search for: dontaudit

...selinux to usw with ntpd but when i run (as described in wiki) semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd" i have that error " usage: semanage [-h] {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit} ... semanage: error: argument subcommand: invalid choice: 'ntpd_t' (choose from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport', 'interface', 'module', 'node', 'fcontext&...

Hi All, I'm running CentOS 5.2 with SELinux in enforcing mode (default targeted policy). The server hosts a PHP web app that sends mail. I'm getting the following errors (see end of message) in my selinux audit.log file every time the app sends an email. The email always seems to get sent successfully, despite the log messages. However, they do concern me and I would like to understand

I need to run a "copy table to '/home/user/dir/copy.txt';" but I get permission denied. Filesystem dir modes are ok and I get no event logged in audit.log, but if I setenforce 0, I can do the copy. This explains auditd silence: # sesearch --audit |egrep postgres.*home dontaudit postgresql_t user_home_dir_t : dir { getattr search }; dontaudit postgresql_t home_root_t : dir { getattr search }; I changed the "dir" type to tmpfs_t and I could write with "\copy" but not with "copy". Anyway, what are the best practices to allow postgresql &quo...

...error: unrecognized arguments: samba_share_t /path/to/share > > What is "noise" exactly? I don't get errors from that command: The full message is: usage: semanage [-h] {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit} ... semanage: error: unrecognized arguments: samba_share_t '/path/to/share(/.*)?'

...ribed in wiki) > > semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd" > > > i have that error > " > usage: semanage [-h] > > > {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit} > >                 ... > semanage: error: argument subcommand: invalid choice: 'ntpd_t' (choose > from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport', > 'interface', 'module', &...

Just prior to the time change, I made sure that ntpd and my timezone files were properly setup. Since this time, I've noticed the following errors: audit(1173310084.404:5): avc: denied { read } for pid=8634 comm="ntpd" name="unexpected.tdb" dev=md1 ino=147662 scontext=root:system_r:ntpd_t tcontext=root:object_r:samba_var_t tclass=file I've not successfully (so

Is this really supposed to get easier over time? :) Now my audit.log file shows that SELinux is blocking my cgi script, index.cgi (which is what's actually served when the user visits the front page of one of our proxy sites like sugarsurfer.com) from having '"read write" to socket (httpd_t)'. I have no idea what that means, except that I thought that cgi scripts were

Hi list, I've knocked up a contribution on SELinux here: http://wiki.centos.org/HowTos/SELinux I've tried to pitch it as an introduction for those not already familiar with SELinux but also hopefully a useful reference. I'm relatively new to SELinux and have covered pretty much everything I know to the limits of my limited knowledge. If folks think other material needs to be

These patches update the example FLASK policy shipped with Xen and enable its build if the required tools are present. The third patch requires rerunning autoconf to update tools/configure. [PATCH 1/3] flask/policy: sort dom0 accesses [PATCH 2/3] flask/policy: rework policy build system [PATCH 3/3] tools/flask: add FLASK policy to build

On 02/12/2017 10:40 AM, Gordon Messmer wrote: > I'm not seeing those errors logged, either, so maybe your system > differs from mine. If I'm misreading, hopefully someone will chime in > to clarify. ... Also, it might be useful to get the AVCs on your system. The bug entry indicated that you'd need to enable debugging (semodule -DB, and later use semodule -B to

...gt; /path/to/share > > > > What is "noise" exactly? I don't get errors from that command: > > The full message is: > > usage: semanage [-h] > > {import,export,login,user,port,interface,module,node, > fcontext,boolean,permissive,dontaudit} > ... > semanage: error: unrecognized arguments: samba_share_t > '/path/to/share(/.*)?' You can check the labels using seinfo -t, below is what I had for samba samba_etc_t samba_initrc_exec_t samba_log_t samba_net_exec_t samba_net_t sam...

...bcommand: invalid choice: 'lib_t' (choose from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport', 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive', 'dontaudit') What am I doing wrong? mark

In this wiki article: https://wiki.centos.org/HowTos/SetUpSamba ?there is a command down in section 2 that gives an error here on CentOS 7: $ sudo semanage fcontext ?at samba_share_t /path/to/share ?noise noise noise? semanage: error: unrecognized arguments: samba_share_t /path/to/share That and the following restorecon command can be replaced by a single shorter command, which

I've built a new mail system with Centos 6.5, and I'm running fetchmail - sendmail - procmail to maildir. I have all of this working at the moment.(I know, postfix was the default, but for lots of other reasons, I switched, and that isn't an issue, I don't think). I am using dovecot as an imap server. Procmail won't update indexes during email delivery, so I'm having some

Hi. CentOS 5.4 64-bit with SELinux, happily running for over a year, suddenly httpd fails to start up, getting an error message like: Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf: Cannot load /etc/httpd/modules/libphp5.so into server: libxml2.so.2: failed to map segment from shared object: Permission denied I turned off SELinux and was able to start httpd. But what went

...***** Plugin leaks (6.10 confidence) suggests ***************************** If you want to ignore mdadm trying to write access the rear-fcshome.log.lockless file, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # ausearch -x /usr/sbin/mdadm --raw | audit2allow -D -M my-mdadm # semodule -i my-mdadm.pp ***** Plugin catchall (1.43 confidence) suggests ************************** If you believe that mdadm should be allowed write access on the rear-fcshome.log.lockless file by default. Then...

...y. ***** Plugin leaks (86.2 confidence) suggests ****************************** If you want to ignore sendmail.postfix trying to read access the inotify directory, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /usr/sbin/sendmail.postfix /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp ***** Plugin catchall (14.7 confidence) suggests *************************** If you believe that sendmail.postfix should be allowed read access on the inotify directory by...

Hi, I'm running Centos 5 32bit and installed openvpn-2.0.9-1.el5.rf from Dag Wieers Repo. When OpenVPN is started during boot-up it just shows an SElinux related error message. When I start OpenVPN manually after the system has come up completely it works fine. Here are all the messages from /var/log/messages that are SElinux related: May 28 21:39:15 srsblnfw01 kernel:

I have a web application which uses sudo to invoke python scripts as the user under which the application runs (NO root access).? Is there any reason why sudo would would require sys_ptrace access for this?? I only get this violation intermittenly, and not with every call to sudo.? Here's the violation: Summary: SELinux is preventing sudo (httpd_t) "sys_ptrace" to <Unknown>

I am having a very strange issue with Dovecot + Sqlite + SELinux in enforcing. I am able to log in via IMAPS if SELinux is in permissive, but not able to do so when in enforcing. I do not see any SELinux denials even with dontaudit's enabled. I am running Centos 5 on x86_64 with a customized kernel build and SElinux Strict policy. The log dumps below are in the following order:? 1. My syslog output when SElinux is enforcing 2. My mail client's protocol log (using Sylpheed) 3. My syslog output when SElinux is permissiv...