IRC Archive / Freenode / #centos / 2015 / July / 10 / 1
natetg
Good morning. Uploading a file via PHP and then moving it to its proper location with move_uploaded_file() keeps the initrc_tmp_t SELinux filecontext. I've added a fcontext policy on the destination directory to set type to httpd_sys_content_t, but in my research it seems that mv does not re-evaluate the file type. Is this correct? What is the proper way to address this?
TrevorH
copy it and delete the original would be my guess
Socket-
Hello, can anyone help me identify why yum update fails? http://pastebin.centos.org/29536/
TrevorH
because EPEL's mirrors are creamcrackered *again*. Run yum clean all and try again and if it still fails report in #epel
[GoerN]
Zerberus: oh well, then it is just a confusion on my side...
Zerberus: and that NetworkManager sets the type to ethernet... is that ok too?
Zerberus
should be wifi
[GoerN]
Zerberus: ja, thought so, I can't set the wpa psk due to ethernet type
TrevorH
I've seen reports of that before and never found a solution
[GoerN]
TrevorH: that NM uses ethernet instead of wifi?
         

TrevorH
that something in that realtek kernel module reports itself back as wired not wireless
I don't think it's an NM problem
though since no-one has yet got to the bottom of it, I suppose it might be
[GoerN]
TrevorH: i see :(
yo61
I'm having trouble using mock on CentOS 7. My builds are failing with:
/bin/rpm: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory
PryMar56
yo61, BuildRequires zlib-devel
TrevorH
that looks more serious than just a missing BuildReq
is this right at the start?
yo61
https://www.irccloud.com/pastebin/SULGqUgA/
That's trying to build a SRPM from a spec file
Have deleted the mock cache and am trying again
Hmm, something odd going on. I see a similar error several times during the re-creation of the mock cache, and it's installing plexmediaserver (!). I suspect I may have a rogue repo in there...
TrevorH
I think so
haroldjfks
hello :-) is there an app to monitor outgoing (or even incoming) http(s) connections which allows to see the entire url (http://....) and IP and such like that... ? thanks
occupant
well there's no viewing the URL of an HTTPS connection
haroldjfks
and for http ? possible?
TrevorH
http is plaintext so you can just sniff network traffic and see it
occupant
not sure what you'd really want to use for that though.
haroldjfks
ok, but is there an app which does it all ? I should need to see any outgoing IP and if the protocol is http even the entire url... possible or not? thanks
maybe wireshark ?
TrevorH
you could use a proxy like squid and read its logs or you can just sniff plaintext and wireshark will probably display the urls for you
wireshark could do it for https too if you just happened to have the certificate that was used ;)
haroldjfks
@TrevorH: thanks
uid1
Any idea(s) what the latest btrfs versions are under 6.6 and 7.x ? Any repos reliably add this functionality?
TrevorH
since it's a kernel module you can't really tell since the version number it gives you modinfo is the kernel version
you could read rpm -q --changelog kernel-3.10.0-229.4.2.el7 | grep -i btrfs | less if you're that interested
(Action) shuts down that vm to get the newer kernel booted
uid1
I switched away from CentOS on this box a while back, have some things on a btrfs partition, wish to switch back to CentOS and still access the btrfs partition. Last time I looked (6.5 I think), btrfs was at version 0.2 or so. "btrfs --version" is showing 3.12 on this box at the moment.
TrevorH
btrfs-progs.x86_64 3.16.2-1.el7
but that's just the userspace side, the important bit is presumably the kernel module
uid1
Excellent, thank you TrevorH
         

TrevorH
0.20-0.2.git91d9eec.el6
on el6
uid1
Right, that's what I expected on el6
TrevorH
btrfs even in el7 is tech preview which means if it eats your data you get to keep everything that's left
uid1
Yeah - frequent backups to ext3 drive for me.
goldstar
I am trying to login my centos box via console as root and keep getting "login: pam_selinux(login:session): Error! Unable to set root key creation context root:staff_r:oddjob_mkhomedir_t:s0-s0:c0.c1023."
