Setting <span class="Apple-style-span" style="font-family: monospace; font-size: medium; white-space: pre; ">setenforce 0 is only active for the current running session of the server. The problem will be back after the reboot.</span><div>
<font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">While that is fine to temporarily do that to see if SELinux is the thing blocking, it is generally very bad to use that to solve the problem and you definitely wouldn't want to have it like that on a production environment.</span></font></div>
<div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium; ">I have been getting more and more frustrated with SELinux "silently" blocking things. I really need to take some time and understand how to properly make use of it and work with it. Command restorecon can be a life saver. Look up how to use it.</span></font></div>
<div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium; "><br></span></font><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">A good quote from another forum. It is about an Apache CGI script but the SELinux stuff is very relevant:</span></font></div>
<div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;"><br></span></font></div></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">It is a security risk that someone could alter the script and do
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">something you didn't intend as root.
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">I would suggest *at*most* setting "SELINUX=permissive" in
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">/etc/selinux/config. Then you'll still have a log of all the things
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">that shouldn't have happened, if you ever need to look.
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">A better option would be to extract the AVC denials from the log file and
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">run them through audit2allow to create a policy you could incorporate
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">into the running SELinux policy. Do that as often as you need to
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">address all the denials that are stopping your script from working.
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">The best option is, as other posters have suggested, figure out why
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">your application architecture is screwed up so much that it only works
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">if it runs as root, then fix it. SELinux basically fulfills two
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">security functions. It stops bad people from doing bad things, and it
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">stops foolish people from doing stupid things. Sometimes it needs
</span></font></div></div><div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre; font-size: medium;">tuning, but if you just shut it off, it can't do anything for you.</span></font></div>
</div></blockquote><div><div><br><div class="gmail_quote">On Tue, Sep 14, 2010 at 3:44 AM, ha do <span dir="ltr"><<a href="mailto:haloha201@yahoo.com">haloha201@yahoo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
if someone else got the same problem with me, to solve the issue please follow<br>
the link<br>
<br>
<a href="http://lists.opensips.org/pipermail/users/2010-June/013139.html" target="_blank">http://lists.opensips.org/pipermail/users/2010-June/013139.html</a><br>
<br>
Thank you<br>
<font color="#888888">Ha`<br>
</font><div><div></div><div class="h5"><br>
<br>
<br>
----- Original Message ----<br>
From: ha do <<a href="mailto:haloha201@yahoo.com">haloha201@yahoo.com</a>><br>
To: OpenSIPS <<a href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>><br>
Sent: Tue, September 14, 2010 11:12:47 AM<br>
Subject: [OpenSIPS-Users] get error with opensip-cp on centos 5<br>
<br>
Hi all<br>
<br>
i try to use the opensips-cp 4:<br>
i login to the web page <a href="http://192.168.1.100/cp" target="_blank">http://192.168.1.100/cp</a> successfully<br>
<br>
the menu Admin + User are working properly<br>
but the system menu does not work<br>
i get the error on the webpage:<br>
<br>
sorry -- cannot open write fifo<br>
<br>
and this is the error in debug message :<br>
Sep 14 00:10:42 localhost kernel: type=1400 audit(1284437442.630:49): avc:<br>
denied { getattr } for pid=2093 comm="httpd" path="/tmp/opensips_fifo"<br>
dev=dm-0 ino=884744 scontext=root:system_r:httpd_t:s0<br>
tcontext=root:object_r:tmp_t:s0 tclass=fifo_file<br>
<br>
<br>
i did set fifo_mode, 0666 in opensips.cfg<br>
<br>
please help,what should i do to resolve problem<br>
<br>
Thank you<br>
Ha`<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</div></div></blockquote></div><br></div></div>
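The audit2allow step recommended in the reply, applied to the AVC denial quoted in the original message. This is an added example, not code from the thread or from the SELinux tools: it is a simplified stand-in for what audit2allow derives from a log, the function names are hypothetical, and the second and third sample log lines are constructed.

```python
import re
from collections import defaultdict

# Line 1 is the denial from the thread (joined); lines 2-3 are constructed.
SAMPLE_LOG = (
    'Sep 14 00:10:42 localhost kernel: type=1400 audit(1284437442.630:49): avc: '
    'denied { getattr } for pid=2093 comm="httpd" path="/tmp/opensips_fifo" '
    'dev=dm-0 ino=884744 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:object_r:tmp_t:s0 tclass=fifo_file\n'
    'Sep 14 00:10:43 localhost kernel: type=1400 audit(1284437443.101:50): avc: '
    'denied { write } for pid=2093 comm="httpd" path="/tmp/opensips_fifo" '
    'dev=dm-0 ino=884744 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:object_r:tmp_t:s0 tclass=fifo_file\n'
    'Sep 14 00:10:44 localhost httpd: unrelated, non-AVC line\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """An SELinux context is user:role:type[:level]; return the type."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    src, tgt = context_type(f.get('scontext', '')), context_type(f.get('tcontext', ''))
    if not (src and tgt and f.get('tclass') and m.group('perms')):
        return None
    return {'perms': m.group('perms').split(), 'source': src, 'target': tgt,
            'tclass': f['tclass'], 'path': f.get('path')}

def allow_rules(log_text):
    """Merge denials per (source, target, class) into allow statements."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec['source'], rec['target'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules
```

A rule derived this way applies to every fifo_file labelled tmp_t, not only /tmp/opensips_fifo, so generated rules should be reviewed before they are loaded into the running policy.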