Hacker News
by joseph 3427 days ago
I just ran into one yesterday. I was pulling my hair out because rsyslog wasn't forwarding messages to logstash. I checked and double-checked my configurations, tried different settings, and it all looked correct but it still wouldn't work. Finally an strace of rsyslog showed permission denied when attempting to send a message. Aha, SELinux got me again.
2 comments

strace is seriously amazing for troubleshooting stuff that you can't just throw some debug print statements into. strace -f -e open -s 4096 -- whatever --foo is my typical usage of it (follow forks, only trace "open" calls (to see what a program might be trying to look for a thing), string size = 4096 so e.g. paths don't get cut off, -- to say that you're done giving options to strace and all --options should now go to "whatever"). That + ps auxf | less and searching for a process to see how it fits into the tree + lsof -p [pid] + top and hitting c, 1, u (then typing the user of processes I'm interested in) or hitting < or > to change sort columns + netstat -lnp | grep LISTEN ... are the basics of how I figure WTF is going on with a system I've just jumped onto. SELinux and systemd with the journal logging sometimes get in the way of these flows unless you know what you're looking for and are vaguely aware of how they hook into things.
Wouldn't it have been easier to check the audit.log? Pump out the contents to audit2allow and you will have a nice new config that would allow your setup. Heck, it would even tell you if there is already a boolean for that config.

I really don't see any reason to disable SELinux. Maybe back in RHEL5 days, but not since then. Just educate yourself on some tools. It really isn't that hard.
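Both of the approaches above (reading a permission error out of an strace, and reading the AVC denial out of audit.log and handing it to audit2allow) can be tied together in a small triage script. The following is an added example, not code from the thread or from any of the tools named in it. The strace and audit.log lines are constructed to resemble the rsyslog case (a connect() to port 5514 refused while rsyslogd runs as syslogd_t); the pid, port, contexts and the httpd line are illustrative. The rule string the script emits follows the `allow source_t target_t:class perm;` form that audit2allow prints, but that is a reconstruction, not audit2allow's output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: what an `strace -f` of a syslog daemon might show when
# the outbound connect is refused by the kernel. Only the EACCES line matters.
STRACE_SAMPLE = """\
[pid  1234] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 7
[pid  1234] connect(7, {sa_family=AF_INET, sin_port=htons(5514), sin_addr=inet_addr("10.0.0.5")}, 16) = -1 EACCES (Permission denied)
[pid  1234] open("/etc/rsyslog.conf", O_RDONLY) = 8
[pid  1234] open("/var/log/app/app.log", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# Constructed sample /var/log/audit/audit.log excerpt (assumed format of AVC records).
AUDIT_SAMPLE = """\
type=AVC msg=audit(1422456789.123:456): avc:  denied  { name_connect } for  pid=1234 comm="rsyslogd" dest=5514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1422456789.123:456): arch=c000003e syscall=42 success=no exit=-13 a0=7
type=AVC msg=audit(1422456790.001:457): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# A refused syscall reports EACCES or EPERM; SELinux and plain DAC look identical here.
PERMISSION_ERRNOS = {"EACCES", "EPERM"}

@dataclass
class StraceDenial:
    pid: Optional[int]
    syscall: str
    args: str
    errno: str

@dataclass
class AvcDenial:
    pid: int
    comm: str
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool

# "[pid  N] call(args) = -1 EXXX (text)"; the pid prefix only appears with -f.
STRACE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<call>\w+)\((?P<args>.*)\)\s+=\s+-1\s+(?P<errno>E[A-Z]+)'
)

# The fields of an AVC record that audit2allow itself keys on.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def strace_denials(text: str) -> List[StraceDenial]:
    """Return only the syscalls that failed with a permission error (ENOENT etc. are noise here)."""
    out = []
    for line in text.splitlines():
        m = STRACE_RE.match(line)
        if m and m.group("errno") in PERMISSION_ERRNOS:
            pid = int(m.group("pid")) if m.group("pid") else None
            out.append(StraceDenial(pid, m.group("call"), m.group("args"), m.group("errno")))
    return out

def avc_denials(text: str) -> List[AvcDenial]:
    """Parse every type=AVC 'denied' record; SYSCALL and other record types are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append(AvcDenial(int(m.group("pid")), m.group("comm"), m.group("perms").split(),
                                 m.group("scontext"), m.group("tcontext"), m.group("tclass"),
                                 m.group("permissive") == "1"))
    return out

def selinux_type(context: str) -> str:
    """user:role:type[:level] -> type (the part policy rules are written against)."""
    return context.split(":")[2]

def suggest_rule(avc: AvcDenial) -> str:
    """Render the denial as an allow rule in the form audit2allow prints (reconstructed here)."""
    perms = avc.perms[0] if len(avc.perms) == 1 else "{ " + " ".join(avc.perms) + " }"
    return f"allow {selinux_type(avc.scontext)} {selinux_type(avc.tcontext)}:{avc.tclass} {perms};"

def correlate(strace_text: str, audit_text: str) -> List[dict]:
    """Pair each permission error seen in strace with AVC records for the same pid.
    A match means SELinux refused it; no match means look at DAC/ACLs/capabilities
    (or at dontaudit rules, which hide denials until `semodule -DB`)."""
    avcs = avc_denials(audit_text)
    results = []
    for d in strace_denials(strace_text):
        matches = [a for a in avcs if d.pid is not None and a.pid == d.pid]
        results.append({"strace": d, "avc": matches,
                        "verdict": "selinux" if matches else "dac-or-other"})
    return results

if __name__ == "__main__":
    for hit in correlate(STRACE_SAMPLE, AUDIT_SAMPLE):
        d = hit["strace"]
        print(f"{d.syscall}() by pid {d.pid} failed with {d.errno}: {hit['verdict']}")
        for a in hit["avc"]:
            mode = "permissive (logged only)" if a.permissive else "enforcing (actually blocked)"
            print(f"  AVC: {a.comm} {a.perms} {a.tclass} {mode}")
            print(f"  candidate rule: {suggest_rule(a)}")
```

The candidate rule is the starting point, not the fix: a blanket `allow` for `unreserved_port_t` is broader than labeling the one port the daemon needs (`semanage port` is the tool for that), and `audit2allow -w` / `audit2why` will say whether an existing boolean already covers the case, which is the check worth running before writing any policy module. The `permissive` flag in the record matters too: in a permissive domain the denial is logged but the call succeeds, so an AVC line alone does not explain a hard failure.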

Sure, it would have been easier for me to check the audit log, however the idea that it was an issue with SELinux didn't even cross my mind until I used strace. The vast majority of Linux systems I work on do not have it enabled.

You may not see a reason to disable SELinux, but not all Linux systems are RHEL, and they don't have it enabled to begin with. I personally would not enable it on a system that was not designed for it as a default.