Displaying 20 results from an estimated 26 matches for "add_nam".

Did you mean: add_name
2019 Dec 02
0
SELinux is preventing 11-dhclient from add_name access on the directory chrony.servers.wlp8s0.
SELinux is preventing 11-dhclient from add_name access on the directory chrony.servers.wlp8s0. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that 11-dhclient should be allowed add_name access on the chrony.servers.wlp8s0 directory by default. Then you should report this as a bug. You can generate...
2016 Feb 29
0
Odd selinux complaints on new, fully updated CentOS 7
Just installed 7.2, and I'm seeing this - is this a bug in the policy? ************************** SELinux is preventing systemd-readahe from add_name access on the directory .readahead.new. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow systemd-readahe to have add_name access on the .readahead.new directory Then you need to change the label on .readahead.new Do # semanage fcontext -a -t FIL...
2009 Apr 15
2
SELinux and "i_stream_read() failed: Permission denied"
...t; type usr_t; type user_home_dir_t; type user_home_t; type var_log_t; class capability { sys_nice chown }; class file { append create execute execute_no_trans \ getattr ioctl link lock read rename setattr write unlink }; class dir { add_name getattr create read remove_name \ rename write search setattr rmdir }; class fifo_file { getattr write }; class filesystem getattr; class sock_file write; class unix_stream_socket { connectto getattr read write }; } #============= dovecot_t ==============...
2017 Apr 25
2
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...type dovecot_auth_t; type postgresql_port_t; type dovecot_t; type var_t; type postfix_virtual_tmp_t; class tcp_socket name_connect; class file { rename read lock create write getattr link unlink open append }; class dir { read write create add_name remove_name }; } #============= dovecot_auth_t ============== #!!!! This avc is allowed in the current policy allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect; #============= dovecot_t ============== #!!!! This avc is allowed in the current policy allow dovecot_t postfix_virtual_...
2009 Oct 04
2
deliver stopped working
...lass tcp_socket { name_bind name_connect }; class file { rename execute read lock create ioctl execute_no_trans write getattr link unlink }; class sock_file { setattr create write getattr unlink }; class lnk_file { read getattr }; class dir { search setattr read create write getattr remove_name add_name }; } #============= clamd_t ============== allow clamd_t proc_t:file { read getattr }; allow clamd_t sysctl_kernel_t:dir search; allow clamd_t sysctl_kernel_t:file read; allow clamd_t var_t:dir read; allow clamd_t var_t:file { read getattr }; #============= dovecot_auth_t ============== allow do...
2006 Aug 10
4
exporting vcards from rails
i'm doing a site for someone that has a form set up to collect contact information from the user. i installed the vpim gem and was hoping to give my client a way to download all of the contact's information as a vcard. using the examples, i was able to get it working in ruby, but i'm not quite sure how to generate and download a vcard on the fly. has anyone done
2017 Apr 25
0
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...tgresql_port_t; > type dovecot_t; > type var_t; > type postfix_virtual_tmp_t; > class tcp_socket name_connect; > class file { rename read lock create write getattr link unlink > open append }; > class dir { read write create add_name remove_name }; > } > > #============= dovecot_auth_t ============== > > #!!!! This avc is allowed in the current policy > allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect; > > #============= dovecot_t ============== > > #!!!! This avc is allowed in the c...
2008 Dec 06
0
Trying to set a selinux policy to Nagios 3.0.6 on CentOS 5.2.
...semanage_link_sandbox: Link packages failed semodule: Failed! # cat nagios.te module nagios 1.0; require { type nagios_t; type sbin_t; type ping_t; type initrc_var_run_t; type var_t; type httpd_nagios_script_t; class dir { read write search add_name remove_name }; class fifo_file { write getattr read create }; class file { rename setattr read create write getattr unlink }; } #============= httpd_nagios_script_t ============== allow httpd_nagios_script_t var_t:fifo_file { write getattr }; allow httpd_nagios_script_t var_t:file...
2012 Nov 22
0
Still cannot manage folders through Samba4 with SELinux samba_export_all_rw enabled
...noxattrfs : dir { getattr search open } ; [ samba_export_all_rw ] DT allow smbd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ] DT allow smbd_t non_security_file_type : dir { ioctl read write getattr lock add_name remove_name search open } ; [ samba_export_all_rw ] DT allow smbd_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ samba_export_all_rw ] DT allow nmbd_t noxattrfs : file { ioctl read getattr lock open } ; [ samba_export_all_rw ]...
2007 Jul 19
1
semodule - global requirements not met
...inux enforcing back on again. I've done the usual- - grab a chunk of the audit.log that is relevant to all the actions that would be denied. - do 'cat audit.log | audit2allow -M amavis' to generate the module - amavis.te looks like: module amavis 1.0; require { class dir { add_name getattr read remove_name search write }; class file { create execute execute_no_trans getattr lock read rename unlink write }; class filesystem getattr; class lnk_file read; type amavis_t; type fs_t; type mqueue_spool_t; type sbin_t;...
