SELinux at last

Welp, after my training at LISA I finally got to start using SELinux. I was setting up a CentOS server with Mascot, search engine software for mass spectrometer software, and I thought I'd give it a try.

Mostly it turned out to be simple -- semanage fcontext to add some new httpd-friendly locations where the software had been installed, restorecon to set the labels. One thing that did take some tracking down was digging up exactly what this meant:

type=AVC msg=audit(1259021236.914:280): avc:  denied  { execstack}
for  pid=6845 comm="ld-linux-x86-64"
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process

This happened when the install script tested Perl to make sure everything was okay.

As described by Dan Walsh and Ulrich Drepper, this means that the Perl executable was marked as needing an executable stack. Not only is this a Bad Thing(tm), it's not usually necessary these days (what with the Internet and all). execstack -c cleared the flag, and things appeared to work after that; it was right at the end of the day, though, so it's possible problems will show up today.
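As an added example (not from the original post), here is a small Python script that parses an AVC line of the kind quoted above and reads the PT_GNU_STACK flag that execstack -c clears, reporting it the way execstack -q does. The AVC sample and the tiny ELF64 builder are constructed here so it runs offline; nothing in it is Mascot's or the install script's code.

```python
import re
import struct

# Constructed AVC line in the same format the post quotes (not a real capture).
AVC_SAMPLE = ('type=AVC msg=audit(1259021236.914:280): avc:  denied  { execstack } '
              'for  pid=6845 comm="ld-linux-x86-64" '
              'scontext=user_u:system_r:httpd_sys_script_t:s0 '
              'tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process')

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
                    r'\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return verdict, permission list and the key=value fields of an AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest'))}
    fields['verdict'] = m.group('verdict')
    fields['perms'] = m.group('perms').split()
    return fields

def is_execstack_denial(line):
    """True when the record is a denied execstack on a process, the case seen in the post."""
    d = parse_avc(line)
    return bool(d) and d['verdict'] == 'denied' and 'execstack' in d['perms'] \
        and d.get('tclass') == 'process'

PT_GNU_STACK, PF_X = 0x6474e551, 0x1

def gnu_stack_flag(elf):
    """Mirror execstack -q: 'X' executable stack, '-' non-executable, '?' no PT_GNU_STACK."""
    if elf[:4] != b'\x7fELF' or elf[4] != 2:      # ELFCLASS64 only, for brevity
        raise ValueError('not an ELF64 image')
    end = '<' if elf[5] == 1 else '>'              # EI_DATA: 1 = little-endian
    e_phoff, = struct.unpack_from(end + 'Q', elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + 'HH', elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + 'II', elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return 'X' if p_flags & PF_X else '-'
    return '?'   # absent header: the kernel falls back to an executable stack on x86-64

def make_elf64(stack_flags=None):
    """Build a minimal constructed ELF64 image, optionally with one PT_GNU_STACK header."""
    phnum = 0 if stack_flags is None else 1
    img = b'\x7fELF' + bytes([2, 1, 1, 0]) + bytes(8)          # class64, LE, version 1
    img += struct.pack('<HHIQQQIHHHHHH', 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    if phnum:
        img += struct.pack('<IIQQQQQQ', PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return img
```

On a real system, feed gnu_stack_flag() the bytes of the Perl binary that triggered the denial; 'X' or '?' is what the httpd_sys_script_t policy is refusing.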

And then when I got home...it was wonderful. The kids'd had two-hour naps each, there was a wild rice casserole in the oven (The Cheese Fairy is always amazing), and my parents had sent the kids a calendar full of pictures of Canadian wildlife. I got to tell Trombone how the beaks of different birds (great blue heron, snowy owl, cardinal) were adapted for eating different things; I think he was interested, and that was just flat out fascinating. Ah, domestic bliss.