Displaying 15 results from an estimated 15 matches for "sysfs_t".
2014 Dec 05
2
Postfix avc (SELinux)
...there is but. . .
>>
> Anyone see any problem with generating a custom policy consisting of the
> following?
>
> grep avc /var/log/audit/audit.log | audit2allow
>
>
> #============= amavis_t ==============
> allow amavis_t shell_exec_t:file execute;
> allow amavis_t sysfs_t:dir search;
>
> #============= clamscan_t ==============
> allow clamscan_t amavis_spool_t:dir read;
In the latest rhel6 policies amavis_t and clamscan_t have been merged
into antivirus_t? Is your selinux-policy up 2 date?
> #============= logwatch_mail_t ==============
> allow logwa...
2020 Feb 26
3
CentOS 7 : SELinux trouble with Fail2ban
...'f2b/server' --raw | sudo audit2allow -M my-f2bserver
> $ sudo semodule -i my-f2bserver.pp
>
> I'm not sure with SELinux.
https://bugzilla.redhat.com/show_bug.cgi?id=1777562
This bug was posted earlier. Sadly, it was closed WONTFIX, but the policy you need is:
allow fail2ban_t sysfs_t:file { getattr open read };
allow fail2ban_t sysctl_net_t:dir { search };
allow fail2ban_t sysctl_net_t:file { getattr open read };
Honestly, if this really affects all users of fail2ban, I'll probably push back on the ticket to get it updated. I've successfully had the policy updated to handle i...
2014 Dec 12
0
More avc's wrt to email
...amav I seem to be detecting
more avc's. It may be that it is because I am looking for them more
frequently but it seems to me that something has happened external to my
control.
The most recent things I see are these:
audit2allow -l -a
#============= amavis_t ==============
allow amavis_t sysfs_t:dir read;
allow amavis_t sysfs_t:file open;
#============= clamscan_t ==============
#!!!! The source type 'clamscan_t' can write to a 'dir' of the following types:
# clamscan_tmp_t, clamd_var_lib_t, tmp_t, root_t
allow clamscan_t amavis_spool_t:dir write;
#============= postfix_...
2020 Apr 09
2
fail2ban firewalld problems with current CentOS 7
...garding selinux and fail2ban.
After several iterations with fail2ban restart, ausearch and audit2allow like this:
ausearch -c 'f2b/server' --raw | audit2allow -M f2b-addon
I came up with a SELinux module like that:
module f2b-addon 1.0;

require {
    type sysctl_net_t;
    type sysfs_t;
    type fail2ban_t;
    class file { getattr open read };
    class dir search;
}
#============= fail2ban_t ==============
#!!!! This avc is allowed in the current policy
allow fail2ban_t sysctl_net_t:dir search;
#!!!! This avc is allowed in the current policy
allow fail2ban_t sysc...
2020 Apr 17
2
[SOLVED] fail2ban firewalld problems with current CentOS 7
On 13/04/20 1:30 pm, Orion Poplawski wrote:
> On 4/9/20 6:31 AM, Andreas Haumer wrote:
> ...
>> I'm neither a fail2ban nor a SELinux expert, but it seems the
>> standard fail2ban SELinux policy as provided by CentOS 7 is not
>> sufficient anymore and the recent updates did not correctly
>> update the required SELinux policies.
>>
>> I could report this
2014 Dec 04
3
Postfix avc (SELinux)
I am seeing these avc messages on a newly commissioned and up-to-date CentOS-6
virtual guest:
----
time->Thu Dec 4 12:14:58 2014
type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2
success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698
pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=2784 comm="trivial-rewrite"
2018 Mar 06
3
Re: virt-v2v 1.38 fails to convert .vmx VM: setfiles ... Multiple same specifications for /.*.
> -----Original Message-----
> From: Richard W.M. Jones [mailto:rjones@redhat.com]
> Sent: Tuesday, March 6, 2018 11:49 AM
> To: Зиновик Игорь Анатольевич <ZinovikIA@nspk.ru>
> Cc: libguestfs@redhat.com
> Subject: Re: [Libguestfs] virt-v2v 1.38 fails to convert .vmx VM: setfiles ...
> Multiple same specifications for /.*.
