search for: system_u

[root at ipa tftpboot]# semanage fcontext -l | grep tftp /tftpboot directory system_u:object_r:tftpdir_t:s0 /tftpboot/.* all files system_u:object_r:tftpdir_t:s0 /usr/sbin/atftpd regular file system_u:object_r:tftpd_exec_t:s0 /usr/sbin/in\.tftpd regular file system_u:object_r:tftpd...

Hello, After updating to CentOS-5.7, I have a (small) problem : The context of /dev/megadev0 is now defined (in /etc/selinux/targeted/contexts/files/file_contexts) as system_u:object_r:removable_device_t:s0. This cause smartmontools to fail : avc: denied { read write } for pid=2847 comm="smartd" name="megadev0" dev=tmpfs ino=8284 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=chr_file Chan...

...images out of /var/lib/libvirt/images/. http://libvirt.org/drvqemu.html#securityselinux is saying that "If attempting to use disk images in another location, the user/administrator must ensure the directory has be given this requisite label. Likewise physical block devices must be labelled system_u:object_r:virt_image_t.". So did I: [root at vpl2 ~]# ls -dlZ /home/aik/virtimg /var/lib/libvirt/images drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /home/aik/virtimg drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images [root at vpl2 ~]# ls -lZ /home/aik...

...quota.user [root at CentOS active]# restorecon /var/spool/cron/aquota.user restorecon:? Warning no default label for /var/spool/cron/aquota.user Semanage reports this [root at CentOS active]#? semanage fcontext -l|grep quota /a?quota\.(user|group)???????????????????????????? regular file?????? system_u:object_r:quota_db_t:s0 /boot/a?quota\.(user|group)??????????????????????? regular file?????? system_u:object_r:quota_db_t:s0 /etc/a?quota\.(user|group)???????????????????????? regular file?????? system_u:object_r:quota_db_t:s0 /sbin/quota(check|on)????????????????????????????? regular file?????? sy...

I am installing a new Samba 4.2 Active Directory server on CentOS 7. I followed the Wiki instructions on how to create the server. I am using sernet-samba 4.2 binaries. Everything seems to be OK on the Linux side but I cannot get any windows client to successfully join the domain. Each attempt returns the following error message "RPC Server in not available". Below are the config file

Hi, since 4.12 Samba SELinux context for /var/run/samba is not correct anymore: ``` root at files:~ # ls -la -Z /var/run/samba/ total 12 drwxr-xr-x. 5 root root system_u:object_r:var_run_t:s0 160 Apr 3 20:42 . drwxr-xr-x. 30 root root system_u:object_r:var_run_t:s0 1000 Apr 3 18:39 .. drwxr-xr-x. 3 root root system_u:object_r:var_run_t:s0 60 Apr 3 18:39 ncalrpc drwxr-xr-x. 2 root root system_u:object_r:var_run_t:s0 60 Apr 3 18:39 nmbd -rw-r--r--. 1...

Hi all, I have some AVC in the logs and wonder how to resolve this: Under EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs. # tail -1 /etc/fstab tmpfs /var/lib/php/session tmpfs defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0" 0 0 # df -a |grep php tmpfs 16384 0 16384 0% /var/lib/php/session # ls -laZ /var/lib/php/session insgesamt 0 drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24. Jul 15:36 . drwxr-xr-x. 6 root root system_u:object_...

...r the system has come up completely it works fine. Here are all the messages from /var/log/messages that are SElinux related: May 28 21:39:15 srsblnfw01 kernel: audit(1180381151.395:10): avc: denied { use } for pid=3012 comm="openvpn" name="null" dev=tmpfs ino=1396 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=fd May 28 21:39:15 srsblnfw01 kernel: audit(1180381151.395:11): avc: denied { use } for pid=3012 comm="openvpn" name="null" dev=tmpfs ino=1396 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:p...

...es until you confirm that you've > found one (or a minimal combination) of rules that is causing dovecot > to crash and log a backtrace. Here are the messages I got: type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1 type=AVC msg=audit(1493361695.041:49205): avc: denied { siginh } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cle...

...to KVM guest (whole disks, not partitions; needed to use zfs (zfsonlinux) benefit features). Problem is that disks (files in /dev) which attached to KVM guest has SELinux context which inaccessible from context of smartd process. [root at srv-1.home ~]# ls -laZ /dev/sd{a..f} brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd brw-rw----. qemu qemu system_u:obj...

