search for: audit2allow

Displaying 20 results from an estimated 194 matches for "audit2allow".

2014 Apr 23
1
SELInux and POSTFIX
...********************* If you believe that smtp should be allowed read write access on the 546AA6099F file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep smtp /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp grep 546AA6099F /var/log/audit/audit.log | audit2why type=AVC msg=audit(1398199187.646:29332): avc: denied { getattr } for pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:p...
2015 May 09
1
Q: respecting .ssh/id_rsa
On 8 May 2015 20:41, "Conley, Matthew M CTR GXM" < matthew.m.conley1.ctr at navy.mil> wrote: > > chmod 0700 .ssh > chmod 0600 .ssh/* > > Keys can fail if you don't have that setup correctly. > Also do: > grep sshd /var/log/audit/audit.log| audit2allow -m sshd > # Will let you see what modules it will create. > grep sshd /var/log/audit/audit.log| audit2allow -M sshd > # Creates the modules > > semodule -i sshd.pp > > grep ssh /var/log/audit/audit.log| audit2allow -m ssh > # Will let you see what modules it will create. >...
2015 Jun 16
2
selinux allow apache log access
...s,. I have a centos 7 machine I'm using as a zabbix server. And I noticed that apache won't start, with this complaint in the error log: (13)Permission denied: AH00091: httpd: could not open error log file /var/log/zabbix_error_log. AH00015: Unable to open logs I tried having a look at audit2allow and this is the response I get back: [root at monitor2:/etc/httpd] #grep http /var/log/audit/audit.log | audit2allow #============= httpd_t ============== allow httpd_t zabbix_log_t:file open; How can I turn that bit of information into a rule that allows apache access to this zabbix log file?...
2015 Jun 17
2
selinux allow apache log access
> > Try something like: > grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix > semodule -i zabbix.pp Thanks for your response! However this is what happens when I try to install the module: [root at monitor2:~] #semodule -i zabbix.pp libsepol.print_missing_requirements: zabbix's global requirements were not met: type/attribute zabbix_t (No such file or...
2020 Feb 26
3
CentOS 7 : SELinux trouble with Fail2ban
...thon2.7 should be allowed read access on the disable file by default. >> Then you should report this as a bug. >> You can generate a local policy module to allow this access. >> Do >> allow this access for now by executing: >> # ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver >> # semodule -i my-f2bserver.pp >> Weirdly enough, when I follow this suggestion and then empty audit.log and restart my server, I still get the exact same error again. > > I reinstalled this server from scratch and took some notes. This time I was successful, th...
2017 Apr 25
5
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...provided below, how do I determine what is currently in > place and how do I add your stuff (changing postgresql with mysql, nat.) > > thanks Quick'n'(really) dirty SELinux howto: 1) Run the service. fails due to missing selinux policy. 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy 3) do what output says. (semodule -i myservice_policy.pp normally) 4) goto 1. That way, you'll create and allow step by step necessary rights so your service ends up running normally. The content I gave you is from mydovecot.te (human readable version of .pp created by audit2all...
2015 Jun 17
1
selinux allow apache log access
...[root at monitor2:~] #find / -name "myzabbix.*" >> >> I also did search using 'yum provides' to find something similar. But >> wasn't able to find anything. > What we're asking for is the contents of the .te file that is created > when you run audit2allow. > Go back to the original email and do what you were told # grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix # semodule -i myzabbix.pp You did audit2allow -M zabbix Which created zabbix.te and zabbix.pp, which is bad. It will attempt to replace the system module. If you use...
2020 Feb 26
5
CentOS 7 : SELinux trouble with Fail2ban
...ce) suggests ***** If you believe that python2.7 should be allowed read access on the disable file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver # semodule -i my-f2bserver.pp Weirdly enough, when I follow this suggestion and then empty audit.log and restart my server, I still get the exact same error again. Which makes Fail2ban unusable with SELinux in enforcing mode in the current state. Any suggestions? Niki -- Mic...
2010 Mar 19
0
How to disable selinux protection interfering with pppd? I tried audit2allow, but policy does not load. Is there an seboolean?
CentOS release 5.4 (Final) I run pppd on this system, it accepts dial-in connections, logs people in over ssh/sftp. I had selinux disabled on this system originally, but I recently enabled it, and selinux is blocking this pppd service. "audit2allow -M" has generated the following policy based on AVC denial messages: module fixdialinserver 1.0; require { type pppd_t; type shadow_t; type chkpwd_exec_t; class file { read execute }; class netlink_audit_socket create; } #============= pppd_t =======...
