search for: dac_override

Displaying 13 results from an estimated 13 matches for "dac_override".

2017 Jan 29
2
tor and selinux
...SELinux kicked in and in the logs there's [warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied The permissions are drwx------. 2 toranon toranon 4096 Jan 28 23:39 hidden_service And SELinux gives the following SELinux is preventing /usr/bin/tor from using the dac_override capability. ***** Plugin dac_override (91.4 confidence) suggests ********************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate...
2014 May 12
1
OpenDKIM and SELinux
...confined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1399898848.286:2317): avc: denied { dac_override } for pid=15213 comm="opendkim" capability=1 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow th...
2020 Aug 28
2
EL8: SElinux / dac_override / tmpwatch
Hi, I'm moving some old stuff from EL6 to EL8 and one setup has a cron job which uses "tmpwatch -umc $dir" to clean some directories (/etc/cron.daily/tmpwatch). It seems that this triggers this AVC (SElinux mode is enforcing): type=AVC msg=audit(1598576896.772:4267): avc: denied { dac_override } for pid=11013 comm="tmpwatch" capability=1 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tclass=capability permissive=0 The tmpwatch exec line had "--force" before and I was hoping that this "capability&...
2020 Aug 28
0
EL8: SElinux / dac_override / tmpwatch
On Aug 28, 2020, at 17:53, Leon Fauster via CentOS <centos at centos.org> wrote: > > Is cron running in EL8 with stripped CAPs of? Does some one have an > idea to address this? In general, we no longer use tmpwatch at all. In CentOS 7 and 8, use systemd-tmpfiles. Here is a blog post that describes it pretty well:
2013 Apr 08
1
libvirt, selinux, moving images to ~/images does not work
...ome/aik/virtimg: -rwxrwxrwx. root root system_u:object_r:virt_content_t:s0 Fedora-18-ppc64-DVD.iso /var/lib/libvirt/images: -rwxrwxrwx. root root system_u:object_r:virt_image_t:s0 fc18guest However "virsh -c qemu:///system create libvirtguest-aik.xml" fails with "avc: denied { dac_override }" and "avc: denied { dac_read_search }". Also, there is "user system_u is not defined" in /var/log/messages what is confusing as "semanage user -l" says it is there. If I simply move Fedora-18-ppc64-DVD.iso to /var/lib/libvirt/images, the problem goes away...
2017 Jan 29
0
tor and selinux
On 01/29/2017 11:59 AM, Mark wrote: > As I don't know what dac_override is I don't know if it's a good idea > to give it to tor and the confidence seems quite low. dac_override indicates that you're running your process as root, and it's trying to do something on the filesystem which is not explicitly allowed by permissions. DAC is the standard...
2014 May 05
2
Opendkim and SELinux
...4 20:50:02 inet08 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from using the signull access on a process. For complete SELinux messages. run sealert -l 442cb257-3db2-488c-a92e-bfc936e16a0c May 4 20:55:25 inet08 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from using the dac_override capability. For complete SELinux messages. run sealert -l c7c1199d-008d-4ae5-b61f-71a11edb0aa3 May 5 04:03:57 inet08 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from search access on the directory /sys. For complete SELinux messages. run sealert -l 800523d5-0420-4038-9c7d-c2ec47c3bb6...
2018 Oct 14
3
Centos7 & Selinux & Tor
...m_r:tor_t:s0 key=(null) type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_read_search } for pid=18283 comm="tor" capability=2 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability type=AVC msg=audit(1539540150.692:60570): avc: denied { dac_override } for pid=18283 comm="tor" capability=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:system_r:tor_t:s0 tclass=capability So I had a look at the permissions for /var/lib/tor/hidden_service/ and they were drwx------. toranon toranon system_u:object_r:tor_var_lib_t:s0 hidden_se...
2017 Jan 30
1
tor and selinux
On Sun, 2017-01-29 at 15:53 -0800, Gordon Messmer wrote: > On 01/29/2017 11:59 AM, Mark wrote: > > As I don't know what dac_override is I don't know if it's a good > > idea > > to give it to tor and the confidence seems quite low. > > > dac_override indicates that you're running your process as root, and > it's trying to do something on the filesystem which is not > explicitly >...
2011 Mar 14
0
[Bug 665] Can't start error opening /var/log/ ...
...first if apparmor is running you get the error access denied for /var/log/ulogd/ulogd.log type=AVC msg=audit(1300044955.917:57): apparmor="DENIED" operation="capable" parent=23608 profile="/usr/sbin/ulogd" pid=23609 comm="ulogd" capability=1 capname="dac_override" type=AVC msg=audit(1300045005.380:58): apparmor="DENIED" operation="capable" parent=23664 profile="/usr/sbin/ulogd" pid=23665 comm="ulogd" capability=1 capname="dac_override" once apparmor is stopped ulogd -c /etc/ulogd.conf --uid ulogd Fa...
2006 Jun 07
1
Apache php and exim
...tclass=capability When I turn to permissive mode: audit(1149668677.105:12): avc: denied { setuid } for pid=29159 comm="sendmail" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability audit(1149668677.157:13): avc: denied { dac_override } for pid=29159 comm="sendmail" capability=1 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability audit(1149668677.209:14): avc: denied { write } for pid=29159 comm="sendmail" name="input" dev=dm-3 ino=1335707 scont...
2018 Oct 23
0
Centos7 & Selinux & Tor
...AVC msg=audit(1539540150.692:60570): avc: denied { > dac_read_search } for pid=18283 comm="tor" > capability=2 scontext=system_u:system_r:tor_t:s0 > tcontext=system_u:system_r:tor_t:s0 tclass=capability > > type=AVC msg=audit(1539540150.692:60570): avc: denied { > dac_override > } for pid=18283 comm="tor" > capability=1 scontext=system_u:system_r:tor_t:s0 > tcontext=system_u:system_r:tor_t:s0 tclass=capability > > So I had a look at the permissions for /var/lib/tor/hidden_service/ > and > they were > > drwx------. toranon toranon...
2018 Oct 23
1
Centos7 & Selinux & Tor
...0.692:60570): avc: denied { >> dac_read_search } for pid=18283 comm="tor" >> capability=2 scontext=system_u:system_r:tor_t:s0 >> tcontext=system_u:system_r:tor_t:s0 tclass=capability >> >> type=AVC msg=audit(1539540150.692:60570): avc: denied { >> dac_override >> } for pid=18283 comm="tor" >> capability=1 scontext=system_u:system_r:tor_t:s0 >> tcontext=system_u:system_r:tor_t:s0 tclass=capability >> >> So I had a look at the permissions for /var/lib/tor/hidden_service/ >> and >> they were >> &g...