
Re: SELinux & PSP 7.80 on RHEL5

 
Dale Ogilvie
New Member

SELinux & PSP 7.80 on RHEL5

Hello,

Since installing the 7.80 PSP on RHEL5 I am getting a bunch of SELinux violations reported.

How can I resolve these errors? Is this expected behaviour from the PSP?

SELinux is preventing /sbin/ethtool (ifconfig_t) "read" to socket: (var_log_t).

SELinux is preventing the /sbin/ethtool from using potentially mislabeled files (/tmp/eth0.noopt).

SELinux is preventing /sbin/ip (ifconfig_t) "read write" to socket: (initrc_t).

SELinux is preventing /usr/sbin/lvm (lvm_t) "unlink" to .cache (lvm_etc_t).

SELinux is preventing /usr/sbin/prelink (prelink_t) "read" on libcmacommon.so.1.0 (usr_t).

SELinux is preventing /usr/sbin/snmpd (snmpd_t) "append" to /var/spool/compaq/cma.log (var_spool_t).

SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).

Thanks

Dale
5 REPLIES
Chris Rosan
Valued Contributor

Re: SELinux & PSP 7.80 on RHEL5

Dale,

I found SELinux to be more headache than it's worth and I always disable it on install now. Unless your machine is DIRECTLY (no other firewall protecting it) internet facing and potentially subject to real hack attempts, iptables firewalling should be enough I would think. I've been running a number of high load direct internet facing servers for a number of years and never had a problem, with strict security employed.
Dale Ogilvie
New Member

Re: SELinux & PSP 7.80 on RHEL5

I suppose I could disable SELinux... But I would have thought that given that SELinux being enabled is the default RedHat install option, the PSP would play nice with it. Or at least have a note somewhere describing how to handle SELinux errors. With my default Redhat install I suspect I only have a "mostly-functional" server after installing the PSP, which is not an improvement.

I would prefer that HP would provide instructions for installing the PSP on the default RHEL install (which includes SELinux enabled). If the instruction was "disable SELinux" that would be something, at the moment the PSP just causes errors on RHEL5 out of the box. My other alternative is to just go with the default RHEL install, as it was working perfectly before I applied the PSP.

I reckon this is poor work from HP with this PSP.
Chris Rosan
Valued Contributor

Re: SELinux & PSP 7.80 on RHEL5

SELinux is very new. It will basically whinge on ANYTHING that isn't standard in Linux, not necessarily just in Red Hat. E.g. I believe you have to modify the SELinux rules if you install something like Red Hat Application Server (even though it's from Red Hat), and even if you run the HTTP daemon on a different port (for obscurity, for say access to an internal site or web-based email system).

What I did when I fixed the original server I had was to set it to "warn", with a view of enabling it as I went on, but there was just TOO much in my environment that didn't conform.

Red Hat & Linux have a lot of stuff enabled that is junk/not required. I think Red Hat 5 is the first that doesn't install PCMCIA drivers in a server designed operating system. If I was installing this on a laptop and still needed PCMCIA, I'd be happy to manually install it later. It could at least determine if you had PCMCIA slots before installing the drivers....
Dale Ogilvie
New Member

Re: SELinux & PSP 7.80 on RHEL5

Well, I have just installed a big java based content management system on this server, and it doesn't cause any SELinux errors, only the PSP does...so far.

RedHat certainly recommend leaving SELinux enabled, HP's PSP says nothing on the subject (that I can find) and just leaves my server with SELinux violations for Africa.

I have had a number of recommendations just to disable that SELinux, maybe that's the best option, but HP's support pack should not muck up my server.
Chris Rosan
Valued Contributor

Re: SELinux & PSP 7.80 on RHEL5

My experience was in the early days of SELinux.

I'd also suggest that the PSP & its features (particularly the alerts etc) will be MUCH more useful than SELinux.

However, you should be able to allow it to do what it needs. I've never set SELinux up but you should be able to find something... Red Hat may have a GUI for it now.