>
> On Tue, Mar 06, 2018 at 08:40:51AM
2020 Apr 09
2
fail2ban firewalld problems with current CentOS 7
...'openvpn' started
[...]
BUT: SELinux complains about fail2ban:
type=AVC msg=audit(1586413496.76:53507): avc: denied { read } for pid=1324 comm="f2b/f.apache" name="disable" dev="sysfs" ino=1481 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
So it seems somehow fail2ban does not add the required ip sets correctly.
From what I see in firewalld logfile it seems these problems started after the last updates on April 2nd.
On this day I did a "yum update" which executed without errors and installed:...
2014 Dec 04
0
Postfix avc (SELinux)
...ded to handle this? I could not find one if there is but. . .
>
Anyone see any problem with generating a custom policy consisting of the
following?
grep avc /var/log/audit/audit.log | audit2allow
#============= amavis_t ==============
allow amavis_t shell_exec_t:file execute;
allow amavis_t sysfs_t:dir search;
#============= clamscan_t ==============
allow clamscan_t amavis_spool_t:dir read;
#============= logwatch_mail_t ==============
allow logwatch_mail_t usr_t:lnk_file read;
#============= postfix_master_t ==============
allow postfix_master_t tmp_t:dir read;
#============= postfix_po...
2014 Dec 05
0
Postfix avc (SELinux)
...Anyone see any problem with generating a custom policy consisting of the
>> following?
>>
>> grep avc /var/log/audit/audit.log | audit2allow
>>
>>
>> #============= amavis_t ==============
>> allow amavis_t shell_exec_t:file execute;
>> allow amavis_t sysfs_t:dir search;
>>
>> #============= clamscan_t ==============
>> allow clamscan_t amavis_spool_t:dir read;
> In the latest rhel6 policies amavis_t and clamscan_t have been merged
> into antivirus_t? Is your selinux-policy up 2 date?
Yes, everything is up-to-date as of the time...
2015 Oct 27
0
CentOS-6.6 SELinux questions
...ailman mailing lists. It also has a slave
named service.
while tracking down a separate problem I discovered these avc
anomalies and ran audit2allow to see what was required to eliminate
them. All the software is either from CentOS or EPEL.
#============= amavis_t ==============
allow amavis_t sysfs_t:dir open;
#============= clamd_t ==============
allow clamd_t sysctl_vm_t:dir search;
#============= mailman_mail_t ==============
#!!!! The source type 'mailman_mail_t' can write to a 'dir' of the
following types:
# mailman_log_t, mailman_data_t, mailman_lock_t, mailman_archive_t...
2020 Feb 26
0
CentOS 7 : SELinux trouble with Fail2ban
...-M my-f2bserver
> > $ sudo semodule -i my-f2bserver.pp
> >
> > I'm not sure with SELinux.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1777562
> This bug was posted earlier. Sadly, it was closed WONTFIX, but the policy
> you need is:
>
> allow fail2ban_t sysfs_t:file { getattr open read };
> allow fail2ban_t sysctl_net_t:dir { search };
> allow fail2ban_t sysctl_net_t:file { getattr open read };
> Honestly, if this really affects all users of fail2ban, I'll probably push
> back on the ticket to get it updated. I've successfully had the policy
...
2014 Dec 11
0
CentOS-6 Another email related AVC
...ss for now by executing:
# grep amavisd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
[root@inet18 ~ (master #)]# grep amavisd /var/log/audit/audit.log | audit2allow
#============= amavis_t ==============
allow amavis_t shell_exec_t:file { read open };
allow amavis_t sysfs_t:file read;
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
C...
2009 Jul 10
6
DO NOT REPLY [Bug 6546] New: lremovexattr problems
https://bugzilla.samba.org/show_bug.cgi?id=6546
Summary: lremovexattr problems
Product: rsync
Version: 3.0.6
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P3
Component: core
AssignedTo: wayned@samba.org
ReportedBy: Dave@Yost.com
QAContact:
2020 Feb 26
5
CentOS 7 : SELinux trouble with Fail2ban
Hi,
Some time ago I had SELinux problems with Fail2ban. One of the users on this
list suggested that it might be due to the fact that I'm using a bone-headed
iptables script instead of FirewallD.
I've spent the past few weeks getting up to date with doing things in a more
orthodox manner. So currently my internet-facing CentOS server has a nicely
configured NetworkManager, and