Displaying 19 results from an estimated 19 matches for "chr_file".
2015 Dec 23
1
CentOS 7 pcp-pmda-nvidia-gpu SELinux problems
...;, restarting the PCP service, getting new SELinux errors, going back to step 1, I ended up with this content in the .te file:
"""
module doshea-selinux-pcp-pmda-nvidia-gpu 1.0;
require {
type xserver_misc_device_t;
type pcp_pmcd_t;
class capability sys_admin;
class chr_file { read write ioctl open };
}
#============= pcp_pmcd_t ==============
allow pcp_pmcd_t self:capability sys_admin;
#!!!! This avc is allowed in the current policy
allow pcp_pmcd_t xserver_misc_device_t:chr_file { read write ioctl open };
"""
I don't get why this worked 3 days a...
2008 Mar 03
1
Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...nodes( rawsox_t );
require {
type lib_t;
type ld_so_t;
type ld_so_cache_t;
type usr_t;
type devpts_t;
type rawsox_t;
type etc_t;
class lnk_file read;
class dir search;
class file { read getattr execute };
class chr_file { read write getattr };
class rawip_socket create;
class capability net_raw;
}
#============= rawsox_t ==============
allow rawsox_t devpts_t:chr_file { read write getattr };
allow rawsox_t etc_t:dir search;
allow rawsox_t ld_so_cache_t:file { read getattr };
allow rawsox_t ld_so_t:file r...
2007 Aug 16
1
SELinux questions, upon restarting BIND
...ool -P named_disable_trans=1."
The following command will allow this access:
setsebool -P named_disable_trans=1
Additional Information
Source Context user_u:system_r:named_t
Target Context system_u:object_r:tmpfs_t
Target Objects random [ chr_file ]
Affected RPM Packages bind-9.3.3-7.el5 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name...
2020 Jul 02
2
Re: Two questions about NVDIMM devices
Daniel P. Berrangé <berrange@redhat.com> writes:
> On Thu, Jul 02, 2020 at 01:21:15PM +0200, Milan Zamazal wrote:
>> Hi,
>>
>
>> I've met two situations with NVDIMM support in libvirt where I'm not
>> sure all the parties (libvirt & I) do the things correctly.
>>
>> The first problem is with memory alignment and size changes. In
2015 Jul 09
3
C-6.6 - sshd_config chroot SELinux issues
...Jul 9 09:22:43 inet02 setroubleshoot: SELinux is preventing
/usr/sbin/sshd from create access on the tcp_socket . For complete
SELinux messages. run sealert -l c5d4049e-cffb-4cfb-a243-135c7b297e8b
Jul 9 09:22:44 inet02 setroubleshoot: SELinux is preventing
/usr/sbin/sshd from open access on the chr_file 5. For complete
SELinux messages. run sealert -l d77a3254-8aba-4a13-bd78-0bcf14e67035
/var/log/secure
Jul 9 09:22:34 inet02 sshd[17681]: error: socket: Permission denied
Jul 9 09:22:34 inet02 sshd[17684]: error: /dev/pts/5: Permission denied
# grep sshd /var/log/audit/audit.log | audit2all...
2020 Jul 09
0
NVDIMM in devdax mode and SELinux (was: Two questions about NVDIMM devices)
...evice
in devdax mode:
type=AVC msg=audit(1594144691.758:913): avc: denied { map } for pid=21659 comm="qemu-kvm" path="/dev/dax0.0" dev="tmpfs" ino=1521557 scontext=system_u:system_r:svirt_t:s0:c216,c981 tcontext=system_u:object_r:svirt_image_t:s0:c216,c981 tclass=chr_file permissive=0
type=AVC msg=audit(1594144691.758:914): avc: denied { map } for pid=21659 comm="qemu-kvm" path="/dev/dax0.0" dev="tmpfs" ino=1521557 scontext=system_u:system_r:svirt_t:s0:c216,c981 tcontext=system_u:object_r:svirt_image_t:s0:c216,c981 tclass=chr_file...
2011 Nov 03
1
CentOS-5.7 + megaraid + SELinux : update problem
...s) as
system_u:object_r:removable_device_t:s0.
This cause smartmontools to fail :
avc: denied { read write } for pid=2847 comm="smartd"
name="megadev0" dev=tmpfs ino=8284
scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=chr_file
Changing the context (of megadev0) to fixed_disk_device_t solves the
problem, but is this the best solution ?
Thanks,
--
Philippe Naudin
UMR MISTEA : Mathématiques, Informatique et STatistique pour
l'Environnement et l'Agronomie
INRA, bâtiment 29 - 2 place Viala - 34060 Montpe...
2007 Mar 01
1
TDM400p Loaded only once
...agpgart: Putting AGP V2 device at 0000:01:00.0 into 1x mode
audit(1172747921.184:6): avc: denied { getattr } for pid=2323
comm="pam_console_app" name="card0" dev=tmpfs ino=7969
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0
tclass=chr_file
Zapata Telephony Interface Registered on major 196
Zaptel Version: 1.2.14
Zaptel Echo Canceller: KB1
and finally this is my configuration
fxsks=1-4
loadzone=us
defaultzone=us
2010 Jan 05
1
QEMU/KVM: SELinux denial on /dev/zero when starting a VM
...e file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:qemu_t:SystemLow-SystemHigh
Target Context system_u:object_r:zero_device_t
Target Objects /dev/zero [ chr_file ]
Source qemu-kvm
Source Path /usr/libexec/qemu-kvm
Port <Unknown>
Host alma
Source RPM Packages kvm-83-105.el5_4.13
Target RPM Packages
Policy RPM selinux-policy-2.4.6-255....
