I don't know why SELinux problems seem so frustrating. The problem almost certainly is related to the fact that there is frequently no error message. This is exactly the problem I ran into while turning up a new Apache web server on Red Hat Enterprise Linux 6 (RHEL6) with SELinux enabled.
I feel a sense of pride when I think that I was involved in the development and maintenance of what was probably the first piece of software accepted into Debian which then had and still has direct up-stream support from Microsoft. The world is a better place for having Microsoft in it. The first operating system I ever ran on an 08086-based CPU was MS-DOS 2.x. I remember how thrilled I was when we got to see how my friend’s 80286 system ran BBS software that would cause a modem to dial a local system and display the application as if it were running on a local machine. Totally sweet.
When we were living at 6162 NE Middle in the nine-eight 292, we got an 80386 which ran Doom. Yeah, the original one, not the fancy new one with the double barrel shotgun, but it would probably run that one, too. It was also …
[Read more]The brief outage was due to a scheduled move of the servers to a separate rack and subnet dedicated to our work with the Center for Information Assurance & Cybersecurity (ciac) at the University of Washington Bothell (uwb), and a11y.com
I am currently exercising the new (to us) equipment and hope to winnow the less than awesome equipment over the next quarter. I spent the last six months finding the best in breed of the surplussed DL385 and DL380 chassis we (work) were going to have recycled. The team and I were able to find enough equipment to bring up one of each with eight and six gigs of memory, respectively. These will make excellent hypervisors for provisioning embedded instances of Slackware, Fedora, RHEL, CentOS, Debian, FreeBSD, OpenSolaris, OpenIndiana, FreeDOS, etc.
When I initially configured this xen paravirt environment, I failed to plan for integration with libvirt, so I am now re-jiggering the software bridges so …
[Read more]I see a lot of people coming by #centos and similar channels asking for help when they’re experiencing a problem with their Linux system. It amazes me how many people describe their problem, and then say something along the lines of, “and I disabled SELinux...”. Most of the time SELinux has nothing to do with the problem, and if SELinux is the cause of the problem, why would you throw out the extra security by disabling it completely rather than configuring it to work with your application?
If you're using a non-standard MySQL data directory on your Red Hat Enterprise Linux (RHEL) server, you may have seen an error like /usr/libexec/mysqld: Can't change dir to '/mysql_data/' (Errcode: 13). The key to fixing this problem is to ensure the new MySQL data directory has the proper SELinux security context. In my case: # […]
I ran into an interesting issue when installing Wordpress on my re-installed server, I could not get a database connection during installation. I added some debugging and discovered that I had a "Can't connect to MySQL server on" error returned after the call to mysql_connect() in PHP.
To check the source of the issue I then tried to connect on the command-line using the mysql client, which occurred successfully, confirming that I was using the correct credentials and host address (this was a remote MySQL server).
I next created a test PHP script with a simple mysql_connect() call, and executed it with "php test.php" from the command-line, which was also successful.
Finally I accessed test.php through a browser, where again the connection failed.
So I was dealing with a situation where it was Apache in particular that was unable to connect to the remote MySQL server. Thanks to …
[Read more]I’ve been working with a client recently who has SELinux on his servers. It has been quite a struggle sometimes.
My colleages tell me that SELinux has a pretty noticeable performance impact. I am not sure if we have benchmarks to support this; at any rate, the client said it’s OK, we’ll take the performance hit.
There [...]
We made a very significant announcement last week, of a collaboration with one of the most (if not the most) security sensitive institutions on earth, the United States government's National Security Agency. They've joined the burgeoning OpenSolaris community, to collaborate with Sun and other community members on the future of ultra-secure operating systems.
To put this in context, community engagement has always been one of the most important ways Sun innovates in the marketplace - we partner with those that have extreme demands (whether it's the world's largest supercomputing facility, or the world's most paranoid security professionals (no offense intended), or the world's largest archival storage facilities), and then we leverage that expertise to create products for the mass market. We let extreme customers teach …
[Read more]