selinux

Do you disable SELinux?

I want to know if people here typically disable SELinux on installations where it is on by default? If so can you explain why, what kind of system it was, etc? I'd like to get as many opinions on this as possible. ...

Is it possible to limit standard streams available to linux at the process level?

I would like to be able to spawn a linux process that would only have access to stdin, stdout, and stderr (nothing more and nothing less). Can I do this at the process level itself? I am also implicitly stating (oxymoron) that I don't want the spawned process to be able to change the "thing" that the other end of the stream points to. ...

Best security practices in Linux

What security best-practices would you strongly recommend in maintaining a Linux server? (i.e. bring up a firewall, disable unnecessary services, beware of suid executables, and so on.) Also: is there a definitive reference on Selinux? EDIT: Yes, I'm planning to put the machine on the Internet, with at least openvpn, ssh and apache (at...

LDAP won't update if cached data exists

We have an SELinux client that authenticates network users using LDAP connecting to an Active Directory server. Since our machines have to operate "untethered," we have to use nscd to cache group and passwd info. Here's the issue. If we change group information on the Active Directory server, then log in on the client, if a cache exists...

How to debug an issue of cron's not executing a given script -- or other?

I have a Rails script that I would like to run daily. I know there are many approaches, and that a cron'd script/runner approach is frowned upon by some, but it seems to meet my needs. However, my script is not getting executed as scheduled. My application lives at /data/myapp/current, and the script is in script/myscript.rb. I can r...

How do you automate the launching/debugging of large scale projects?

Scenario: There is a complex piece of software that is annoying to launch by hand. What I've done is to create a python script to launch the executable and attach gdb for debugging. The process launching script: ensures an environment variable is set. ensures a local build directory gets added to the environment's LD_LIBRARY_PATH var...

SELinux and JAVA

Are there any best practices to handle Java applications with SELinux? Is it possible to configure SELinux for each Java app, or can only the VM be handled because it makes the final system calls? thanks ...

SELinux, Fedora, and Trusted Applet crashing?

For some reason, if I run Firefox 3.5.x under Fedora 11 with SELinux enabled, my browser crashes when I attempt to embed the applet dynamically. Under Windows, Ubuntu, and Mac, the user is prompted to trust the signer and then trust the executing java applet, but under Fedora, I never see this prompt. If I disable SELinux, I get NO promp...

Is there a way to build a libxml2 without text relocations on Linux?

Good afternoon, I am having difficulties with libxml2. I tried to build the Perl module XML-LibXML which is part of our standard runtime environment. However, this time the installation on a RHEL5 box failed, because the build process complained about missing libxml2: $> perl Makefile.PL LIB=/foo/lib/perl PREFIX=/foo INSTALLDIRS=site...

Log files not being written to (Passenger)

Locally, my app runs fine and writes to its logs. My production server is running CentOS with an Apache server running Passenger. When trying to debug, I noticed my log files were not being written to. First thing I did was chmod 0666 them, and when I found out that didn't work I looked at my apache log. I found this: Rails Error: Un...

SELinux Prevents Java from Running

Hi All, I recently installed Sun Java on a system with a fairly basic SELinux install on it. I'm running Debian Etch and installed the Sun Java package from the non-free package repository. Here are the error notices that appear in the syslog when I run java -version. `Feb 9 14:02:40 dev kernel: audit(1265742160.570:4107): avc: de...

SELinux integrity check

How can I check (with SELinux) access to a file by process name? For example: we have 2 processes: * /usr/bin/foo1 * /usr/bin/foo2 They are run under an account with username userA and try to open for modification the file /home/userA/test.txt. I want that if foo1 tries to open the file, it's ok. But if foo2 tries to open this file, I have a message...

Run Apache on port 81 with SELinux off

I have done "semanage port -a -t http_port_t -p tcp 81" and modified httpd.conf to listen on port 81. After restarting the httpd service it is not working, but it is working with the default port 80. I have checked my SELinux and it is in fact disabled. Can someone get me out of it? ...

PHP Write Permission - FC13

I have recently installed FC13 and am attempting to write a mechanism in my PHP code that caches gathered data into a specific directory (for our purposes here, let's call it /var/www/html/_php_resources/cache). I copy my files over to the /var/www/html directory and then run chown -R apache:apache /var/www/html/* and chmod a+w /var/www...

Why am I getting a SegFault when I call pdftk from PHP/Apache but not PHP/CLI or directly

When I call /usr/local/bin/pdftk from PHP in Apache (via shell_exec(), exec(), system(), etc.), it returns the SYNOPSIS message as expected. When I call /usr/local/bin/pdftk input.pdf fill_form input.fdf output output.pdf flatten via shell_exec(), nothing returns. When I copy and paste the exact same string to the same path in the shel...

Can't access to a user jailed by Jailkit

I am trying to jail a user, not permitting it to access anything besides its home directory. I have installed Jailkit, and jailed a user named customer01 as described at Jailkit's official site. Seems I got everything correct besides some PAM configurations. When trying to switch the user to customer01 by su customr01 and typin...

Giving a unix process exclusive RW access to a directory

Is there a way to sandbox a linux process into a certain directory, and give this process exclusive rw access to this dir? For example, create a temporary working directory, and start e.g. python or another scripting tool in such a way that it can only write in this directory, without limiting too much of its functionality. And also that...