...;-) [0] https://bugzilla.redhat.com/show_bug.cgi?id=429252 [1] https://www.centos.org/forums/viewtopic.php?t=21040 type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) ses=1 comm="zebra" exe=&quo...

...isk images. It even accepts addition of disk images of other guest running on the host. Steps followed to create this scenario : Started two VMs with following security configurations: vm1: <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c219,c564</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c219,c564</imagelabel> </seclabel> vm2 : <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c122,c658...

.../usr/bin/xauth nmerge - But when SELinux is in enforcing mode on Server, the commands fail with this message : bash: /usr/bin/xauth: Permission denied and /var/log/audit/audit.log shows the following errors : type=SELINUX_ERR msg=audit(1326381080.364:610): security_compute_sid: invalid context system_u:system_r:xauth_t:s0-s0:c0.c1023 for scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process type=AVC msg=audit(1326381080.364:610): avc: denied { write } for pid=3487 comm="xauth" path="pipe:[21744]" dev=pipefs ino=217...

On Tue, Mar 14, 2017 at 02:46:19PM -0400, Ron Wheeler wrote: > https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html > > If disabling Selinux solves your problem, then your problem may be related > to Selinux. > If it does not change yout problem, you may want to look

I'm trying to set the context on an nfs mounted /home. I believe exactly like in Redhat's Deployment Guide at http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/ch45s02s03.html On my system running CentOS 5.2: $ ls -alZ /home drwxr-xr-x root root system_u:object_r:home_root_t . drwxr-xr-x root root system_u:object_r:root_t .. $ mount -t nfs -o context=user_u:object_r:user_home_dir_t \ server001a:/vol/vol01/home /home $ ls -alZ /home drwxrwxr-x root root system_u:object_r:nfs_t . drwxr-xr-x root root...

...3002F7573722F73686172652F746F722F6465666175 6C74732D746F727263002D66002F6574632F746F722F746F727263002D2D76657269667 92D636F6E666967 type=PATH msg=audit(1539540150.692:60570): item=0 name="/var/lib/tor/hidden_service/" inode=201616393 dev=fd:02 mode=040700 ouid=494 ogid=490 rdev=00:00 obj=system_u:object_r:tor_var_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=CWD msg=audit(1539540150.692:60570): cwd="/" type=SYSCALL msg=audit(1539540150.692:60570): arch=c000003e syscall=2 success=no exit=-13 a0=562d3767da80 a1=20000 a2=0 a3=1 it...

...AVC in the logs and wonder how to resolve this: Under >> EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs. >> >> >> # tail -1 /etc/fstab >> tmpfs /var/lib/php/session tmpfs >> defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0" >> >> 0 0 >> >> # df -a |grep php >> tmpfs 16384 0 16384 0% /var/lib/php/session >> >> # ls -laZ /var/lib/php/session >> insgesamt 0 >> drwxrwx---. 2 root apache system_u:object_r:htt...

On 04/26/2017 12:29 AM, Robert Moskowitz wrote: > But the policy generates errors. I will have to submit a bug report, > it seems A bug report would probably be helpful. I'm looking back at the message you wrote describing errors in ld-2.17.so. I think what's happening is that the policy on your system includes a silent rule that somehow breaks your system. You'll need

...ar 15 09:39 /var/lib/asterisk/astdb.sqlite3 > > > [root at localhost ~]# tail -f /var/log/audit/audit.log > type=AVC msg=audit(1489588773.253:1171): avc: denied { read } for pid=3838 comm="asterisk" name="astdb.sqlite3" dev="dm-0" ino=100884225 scontext=system_u:system_r:asterisk_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file > type=SYSCALL msg=audit(1489588773.253:1171): arch=c000003e syscall=2 success=no exit=-13 a0=aa5080 a1=80000 a2=1a4 a3=aa5080 items=0 ppid=1485 pid=3838 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0...

Hi?all? the problem came out when selinux was enforced in targeted+MCS I start lxc through virsh???virsh -c lxc:/// start instance-00004bd6? 1. When selinux is Permissive?lxc start is ok The result of ?Ps auxZ? is? system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 19218 0.0 0.0 47624 1244 ? Ss 15:26 0:00 /usr/libexec/libvirt_lxc --name system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19219 0.3 0.0 19276 1532 ? Ss 15:26 0:00 /sbin/init system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19406 0.0 0.0 1774...