prints warnings instead of enforcing.

So even though you're getting "avc: denied" in the logs, it should work (TM), no? ;-)

myo wrote: I'm sorry for being a pesky n00b.

No problem.

Frances
Cacti User
Posts: 60
Joined: Sun Apr 10, 2005 11:26 pm
Location: west coast

Post by Frances »

This might not be even marginally helpful, and I don't mean to intrude. I'm not much of an selinux expert, but when I've had selinux related difficulties with various software, I've disabled selinux at run-time for testing purposes by doing...

echo "0" > /selinux/enforce

...to ensure that selinux is actually responsible for the difficulty.

I've had strangely inconsistent results with 'setenforce 0' for some odd reason.

tekbot
Posts: 49
Joined: Tue Jun 07, 2005 7:42 pm
Location: Venice, CA

setenforce 0 worked for me

Post by tekbot »

First off, I'd like to say, thanks to all the people who have posted in this thread. I have built cacti on 4 servers now, and this is the first time I ran into the issue of graphs not being created due to the selinux policy.

setenforce 0 worked wonders for me.

I have a couple of questions, though.

1) Will the level selinux is currently running at (0) maintain after I reboot this server, or is this something I'll need to do every time I restart?

2) What kind of security implications of this action should I be aware of? Is there anything more stringent I can do to allow my rrd/cacti to run while not completely disabling this security feature? Any information on this topic would be great.

Personally, I'm more of a debian guy, and this selinux thing is completely new to me. :) Thanks
mshook
Posts: 46
Joined: Mon May 02, 2005 3:33 pm
Location: New York, NY

Re: setenforce 0 worked for me

Post by mshook »

tekbot wrote: 1) Will the level selinux is currently running at (0) maintain after I reboot this server, or is this something I'll need to do every time I restart?

You'll have to do it every time. Look at /etc/selinux/config to change this.

tekbot wrote: 2) What kind of security implications of this action should I be aware of? Is there anything more stringent I can do to allow my rrd/cacti to run while not completely disabling this security feature? Any information on this topic would be great.

http://fedora.redhat.com/docs/selinux-faq-fc3/
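
On the question of something more stringent than turning enforcement off: the sketch below is an added example, not part of the original thread and not audit2allow's own code, showing how "avc: denied" records map to the kind of narrowly scoped `allow` rules that `audit2allow -d` printed earlier in the thread. The log lines are constructed samples, the function names are hypothetical, and the grouping is a simplified approximation of what audit2allow does.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the thread's logs): four denials in the
# older kernel-log layout and the newer audit layout, plus one unrelated line.
SAMPLE_LOG = """\
May 26 09:50:38 host kernel: audit(1117115438.101:0): avc:  denied  { getattr } for  pid=2101 exe=/usr/sbin/httpd path=/etc/selinux/config dev=hda2 ino=4711 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
May 26 09:50:38 host kernel: audit(1117115438.102:0): avc:  denied  { read } for  pid=2101 exe=/usr/sbin/httpd name=config dev=hda2 ino=4711 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
May 26 09:50:41 host kernel: audit(1117115441.300:0): avc:  denied  { getattr } for  pid=2188 exe=/usr/sbin/snmpd path=/etc/selinux/config dev=hda2 ino=4711 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
type=AVC msg=audit(1117115441.310:42): avc:  denied  { read } for  pid=2188 comm="snmpd" name="config" dev=hda2 ino=4711 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
May 26 09:50:42 host crond[900]: (root) CMD (php /var/www/html/cacti/poller.php)
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    # A security context is user:role:type[:level]; rules are written on the type.
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Merge denials by (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        grouped[key].update(m["perms"].split())
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

Each resulting rule names one source type, one target type and the exact permissions that were denied, so it can be reviewed line by line before being added to policy while SELinux stays enforcing.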