[Novalug] SL 6.2 and selinux and weblogic in httpd

Dan Lavu dan@lavu.net
Sat Apr 28 00:35:30 EDT 2012


Brander,

A couple of things, this threw me for a loop in the beginning too.

chcon does not change the SELinux policy; if you do a restorecon you will
lose all of your settings. It is a great way to test your policy change,
so yes, use chcon first if you are unsure, then use 'semanage'; the syntax is
like

semanage fcontext -a -s %user -t %type "/hard/path(/.*)?"

then you can do a restorecon to apply the changes.

'semanage fcontext -l' to list the current target policy... use grep,
trust me.

Now with that being said, you might find a Boolean to edit your current
policy in /selinux/boolean,

setsebool -P %bool_var 1

so you don't have to edit each file. More than likely, any RPM package has
a built-in policy so you don't have to hack it, and if that doesn't work,
create a bug report with the package; most of these guys want to know if
their software is being hosed by SELinux and they will modify their RPM
package to permit it.

If that fails, you can go through each line in the audit file, but there are
much easier ways to read it; try

audit2why < /var/log/audit/auditlog

audit2allow -a

audit2allow -m %module # will arbitrarily allow *anything* that is wrong in
your audit log. Dirty, but it works; you should understand what you're
permitting.

I hope this helps.

Dan
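An added example (not from any of the posters): a small POSIX sh script that summarises AVC denial records like the one pasted below in the thread, and prints the persistent semanage/restorecon commands Dan describes for the plugin path and the httpd_modules_t type Brander used. The function names are my own, the sample record is the thread's line joined onto one line, and the commands are printed rather than run (they need root and a real SELinux host).

```shell
#!/bin/sh
# Constructed sample: the AVC record from the thread, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1335558067.835:25753): avc:  denied  { search } for pid=11909 comm="httpd" name="WLSPlugin11g-64bit-Apache2.2-linux64-x86_64" dev=dm-0 ino=1712208 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# avc_summary: read AVC records on stdin and print one line per denial:
#   <permissions> <source type> -> <target type> (<class>) comm=<process>
# The target type is what a chcon/semanage relabel has to change; the
# source type tells you which domain (here httpd_t) is being confined.
avc_summary() {
  awk '
    /^type=AVC/ && /denied/ {
      perm = $0
      sub(/.*denied  *\{ */, "", perm)   # drop everything before "{ "
      sub(/ *\}.*/, "", perm)            # drop everything after " }"
      n = split($0, f, " ")
      for (i = 1; i <= n; i++) {
        split(f[i], kv, "=")
        if (kv[1] == "scontext") { split(kv[2], s, ":"); src = s[3] }
        if (kv[1] == "tcontext") { split(kv[2], t, ":"); tgt = t[3] }
        if (kv[1] == "tclass")   cls = kv[2]
        if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
      }
      printf "%s %s -> %s (%s) comm=%s\n", perm, src, tgt, cls, comm
    }'
}

# label_plan PATH TYPE: print the persistent equivalent of the one-off
# chcon commands from the thread, using the -t form of Dan's semanage
# syntax followed by restorecon to apply it. Dry run only: nothing is
# executed. (If a rule for PATH already exists, semanage needs -m, not -a.)
label_plan() {
  path=$1
  type=$2
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$path"
  printf 'restorecon -Rv "%s"\n' "$path"
}

# Stand-alone run: summarise the sample and show the plan for the plugin dir.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
label_plan /opt/WLSPlugin11g-64bit-Apache2.2-linux64-x86_64 httpd_modules_t
```

Whether httpd_modules_t is the right type for this plugin is exactly what audit2why and the httpd_selinux man page should confirm before the rule is made persistent.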

-----Original Message-----
From: novalug-bounces@calypso.tux.org
[mailto:novalug-bounces@calypso.tux.org] On Behalf Of Brander Snaxe
Sent: Friday, April 27, 2012 6:08 PM
To: Chuck Frain
Cc: novalug mailing list
Subject: Re: [Novalug] SL 6.2 and selinux and weblogic in httpd

Here's what's in the audit log.

type=AVC msg=audit(1335558067.835:25753): avc:  denied  { search } for pid=11909 comm="httpd" name="WLSPlugin11g-64bit-Apache2.2-linux64-x86_64" dev=dm-0 ino=1712208 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

I did all of this and the httpd server started up:
[root@goomba opt]# history | grep chcon
  184  man chcon
  194  chcon -t httpd_modules_t mod_wl.so
  196  chcon -u system_u mod_wl.so
  203  chcon -u system_u *
  204  chcon -t httpd_modules_t *
  214  history | grep chcon
  215  chcon -t httpd_modules_t WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/
  216  chcon -t httpd_modules_t WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib
  217  chcon -u system_u WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/
  218  chcon -u system_u WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib
  220  history | grep chcon

Now I'm wondering if this is correct, or what. It looks like I need to
read the docs. Any pointers or fast-track suggestions so I don't keep asking
the obvious?

Thanks!



----- Original Message -----
From: Chuck Frain <chuck@chuckfrain.net>
To: Brander Snaxe <brandon20va@yahoo.com>
Cc:
Sent: Friday, April 27, 2012 5:32 PM
Subject: Re: [Novalug] SL 6.2 and selinux and weblogic in httpd

The first thing I do is check that SELinux is indeed the blocker issue.
Set it to permissive or disable it altogether and see if your
application works as expected. If it does, then pursue the SELinux stuff
that you need to make it work.

I often find that SELinux is not the problem.

On Fri, 27 Apr 2012, Brander Snaxe wrote:

> I have installed Scientific Linux 6.2 and am trying to configure
> WebLogic 11g behind Apache.
>
> I have a feeling SELinux is causing me problems with the WebLogic
> module. I know there have been discussions on this list about SELinux.
> What's the 'proper' way to allow this to work?
>
> [root@goomba conf.d]# service httpd start
> Starting httpd: httpd: Syntax error on line 221 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/weblogic.conf: Cannot load /opt/WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib/mod_wl.so into server: /opt/WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib/mod_wl.so: cannot open shared object file: Permission denied
>                                                            [FAILED]
> [root@goomba conf.d]# ls -l /opt/WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib/mod_wl.so
> -rwxr-xr-x. 1 root root 337639 Dec  2 05:03 /opt/WLSPlugin11g-64bit-Apache2.2-linux64-x86_64/lib/mod_wl.so
> [root@goomba conf.d]# grep enforcing /etc/selinux/config
> #     enforcing - SELinux security policy is enforced.
> #     permissive - SELinux prints warnings instead of enforcing.
> SELINUX=enforcing
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/mailman/listinfo/novalug

--
Chuck Frain
GPG Key: B2420431
http://www.chuckfrain.net