2012 Oct 02
1
SELinux, Amavis, Clamav
...rule to allow clamav to access amavis files # and writes back ok file and may create temp folder module clamscanamavis 1.0; require { type clamscan_t; type amavis_var_lib_t; class file {getattr read open write create unlink}; class dir {search read getattr open write add_name create setattr remove_name rmdir}; } allow clamscan_t amavis_var_lib_t:file {getattr read open write create unlink}; allow clamscan_t amavis_var_lib_t:dir {search read getattr open write add_name create setattr remove_name rmdir}; -EOF- * checkmodule -M -m -o se_clamav_amavis.mod se_clamav_amavis...
2012 Jun 15
1
Puppet + Passenger SELinux issues
...ccept read write }; class capability { sys_resource sys_ptrace }; class file { entrypoint open create relabelfrom relabelto getattr setattr read write append ioctl lock rename link unlink }; class lnk_file { getattr read }; class udp_socket name_bind; class dir { getattr setattr add_name remove_name search open read write ioctl lock }; } #============= httpd_t ============== allow httpd_t port_t:udp_socket name_bind; allow httpd_t proc_net_t:file { read getattr open }; allow httpd_t bin_t:file entrypoint; allow httpd_t passenger_t:process sigchld; allow httpd_t passenger_t:uni...
2006 Jun 07
1
Apache php and exim
...ys_script_t tclass=capability audit(1149668677.209:14): avc: denied { write } for pid=29159 comm="sendmail" name="input" dev=dm-3 ino=1335707 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir audit(1149668677.209:15): avc: denied { add_name } for pid=29159 comm="sendmail" name="1FntLB-0007aJ-6i-D" scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir Maybe there should be a context change to some mta specific context during the execution of /usr/sbin/sendmail. ls -Z /usr/...
2014 Mar 05
2
CentOS 5 + Quagga + SELinux
...awesome if upstream included policies for quagga since quagga is software they package. Maybe Dan Walsh will hop in on this. ;-) [0] https://bugzilla.redhat.com/show_bug.cgi?id=429252 [1] https://www.centos.org/forums/viewtopic.php?t=21040 type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 p...
2016 Sep 16
0
SELinux module
...this: > > > > [root@ selinux]# cat mkhomedir_nfs.te > > > > module mkhomedir_nfs 1.0; > > > > require { > > type oddjob_mkhomedir_t; > > type nfs_t; > > class file { write create open setattr }; > > class dir { write create add_name setattr }; > > } > > > > #============= oddjob_mkhomedir_t ============== > > > > #!!!! This avc is allowed in the current policy > > allow oddjob_mkhomedir_t nfs_t:dir { write create add_name setattr }; > > > > #!!!! This avc is allowed in the curre...
2007 Jun 12
1
Selinux custom policy issue - Centos 5
...And my local.te contains (selected portions only for now): module local 1.1; require { ... <various normal requires> ... } type blast_req_t,file_type; allow httpd_sys_script_t blast_req_t:file { create getattr write}; allow httpd_sys_script_t blast_req_t:dir { read getattr lock search ioctl add_name write }; ...etc So, looks like I need to do something else, possibly in my local.fc. However, my google-fu is not strong enough to find any actual examples of successful custom file context type creation/installation using selinux modules. I suspect something simple, but haven't a clue wha...
2016 Sep 16
2
SELinux module
...khomedir,oddjob_mkhomedir_t,nfs_t,file,setattr I then created the module and the te file says this: [root@ selinux]# cat mkhomedir_nfs.te module mkhomedir_nfs 1.0; require { type oddjob_mkhomedir_t; type nfs_t; class file { write create open setattr }; class dir { write create add_name setattr }; } #============= oddjob_mkhomedir_t ============== #!!!! This avc is allowed in the current policy allow oddjob_mkhomedir_t nfs_t:dir { write create add_name setattr }; #!!!! This avc is allowed in the current policy allow oddjob_mkhomedir_t nfs_t:file { write create open setattr };...
2017 Apr 07
3
SELinux policy to allow Dovecot to connect to Mysql
I have been getting the following on my new mailserver: Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry They go away when I setenforce 0. So I googled dovecot mysql selinux and the only worthwhile hit was:
2016 Jul 06
2
How to have more than one SELinux context on a directory
...t. Eg # sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; allo...
2006 Apr 11
4
Vpim::Vcard Line Breaks
...this conversation over to vpim-talk, so we don't take up the attention of the entire ruby world. :-) Here's an example of encoding a multiline street with vpim-0.360: % cat ex_multiline.rb require 'vpim/vcard' card = Vpim::Vcard::Maker.make2 do |maker| maker.add_name do |name| name.prefix = 'Dr.' name.given = 'Jimmy' name.family = 'Death' end maker.add_addr do |addr| addr.preferred = true addr.location = 'work' addr.street = "12 Last Row,\n13th Section"...