2012 Apr 24
0
About audit2allow generated rules
Hi, I have something in /var/log/audit/audit.log like: avc: denied { write } for pid=23739 comm="httpd" name="renderd.sock" dev=dm-0 ino=1183752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file use audit2allow it generates something like this: allow httpd_t var_run_t:sock_file write; Is the rule too liberal? That means httpd_t can write any var_run_t's sock_file? Or do I misunderstand something? Should it only allow httpd_t to write this specific render.sock file? If so, what's the right way...
2015 May 08
2
Q: respecting .ssh/id_rsa
On 5/8/2015 7:22 AM, Valeri Galtsev wrote: > On Fri, May 8, 2015 8:58 am, James B. Byrne wrote: >> While attempting to debug something else I ran across this: >> >> ssh -vvv somehost >> . . . >> debug1: Connection established. >> debug1: permanently_set_uid: 0/0 >> debug1: identity file /root/.ssh/identity type -1 >> debug1: identity file
2005 Nov 15
2
SELinux on CentOS4
...reading about SELinux on RedHat's web site I choose not to. Rather I discovered how to get immediate fixes to the SELinux permissions for specific programs applied to the host's local policy while seeking confirmation here and elsewhere as to whether the policy changes proposed by "audit2allow" made sense or should be adjusted. The process of reconfiguring the local policy for SELinux is in itself almost trivial, assuming that one has first installed the applicable selinux-policy-targeted-sources rpm package. One need only first establish that the problem is in fact caused by...
2019 Jan 18
1
SElinux AVC signull
Hi Leon, I don't have access to a CentOS 6.10 system handy, but it looks like a policy issue. If I take your ausearch output and pipe it to audit2allow on my CentOS 7.6 system, I get the following: #============= httpd_t ============== #!!!! This avc is allowed in the current policy allow httpd_t httpd_sys_script_t:process signull; Noting that on my 7.6 system with selinux enforcing with selinux policy packages at version 3.13.1-229, it notes t...
2015 Jan 19
2
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
...1421683972.786:4372): avc: denied { create } for pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. SELinux is preventing /sbin/iptables-multi-1.4.7 from search access on the directory . ***** Plugin catchall (100. confidence) suggests *************************** If you believe that iptables-multi-1.4.7 should be allowed search access on th...
2014 May 12
1
OpenDKIM and SELinux
...IM Milter: opendkim: /etc/opendkim.conf: refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied [FAILED] I check the permissions and ownership on the file and everything seems normal. I then checked audit2why and got this: audit2allow: error: no such option: -- [root at inet08 opendkim]# audit2why -l -a type=AVC msg=audit(1399898848.286:2317): avc: denied { dac_read_search } for pid=15213 comm="opendkim" capability=2 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tcl...
2006 Apr 18
3
SELinux modification
I installed SELinux in warn mode. How do I check to see what it is warning about? This will help me in making a decision to turn it to active mode..:) -- My "Foundation" verse: Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their
2007 Dec 08
9
distributing selinux policy module
Using audit2allow, I was able to create a policy module for selinux: audit2allow -i /var/log/audit/audit.log -M mysqld (creates mysqld.pp and mysqld.te) I want to distribute this to all my puppet clients. I can easily put this file in /etc/selinux/targeted/modules/active/modules But even after reboot, although...
2015 Jun 17
2
selinux allow apache log access
> > That's because there's already a zabbix module loaded (the message isn't > very informative!). I forgot that the received wisdom is to insert "my" in > front of one's own modules i.e.: > grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix > semodule -i myzabbix.pp Hmm no luck there either: [root at monitor2:~] #semodule -i myzabbix.pp *semodule: Failed on myzabbix.pp!* I also tried: [root at monitor2:~] #semodule -i my_zabbix semodule: Failed on my_zabbix! And [root at monitor2:~] #semodule -i my-zabbix semo...
2012 Apr 30
1
SELinux is preventing /usr/libexec/postfix/pickup from module_request
...************** If you believe that pickup should be allowed module_request access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pickup /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:postfix_pickup_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source pickup Source Path...
2015 Jun 17
2
selinux allow apache log access
> > Sorry, I didn't put that very clearly. Could you show us the contents of > myzabbix.te. No prob! Thanks for all the help! But in searching my system I don't find anything of the sort. [root at monitor2:~] #updatedb [root at monitor2:~] #locate myzabbix.te [root at monitor2:~] #find / -name "myzabbix.*" I also did search using 'yum provides' to find