[OpenSIPS-Users] get error with opensip-cp on centos 5

Dave Singer dave.singer at wideideas.com
Mon Sep 20 23:21:12 CEST 2010


Setting setenforce 0 is only active for the current running session of the
server. The problem will be back after the reboot.
While that is fine to temporarily do that to see if SELinux is the thing
blocking, it is generally very bad to use that to solve the problem and you
definitely wouldn't want to have it like that on a production environment.
I have been getting more and more frustrated with SELinux "silently"
blocking things. I really need to take some time and understand how to
properly make use of it and work with it. Command restorecon can be a life
saver. Look up how to use it.

A good quote from another forum. It is about an apache cgi script but the
SELinux stuff is very relevant:

It is a security risk that someone could alter the script and do
something you didn't intend as root.
I would suggest *at*most* setting "SELINUX=permissive" in
/etc/selinux/config. Then you'll still have a log of all the things
that shouldn't have happened, if you ever need to look.
A better option would be extract the AVC denials from the log file and
run them through audit2allow to create a policy you could incorporate
into the running SELinux policy. Do that as often as you need to
address all the denials that are stopping your script from working.
The best option is, as other posters have suggested, figure out why
your application architecture is screwed up so much that it only works
if it runs as root, then fix it. SELinux basically fulfills two
security functions. It stops bad people from doing bad things, and it
stops foolish people from doing stupid things. Sometimes it needs
tuning, but if you just shut it off, it can't do anything for you.


On Tue, Sep 14, 2010 at 3:44 AM, ha do <haloha201 at yahoo.com> wrote:

> if someone else got the same problem with me, to solve the issue please
> follow
> the link
>
> http://lists.opensips.org/pipermail/users/2010-June/013139.html
>
> Thank you
> Ha`
>
>
>
> ----- Original Message ----
> From: ha do <haloha201 at yahoo.com>
> To: OpenSIPS <users at lists.opensips.org>
> Sent: Tue, September 14, 2010 11:12:47 AM
> Subject: [OpenSIPS-Users] get error  with opensip-cp on centos 5
>
> Hi all
>
> i try to use the opensips-cp 4:
> i login to the web page http://192.168.1.100/cp successfully
>
> the menu Admin + User are working properly
> but the system menu does not work
> i get the error on the webpage:
>
> sorry -- cannot open write fifo
>
> and this is the error in debug message :
> Sep 14 00:10:42 localhost kernel: type=1400 audit(1284437442.630:49): avc:
> denied  { getattr } for  pid=2093 comm="httpd" path="/tmp/opensips_fifo"
> dev=dm-0 ino=884744 scontext=root:system_r:httpd_t:s0
> tcontext=root:object_r:tmp_t:s0 tclass=fifo_file
>
>
> i did set fifo_mode, 0666 in opensips.cfg
>
> please help, what should i do to resolve problem
>
> Thank you
> Ha`
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
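
An added example, not part of the original messages and not audit2allow's own code: a small Python parser that reads AVC denials like the one quoted in this thread and merges them into the kind of allow rule audit2allow would propose, so the rule can be read before any policy is loaded. The second and third sample log lines and the GENERIC_TYPES list are constructed for the example.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)'
                    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Catch-all labels where an allow rule covers far more than the one file.
# Illustrative list chosen for this example, not taken from any tool.
GENERIC_TYPES = {"tmp_t", "var_t"}

# First line: the denial quoted in the thread, unwrapped onto one line.
# Second and third lines: constructed for this example.
SAMPLE_LOG = (
    'Sep 14 00:10:42 localhost kernel: type=1400 audit(1284437442.630:49): avc: '
    'denied  { getattr } for  pid=2093 comm="httpd" path="/tmp/opensips_fifo" '
    'dev=dm-0 ino=884744 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:object_r:tmp_t:s0 tclass=fifo_file\n'
    'Sep 14 00:10:43 localhost kernel: type=1400 audit(1284437443.100:50): avc: '
    'denied  { write } for  pid=2093 comm="httpd" path="/tmp/opensips_fifo" '
    'dev=dm-0 ino=884744 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:object_r:tmp_t:s0 tclass=fifo_file\n'
    'Sep 14 00:10:44 localhost httpd: unrelated line, ignored by the parser\n'
)

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Extract permissions, source/target types and class from one denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": m["perms"].split(), "source": se_type(m["scon"]),
            "target": se_type(m["tcon"]), "tclass": m["tclass"]}

def allow_rules(log_text):
    """Merge denials per (source, target, class) into allow-rule text."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        note = "  # generic target type" if tgt in GENERIC_TYPES else ""
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};{note}")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

A rule against tmp_t applies to every FIFO carrying that label, not only /tmp/opensips_fifo, so read the generated rule before loading it.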