2015 Oct 09
2
CentOS-6 SSHD chroot SELinux problem
...(or turned off
altogether). This problem does not evidence itself unless the account
is chrooted.
The output from audit2allow is this:
sudo audit2allow -l -a
#============= chroot_user_t ==============
allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
allow chroot_user_t user_home_t:chr_file open;
#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the
following types:
# var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t,
syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile,
cluster_var_lib_t, cluster_var_run_t, root...
2008 Mar 07
1
Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...ld_so_t;
>> type ld_so_cache_t;
>> type usr_t;
>> type devpts_t;
>> type rawsox_t;
>> type etc_t;
>> class lnk_file read;
>> class dir search;
>> class file { read getattr execute };
>> class chr_file { read write getattr };
>> class rawip_socket create;
>> class capability net_raw;
>> }
>>
>> #============= rawsox_t ==============
>> allow rawsox_t devpts_t:chr_file { read write getattr };
>> allow rawsox_t etc_t:dir search;
>> allow raw...
2009 Nov 09
4
SELinux and KVM
...Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context
system_u:system_r:qemu_t:SystemLow-SystemHigh
Target Context system_u:object_r:clock_device_t
Target Objects rtc [ chr_file ]
Source qemu-system-x86
Source Path /usr/bin/qemu-system-x86_64
Port <Unknown>
Host inet02.hamilton.harte-lyne.ca
Source RPM Packages qemu-0.9.0-4
Target RPM Packages
Policy RPM...
2012 Nov 26
0
Installation and Setup of Samba4 AD DC on CentOS6
...ype named_t;
type named_var_run_t;
type ntpd_t;
type ntpd_var_run_t;
type smbd_t;
type samba_unconfined_script_exec_t;
type urandom_device_t;
type var_lock_t;
class unix_stream_socket connectto;
class unix_dgram_socket sendto;
class sock_file write;
class chr_file write;
class file { read write getattr open lock };
class dir { read search };
}
#============= named_t ==============
allow named_t urandom_device_t:chr_file write;
#============= ntpd_t ==============
allow ntpd_t initrc_t:unix_stream_socket connectto;
allow ntpd_t ntpd_var_run_t:sock_f...
2019 Feb 25
0
Policy issue: C7 and motion
Not sure whose package let an error slip in, but I don't believe I've had
this issue before: SELinux is preventing /usr/bin/motion from map access
on the chr_file /dev/video1
Yes, that should be allowed by default.
mark
2009 Aug 27
1
SELinux messages after compiling new kernel
...nux: class peer not defined in policy
SELinux: class capability2 not defined in policy
SELinux: class kernel_service not defined in policy
SELinux: permission open in class dir not defined in policy
SELinux: permission open in class file not defined in policy
SELinux: permission open in class chr_file not defined in policy
SELinux: permission open in class blk_file not defined in policy
SELinux: permission open in class sock_file not defined in policy
SELinux: permission open in class fifo_file not defined in policy
SELinux: permission recvfrom in class node not defined in policy
SELinux: p...
2019 Jan 30
2
SELinux policy vs. static web content
Hi,
Some time ago I wrote an introductory article about SELinux on my blog.
I'm currently updating it for my new blog, and I found a curious change
in SELinux policy. Here goes.
For demonstration purposes, I'm using some static webpages, more exactly
the default pages found in /usr/share/httpd/noindex, which I simply
copied over to /var/www/html.
As a first practical example, I'm
2020 Feb 11
0
vhost changes (batched) in linux-next after 12/13 trigger random crashes in KVM guests after reboot
...nux: Permission watch_sb in class lnk_file not defined in policy.
[ 9.689924] SELinux: Permission watch_with_perm in class lnk_file not defined in policy.
[ 9.689925] SELinux: Permission watch_reads in class lnk_file not defined in policy.
[ 9.689927] SELinux: Permission watch in class chr_file not defined in policy.
[ 9.689941] SELinux: Permission watch_mount in class chr_file not defined in policy.
[ 9.689942] SELinux: Permission watch_sb in class chr_file not defined in policy.
[ 9.689943] SELinux: Permission watch_with_perm in class chr_file not defined in policy.
[ 9.6...
2020 Feb 07
16
vhost changes (batched) in linux-next after 12/13 trigger random crashes in KVM guests after reboot
On Fri, Feb 07, 2020 at 08:47:14AM +0100, Christian Borntraeger wrote:
> Also adding Cornelia.
>
>
> On 06.02.20 23:17, Michael S. Tsirkin wrote:
> > On Thu, Feb 06, 2020 at 04:12:21PM +0100, Christian Borntraeger wrote:
> >>
> >>
> >> On 06.02.20 15:22, eperezma at redhat.com wrote:
> >>> Hi Christian.
> >>>
> >>>
2020 Feb 07
16
vhost changes (batched) in linux-next after 12/13 trigger random crashes in KVM guests after reboot
On Fri, Feb 07, 2020 at 08:47:14AM +0100, Christian Borntraeger wrote:
> Also adding Cornelia.
>
>
> On 06.02.20 23:17, Michael S. Tsirkin wrote:
> > On Thu, Feb 06, 2020 at 04:12:21PM +0100, Christian Borntraeger wrote:
> >>
> >>
> >> On 06.02.20 15:22, eperezma at redhat.com wrote:
> >>> Hi Christian.
> >>>
> >>>