[Novalug] SL 6.2 and selinux and weblogic in httpd
Dan Lavu
dan@lavu.net
Sat Apr 28 00:35:30 EDT 2012
Brander,
A couple of things, this threw me for a loop in the beginning too.
chcon does not change the selinux policy, if you did a restorecon you will
lose all of your settings, it is a great way to test your policy change,
so yes, use chcon first if you are unsure, then use 'semanage', syntax is
like
semanage fcontext -a -s %user -t %type "/hard/path(/.*)?"
then you can do a restorecon to apply the changes.
'semanage fcontext -l' to list the current target policy... use grep,
trust me.
Now with that being said, you might find a Boolean to edit your current
policy in /selinux/boolean,
setsebool -P %bool_var 1
so you don't have to edit each file. More than likely, any RPM package has
a built-in policy so you don't have to hack it, and if that doesn't work,
create a bug report with the package; most of these guys want to know if
their software is being hosed by selinux and they will modify their rpm
package to permit it.
If that fails, you can go through each line in the audit file, but there are
much easier ways to read it, try
audit2why < /var/log/audit/auditlog
audit2allow -a
audit2allow -m %module # will arbitrarily allow *anything* that is wrong in
your audit log, dirty, it works, but you should understand what you're
permitting.
I hope this helps.
Dan
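The AVC denial Brander posted further down in the thread, fed through the route Dan describes (a persistent semanage fcontext rule followed by restorecon, instead of chcon), as an added shell example that is not part of the thread. It assumes only a POSIX shell with awk, tr and cut; the function names avc_field, avc_perm, ctx_type, avc_summary, fcontext_commands and triage are mine, and the /opt path and the httpd_modules_t type are taken from Brander's ls and chcon output. It only prints the commands for review; it does not run semanage or restorecon.

```shell
#!/bin/sh
# Added example, not code from the thread: parse an AVC denial of the shape
# Brander posted and print the persistent semanage/restorecon fix Dan describes.
# Nothing here changes system state; it only prints commands for review.

# Constructed sample: the denial from the thread, rejoined onto one line.
AVC_LINE='type=AVC msg=audit(1335558067.835:25753): avc: denied { search } for pid=11909 comm="httpd" name="WLSPlugin11g-64bit-Apache2.2-linux64-x86_64" dev=dm-0 ino=1712208 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr -d '"' | awk -v k="$2" '
        { for (i = 1; i <= NF; i++) {
              n = index($i, "=")
              if (n > 0 && substr($i, 1, n - 1) == k) { print substr($i, n + 1); exit }
          } }'
}

# avc_perm LINE: print the denied permission, i.e. the word between { and }.
avc_perm() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "{") { print $(i + 1); exit } }'
}

# ctx_type CONTEXT: the type field (third component) of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summary LINE: "source_type permission target_type class", the four
# things to look at before choosing between a relabel, a boolean or a module.
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# fcontext_commands TYPE PATH: the persistent version of Brander's chcon calls.
# semanage records the rule in the local policy and restorecon applies it, so
# a later restorecon no longer undoes the change the way it does after chcon.
fcontext_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$1" "$2"
    printf 'restorecon -Rv %s\n' "$2"
}

# triage LINE: decide which of Dan's routes the denial points at.
# A target labelled user_home_t (or default_t / unlabeled_t) outside a home
# directory, here under /opt, means the files kept the label of wherever they
# were unpacked, so the answer is a relabel, not audit2allow, which would let
# httpd_t read user_home_t everywhere on the box.
triage() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        user_home_t|default_t|unlabeled_t) echo relabel ;;
        *) echo check-booleans-then-audit2allow ;;
    esac
}

# Usage: summarise the denial, classify it and print the fix for review.
avc_summary "$AVC_LINE"   # httpd_t search user_home_t dir
triage "$AVC_LINE"        # relabel
fcontext_commands httpd_modules_t /opt/WLSPlugin11g-64bit-Apache2.2-linux64-x86_64
```

After running the printed commands, `semanage fcontext -l | grep WLSPlugin` (Dan's listing tip) shows the rule, and `ls -Z` on the tree confirms the label survived restorecon.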
-----Original Message-----
From: novalug-bounces@calypso.tux.org
[mailto:novalug-bounces@calypso.tux.org] On Behalf Of Brander Snaxe
Sent: Friday, April 27, 2012 6:08 PM
To: Chuck Frain
Cc: novalug mailing list
Subject: Re: [Novalug] SL 6.2 and selinux and weblogic in httpd
Here's what's in the audit log.
type=AVC msg=audit(1335558067.835:25753): avc: denied { search } for pid=11909 comm="httpd" name="WLSPlugin11g-64bit-Apache2.2-linux64-x86_64" dev=dm-0 ino=1712208 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
I did all of this and the httpd server started up:
[root@goomba opt]# history | grep chcon
184 man chcon
194 chcon -t httpd_modules_t mod_wl.so
196 chcon -u system_u mod_wl.so
203 chcon -u system_u *
204 chcon -t httpd_modules_t *
214 history | grep chcon
215 chcon -t httpd_modules_t WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/
216 chcon -t httpd_modules_t WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib
217 chcon -u system_u WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/
218 chcon -u system_u WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib
220 history | grep chcon
Now I'm wondering if this is correct, or what. It looks like I need to
read the docs. Any pointers or fast-track suggestions so I don't keep asking
the obvious?
Thanks!
----- Original Message -----
From: Chuck Frain <chuck@chuckfrain.net>
To: Brander Snaxe <brandon20va@yahoo.com>
Cc:
Sent: Friday, April 27, 2012 5:32 PM
Subject: Re: [Novalug] SL 6.2 and selinux and weblogic in httpd
The first thing I do is check that SELinux is indeed the blocker issue.
Set it to permissive or disable it altogether and see if your
application works as expected. If it does, then pursue the SELinux stuff
that you need to make it work.
I often find that SELinux is not the problem.
On Fri, 27 Apr 2012, Brander Snaxe wrote:
> I have installed Scientific Linux 6.2 and am trying to configure
WebLogic 11g behind Apache.
>
> I have a feeling SELINUX is causing me problems with the WebLogic
module. I know there have been discussions on this list about SELINUX.
What's the 'proper' way to allow this to work?
>
> [root@goomba conf.d]# service httpd start Starting httpd: httpd:
> Syntax error on line 221 of /etc/httpd/conf/httpd.conf: Syntax error
> on line 1 of /etc/httpd/conf.d/weblogic.conf: Cannot load
> /opt/WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib/mod_wl.so into
> server:
> /opt/WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib/mod_wl.so: cannot
> open shared object file: Permission denied
> [FAILED]
> [root@goomba conf.d]# ls -l
> /opt/WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib/mod_wl.so
> -rwxr-xr-x. 1 root root 337639 Dec 2 05:03
> /opt/WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib/mod_wl.so
> [root@goomba conf.d]# grep enforcing /etc/selinux/config
> #     enforcing - SELinux security policy is enforced.
> #     permissive - SELinux prints warnings instead of enforcing.
> SELINUX=enforcing
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/mailman/listinfo/novalug
--
Chuck Frain
GPG Key: B2420431
http://www.chuckfrain.net