On 4/27/2011 11:42 AM, Thomas Harold wrote:
> On 4/27/2011 9:16 AM, Thomas Harold wrote:
>> - SELinux is running, but there are no denied messages in
>> /var/log/audit/audit.log and no setroubleshooting alerts in
>> /var/log/messages either.
>>
>
> Well, interestingly enough it is SELinux getting in the way, but not
> logging anything. Temporarily disabling SELinux suddenly makes it work.
>
> # echo 0 > /selinux/enforce
> (things now work)
>
> So now I need to figure out why nothing showed up in audit.log.
>
Turns out that it was a SELinux boolean that had not yet been turned on
(specifically httpd_can_network_connect_db).
# getsebool -a | grep 'http'
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
# setsebool httpd_can_network_connect_db on
(Lesson learned, when all else fails, start checking assumptions...)
