SELinux and CentOS

Over the last few days I lost some hours debugging an interesting problem. After setting up RANCID, an SVN repository and ViewVC, ViewVC did not show the SVN branch, changed configs etc. Initially my thought was that it was a syntax problem. Since the last CentOS installation I made 5 years ago, many things have changed. Mostly small things. Still, it took me around 4h of work to find out why ViewVC did not display the repository. The reason for it was SELinux, which is enabled by default on Red Hat based distributions.

The failure message I spotted after hours in /var/log/messages:

May 30 13:23:04 linux kernel: type=1400 audit(1464607384.915:4): avc: denied { getattr } for pid=930 comm="httpd" path="/var/rancid/CVS/format" dev=sda1 ino=263848 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Finally, the SELINUX policy had to be changed from enforcing to disabled. This is something I had not noticed, since the last CentOS-based system I installed was CentOS 5. It looks like the SELINUX policy for CentOS has changed in that time.
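
An added example, not part of the original post: the denial above already names the mismatch (process domain httpd_t, file type var_t), and this sketch extracts those fields and prints the relabeling commands that are a narrower change than disabling SELinux. It assumes that read-only access is enough for ViewVC and that httpd_sys_content_t from the targeted policy fits; the function names are hypothetical.

```shell
#!/bin/sh
# SAMPLE_AVC is the log line quoted in the post above.
SAMPLE_AVC='May 30 13:23:04 linux kernel: type=1400 audit(1464607384.915:4): avc: denied { getattr } for pid=930 comm="httpd" path="/var/rancid/CVS/format" dev=sda1 ino=263848 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value in LINE (surrounding quotes dropped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_summary LINE -> one line naming the denied permission, the process
# domain (type part of scontext) and the object's type (type part of tcontext)
avc_summary() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
    domain=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    printf 'domain=%s perm=%s target_type=%s class=%s path=%s\n' \
        "$domain" "$perm" "$ttype" "$(avc_field "$1" tclass)" "$(avc_field "$1" path)"
}

# relabel_cmds DIR TYPE -> prints (does not run) the commands that would add a
# file-context rule of TYPE for DIR and apply it. Assumption: TYPE is a type
# the domain may read, e.g. httpd_sys_content_t for read-only web content.
relabel_cmds() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

avc_summary "$SAMPLE_AVC"
relabel_cmds /var/rancid httpd_sys_content_t
```

The printed commands need root and the policycoreutils tools; `ls -Z` on the directory shows the label before and after.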

Forcing Gentoo to use a certain DHCP client

While using $DHCPCLIENT on Gentoo, a certain host did not have additional search entries to look up DNS domain names. The first thought was to edit the resolv.conf file by hand; well, it got overwritten when asking for a new IP address. The second solution was generating a resolv.conf.head with proper search settings. This worked, however the name resolution for additional DNS domain-search did not work properly. The system had been using the following ebuild: net-misc/dhcpcd (6.10.1{tbz2}): A fully featured, yet light weight RFC2131 compliant DHCP client. This sounds great: lightweight and RFC compliant. After reading the manual I did not discover an option to add additional DNS entries, or at least to ignore setting the search variable. It would maybe have worked out with the resolv.conf.head setting. Next approach, after an hour: installing the real ISC DHCP client. All right, there are options to supersede some DNS search entries. Set and done. /etc/dhcp/dhcpclient.conf has been edited, everything is set. Restarting the net.eth0 interface. Still the same: only 1 DNS search entry found. The /etc/resolv.conf looks like this:

# Generated by udhcpc for eth0
domain sub.example.com
nameserver 192.0.2.1
nameserver 192.0.2.10

Highly suspicious, I thought; there is no udhcpc on the system. Not in /bin nor in /sbin. udhcpc is a part of busybox. So it looks like Gentoo does not use the ISC DHCP client even if it is configured and installed. After asking on freenode in the #gentoo support channel, the solution is to configure the following, to force the system to use dhcpclient. Adding the following entry to /etc/conf.d/net brought the solution:

modules_eth0="dhclient"

After restarting, the system had the right configuration. Usually udhcpc is used if neither dhclient nor dhcpcd is found on the system. I thought this might be worth sharing with you gentooers.