On Wed, Jun 29, 2011 at 12:29 AM, <no-re...@cfengine.com> wrote:
> Forum: Cfengine Help
> Subject: Re: CFEngine in co-existance with SELINUX
> Author: davidlee
> Link to topic: https://cfengine.com/forum/read.php?3,22644,22655#msg-22655
>
> It's a couple of years since I got close to doing hand-to-hand combat with
> SELinux, and even then I mostly chickened out. And I've been away from
> SELinux since then, until just recently.
>
> I understand that the message "SELinux is preventing ...", when the system is
> in permissive mode, is merely shorthand for what would have happened if the
> system had been in enforcing mode. (Indeed, that is the main purpose of
> "permissive", isn't it?) The "sealert" explains in more detail: try an
> example.
>
> Deb raises a good general point, which I believe we ought to acknowledge. At
> my site, we have just installed some RHEL machines, and the installation
> defaults to "enforcing". (We opted for "permissive"!) And Fedora similarly
> wants to encourage the end-user to use SELinux.
>
> My own view is that it would be prudent for the "cfengine" installation
> itself to be SELinux-aware, so that at least its own internal workings work
> cleanly with SELinux. Our own log files are loaded with messages of the form
> "SELinux is preventing ifconfig (ifconfig_t) "write" to
> /var/cfengine/outputs/..."; these messages, referring to cfengine's own
> files, really should not be there. (Now if a site writes cfengine rules
> which edit system files, that might be a different matter, but even there one
> would hope that cfengine would preserve SELinux settings on pre-existing
> files.)
>
> So I think Deb raises a valid point about the great desirability of cfengine
> working co-operatively with SELinux.
There are two bug tickets on this at redhat.com:

1. https://bugzilla.redhat.com/show_bug.cgi?id=665935
   Daniel Walsh 2010-12-28 08:15:06 EST (who's done a lot of work on SELinux under Red Hat) comments: "cfengine should open its log files for append, not write." That sounds like it would fix the issue, if it doesn't break something else inside cfengine?

2. https://bugzilla.redhat.com/show_bug.cgi?id=607451 gives an SELinux policy you could apply to filter out these messages (in other words, a workaround).

Best,
-at

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
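As an added illustration (not code from this thread or from cfengine) of what "open its log files for append, not write" means at the system-call level: an O_APPEND descriptor can only ever add bytes at end-of-file, which is why SELinux checks the narrower `append` file permission for it instead of `write`. A policy that grants a daemon only `append` on its own logs is satisfied by the first open pattern below and denied for the second. The function names and the /tmp path in main() are our own choices.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log file append-only: every write() lands at end-of-file.
 * This is the pattern the Red Hat bug comment asks for. */
int open_log_append(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
}

/* Open the same file for plain writing: the pattern that triggers the
 * "write" denial the quoted log messages complain about. */
int open_log_write(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0640);
}

/* Returns 1 if the descriptor carries O_APPEND, 0 if not, -1 on error.
 * Useful as a self-check in a daemon's log-opening code. */
int fd_is_append_only(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;
    return (flags & O_APPEND) ? 1 : 0;
}

/* Demonstrates why the kernel can classify an O_APPEND open as "append":
 * even after seeking back to offset 0, the second line is placed after the
 * first, so existing content cannot be overwritten. The file is truncated
 * first to make the result deterministic. Returns the final file size in
 * bytes (13 for the two constructed lines), or -1 on error. */
long append_ignores_seek(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0640);
    if (fd < 0)
        return -1;
    close(fd);

    fd = open_log_append(path);
    if (fd < 0)
        return -1;
    if (write(fd, "first\n", 6) != 6 || lseek(fd, 0, SEEK_SET) < 0 ||
        write(fd, "second\n", 7) != 7) {
        close(fd);
        return -1;
    }
    close(fd);

    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (long)st.st_size;
}

int main(void)
{
    const char *path = "/tmp/append_example.log";   /* constructed test path */
    int fd = open_log_append(path);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    printf("O_APPEND set on append descriptor: %d\n", fd_is_append_only(fd));
    close(fd);
    printf("file size after seek-then-write: %ld\n", append_ignores_seek(path));
    return 0;
}
```

In an audit log the difference shows up in the denied permission field: an append-only descriptor that is refused reports `{ append }`, while a plain writable one reports `{ write }`, which is the wording seen in the quoted "SELinux is preventing ... "write" to /var/cfengine/outputs/..." messages.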