mrconfused
hi guys
i'm confused about selinux
goldstar
looks like an selinux issue but I can't even get onto the box to sort the damn thing out
mrconfused
I have it disabled and yet when i do sestatus it shows enabled
TrevorH
mrconfused: then it's not disabled
mrconfused
@TrevorH when i restart my box and type sestatus it shows disabled
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/sysconfig/selinux && cat /etc/sysconfig/selinux setenforce 0 | echo "already disabled"
TrevorH
it can't go from disabled to enabled without a reboot
and you just said that sestatus says it's ENabled
and really, you shouldn't disable it at all. Learn how to use it instead
@selinux
centbot
Useful resources for SELinux: http://wiki.centos.org/HowTos/SELinux | http://wiki.centos.org/TipsAndTricks/SelinuxBooleans | http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/ | http://www.youtube.com/watch?v=bQqX3RWn0Yw | http://opensource.com/business/13/11/selinux-policy-guide
TrevorH
goldstar: are you able to restart the box?
goldstar
any thoughts on my issue ? This happened when I updated the selinux policies from the updates repo
TrevorH: I sure can but am quite worried it won't even start again; this is the load balancer
TrevorH
goldstar: that might be true but I expect it would if you passed some kernel parameters to it
from the info you gave I don't think there is enough to tell what the problem is. Can you login remotely at all?
mrconfused
TrevorH: When we launched nodes in the past, it was disabled. Since then we added s3fs and now when we launch nodes and run sestatus it shows on but the configs show disabled. When I do a reboot it shows disabled
s3fs and fuse
goldstar
TrevorH: nope; trying to connect via ssh gives me "sshd[13269]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument" and console gives you the error above
TrevorH
mrconfused: it's not possible to go from disabled to enabled (or vice versa) without a reboot
goldstar: is that ssh as root or as a normal user?
goldstar
TrevorH: ssh as another user; root ssh is disabled
mrconfused
TrevorH: is that for all versions of centos ? I just learned that we went from Centos6.X to Centos7
TrevorH
yeah, that sounds ill
mrconfused: yes
you can go from enforcing to permissive and back with setenforce but if it's _disabled_ then it is disabled
DrJ
when I ssh in I only see user@server in the prompt
when the hostname is actually server.domain.com
I want to see the whole thing
goldstar
TrevorH: any suggestions ? I have noticed over the last 1/2 years that selinux policy updates have been very fickle and have broken my systems some occasions; that's obviously problematic
TrevorH
goldstar: they shouldn't break anything if you use semanage to apply new rules and not use chcon
goldstar: my best current suggestion would be to reboot the box and hit esc at the grub prompt, edit the kernel command line and append enforcing=0 so it comes up in permissive so you can look at logs and file contexts in more detail
then once you're in (fingers crossed!) hit the selinux mailing list and cry for help
goldstar
TrevorH: I'm not applying any new rules though ? It looks like I will have to relabel/restorecon every time I update policies which is a right bane
TrevorH
or #selinux
do you ever use chcon to change file contexts?
goldstar
TrevorH: I'm spinning up a backup and will try it on that first; damn, forgot about the #selinux channel
TrevorH: never
TrevorH
what CentOS version is this?
goldstar
TrevorH: 6.6
TrevorH
was it installed recently?
goldstar
TrevorH: nope; over a year old
TrevorH
I ask because one of the more recent versions had a bug in the installer that installed one of the selinux packages and tried to run its postscript but a dependent package was not installed at that point so the postscript failed to do what it should have done
goldstar
TrevorH: when was this?
TrevorH
don't remember if it was 6.6 or 6.5
goldstar
right;
TrevorH
but I think you'd know because when it did break later it was quite noticeable
and I don't think your current problem is that
goldstar
Yeh; never had this one before, a real nightmare scenario; the LB went into maintenance mode for 5 min and that's what triggered me to check what was going on
only to realise I couldn't even ssh into the box
TrevorH
is there a backup LB or is that it?