Annoyance with SELinux

2007/05/29 14:26:00

If you don’t know what SELinux is, start here.

I just spent the last hour or two trying to figure out why syslog would not log anything on one of my machines. It turns out I must’ve copied an updated /etc/services file from /tmp to /etc. This would normally be fine, but the file did not contain the correct context. Instead, copying it gave it the context of the /tmp directory.

Hence, syslog would not start. Because syslog is where SELinux logs its errors, I couldn’t see any errors to lead me to figure out what the problem was.

Once I changed SELinux from enforcing to permissive with:

/usr/sbin/setenforce Permissive

I could see that syslog started fine and was telling me that the context on /etc/services was out of whack.

Ergh…

I wonder if there is some way I can make sure this doesn’t happen again?

I guess I could use the setfiles command frequently to ensure that all of the file contexts are set correctly.
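As an added illustration of what setfiles and restorecon actually check (example code, not part of the original post): the policy's file_contexts table maps path regexes to labels, and a relabel tool compares each file's on-disk label with the table's answer. The table, the `ls -Z`-style lines, and the last-match-wins rule below are simplified assumptions for the example.

```python
import re

# Constructed, cut-down file_contexts-style table ("<path regex> <context>");
# real policies carry thousands of entries. "<<none>>" means "never relabel".
FILE_CONTEXTS = """
/etc(/.*)?      system_u:object_r:etc_t:s0
/etc/services   system_u:object_r:etc_t:s0
/tmp            system_u:object_r:tmp_t:s0
/tmp/.*         <<none>>
"""

def parse_file_contexts(text):
    """Compile each rule; the regex must match the whole path, as setfiles requires."""
    rules = []
    for line in text.strip().splitlines():
        pattern, ctx = line.split()
        rules.append((re.compile(pattern + "$"), ctx))
    return rules

def expected_context(rules, path):
    """Simplified matchpathcon: the last matching rule wins (file_contexts is
    conventionally ordered generic first, specific later). None = leave alone."""
    chosen = None
    for regex, ctx in rules:
        if regex.match(path):
            chosen = ctx
    return None if chosen in (None, "<<none>>") else chosen

def find_mislabeled(rules, ls_z_lines):
    """Compare on-disk contexts (constructed '<context> <path>' lines, as `ls -Z`
    prints them) with what the policy expects; return (path, actual, wanted)."""
    bad = []
    for line in ls_z_lines:
        actual, path = line.split()
        want = expected_context(rules, path)
        if want is not None and actual != want:
            bad.append((path, actual, want))
    return bad

def restore_commands(mislabeled):
    """restorecon resets each path to its file_contexts label, the fix for the post."""
    return ["restorecon -v " + path for path, _, _ in mislabeled]

RULES = parse_file_contexts(FILE_CONTEXTS)

# Constructed sample: /etc/services still carries tmp_t, exactly the post's situation.
SAMPLE_LS_Z = [
    "system_u:object_r:etc_t:s0 /etc/hosts",
    "system_u:object_r:tmp_t:s0 /etc/services",
    "user_u:object_r:tmp_t:s0 /tmp/services",
]
```

Running `find_mislabeled(RULES, SAMPLE_LS_Z)` flags only /etc/services, and `restore_commands` turns that into the single restorecon call that would have fixed the box.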

Sheesh.

How was your day? :-)

Centralized Authentication

2007/05/14 00:48:00

Yip, I’m still alive.

I am a computer geek.

I do computer geek things.

After all of the work on the house for the past few months, I needed to engage in a geeky project, something that would benefit my network. Something that has plagued me since my server rebuild has been the lack of a centralized authentication scheme for my network. LDAP, of course, was the choice I had made, but understanding what was going on would take longer than just setting it up.

Tonight, I have published a brief article entitled “SSL LDAP Server on CentOS 5” which details how to set up the LDAP server portion of the authentication system. Soon I will include an article on the client end. One will be for CentOS and the final one will be for Windows, which can use pGina to load an LDAP module and authenticate (I found that to be very cool).

It wasn’t enough for me to just have centralized authentication. If that were all I needed, I would have used NIS. I wanted encryption so that any rogue program or user on my small home network would not be able to sniff my passwords off the wire. Paranoid? Yes, yes I am, but not enough to use Kerberos yet. I also wanted something that pGina would work with. Many factors had to be considered for my authentication scheme, including brief experiments with Samba and Microsoft Active Directory.

I also wanted to know how this all worked for work. What good is a security person who doesn’t understand how the technology works? I don’t know. There are too many of those. Maybe I can make things better by trying to be one that does, in some way, know how the tech works. It’s a goal. :-)