Displaying 20 results from an estimated 42 matches for "etc_t".
2015 Feb 09
2
SELinux context for ssh host keys?
...while the new had unconfined_u. So, I decided to run restorecon -v to
presumably set the SELinux user correctly for the new keys: But that
is not what happened:
restorecon -v *
restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key_4096.pub context
unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
As you can see, not only did the user not get set to system_u but the
type was changed to etc_t.
Why were the new key files changed from sshd_key_t types to the
g...
2015 Feb 09
0
SELinux context for ssh host keys?
...So, I decided to run restorecon -v to
> presumably set the SELinux user correctly for the new keys: But that
> is not what happened:
>
> restorecon -v *
>
> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>
> restorecon reset /etc/ssh/ssh_host_rsa_key_4096.pub context
> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>
> As you can see, not only did the user not get set to system_u but the
> type was changed to etc_t.
>
> Why were the new key files c...
2010 Apr 06
1
SELinux restorecon does not work
...changed. Do I need to create local SELinux
module? I hope anyone could help me out of this. Thank you.
-------------------------------------------------------
# sealert -b
........................................
Summary:
SELinux is preventing postmaster (postgresql_t) "setattr" to ./db (etc_t).
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./db,
restorecon -v './db'
If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy modu...
2007 Dec 17
2
Digest Subscriber needs help with SELinux file context setting
...service httpd start
Starting httpd: [FAILED]
Checking /var/log/messages I see this:
# tail /var/log/messages
Dec 17 16:08:01 inet01 setroubleshoot:
SELinux is preventing the /usr/sbin/httpd from using potentially
mislabeled files trac-rewrite.log (etc_t).
For complete SELinux messages. run sealert -l
cfc477ae-0443-44f7-9bd3-4ede69b03a57
Following the suggested remedy I do this:
# sealert -l cfc477ae-0443-44f7-9bd3-4ede69b03a57
Summary
SELinux is preventing the /usr/sbin/httpd from using potentially
mislabeled
files trac-rewrite.log...
2007 Nov 13
1
Can't get samba to start.
...arts fine, but smbd never starts, and in the kernel log, I get
the following message....
"<5>audit(1194957676.859:270): avc: denied { write } for pid=14000
comm="smbd" name="secrets.tdb" dev=hda2 ino=2490462 scontext=root:system_r:smbd_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
<5>audit(1194957768.575:272): avc: denied { write } for pid=14025
comm="smbd" name="secrets.tdb" dev=hda2 ino=2490462 scontext=root:system_r:smbd_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
<5>audit(1194957793.491:274): avc: denied { write...
2008 Mar 03
1
Unable to open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...#
# Rawsox local policy
# these two didn't help
#corenet_raw_sendrecv_all_if( rawsox_t );
#corenet_raw_sendrecv_all_nodes( rawsox_t );
require {
type lib_t;
type ld_so_t;
type ld_so_cache_t;
type usr_t;
type devpts_t;
type rawsox_t;
type etc_t;
class lnk_file read;
class dir search;
class file { read getattr execute };
class chr_file { read write getattr };
class rawip_socket create;
class capability net_raw;
}
#============= rawsox_t ==============
allow rawsox_t devpts_t:chr_file { read write g...
2015 Feb 10
1
SELinux context for ssh host keys?
...<rnicholsNOSPAM at comcast.net> wrote:
>
> On 02/09/2015 11:14 AM, James B. Byrne wrote:
>> So, I decided to run restorecon -v to
>>
...
>> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context
>> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0
>>
...
>> There is no REQUIREMENT that a host key have a particular file name is
>> there? The sshd_config provides for setting one explicitly and doing
>> so seems to cause no problems with ssh connections that I have yet
>> encountered.
>
> The "syst...
2017 Nov 10
2
Sieve global path?
...>   sieve_after           = /etc/dovecot/sieve/after.d/
> #  sieve_after2         =
> #  sieve_after3         =
>
>   fts                   = lucene
>   fts_lucene            = whitespace_chars=@.
> }
>
> Permissions:
> drwxr-xr-x. 174 root root system_u:object_r:etc_t:s0 12288 Nov  9 11:43 /etc
> drwxr-xr-x.   4 root root system_u:object_r:dovecot_etc_t:s0 95 Apr 28  2016 /etc/dovecot
> drwxr-xr-x.   5 root root system_u:object_r:dovecot_etc_t:s0 64 Jul 13  2015 /etc/dovecot/sieve
> drwxr-xr-x.   2 root root system_u:object_r:dovecot_etc...
2017 Nov 10
2
Sieve global path?
...ve_after2         =
> >> #  sieve_after3         =
> >>
> >>   fts                   = lucene
> >>   fts_lucene            = whitespace_chars=@.
> >> }
> >>
> >> Permissions:
> >> drwxr-xr-x. 174 root root system_u:object_r:etc_t:s0 12288 Nov  9 11:43 /etc
> >> drwxr-xr-x.   4 root root system_u:object_r:dovecot_etc_t:s0 95 Apr 28  2016 /etc/dovecot
> >> drwxr-xr-x.   5 root root system_u:object_r:dovecot_etc_t:s0 64 Jul 13  2015 /etc/dovecot/sieve
> >> drwxr-xr-x.   2 roo...
2015 Dec 24
2
systemd-sysctl not running on boot
On 12/23/2015 11:12 PM, Ofer Hasson wrote:
> [root at web-devel-local-1 ~]# /usr/lib/systemd/systemd-sysctl
> [root at web-devel-local-1 ~]# cat /proc/sys/vm/swappiness
> 10
So... you know that it works when you run it from a root shell, but not
during boot. Is the file labeled properly? Anything in audit.log?
2018 Mar 07
0
An selinux issue
CentOS 7.4
From sealert:
SELinux is preventing /usr/sbin/sshd from read access on the file
/etc/ssh/moduli.
***** Plugin restorecon (94.8 confidence) suggests
************************
If you want to fix the label.
/etc/ssh/moduli default label should be etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/ssh/moduli
<...>
Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /etc/ssh/moduli [ file ]
Sour...
2009 Feb 06
1
...n't apply partial
context to unlabeled file /etc/puppet
; change from absent to object_r failed: Execution of '/usr/bin/chcon -h
-r object_r /etc/puppet' returned 1: /usr/bin/chcon: can't apply partial
context to unlabeled file /etc/puppet
; change from absent to etc_t failed: Execution of '/usr/bin/chcon -h -t
etc_t /etc/puppet' returned 1: /usr/bin/chcon: can't apply partial context
to unlabeled file /etc/puppet
; change from absent to s0 failed: Execution of '/usr/bin/chcon -h -l s0
/etc/puppet' returned 1: /usr/bin...
2008 May 22
1
Re: Need help with rsync. [solved]
...roblem is announced at the desktop
then you may also find it useful to check for this:
# grep setroubleshoot /var/log/messages
In which case you may see something like this:
Dec 17 14:13:24 inet01 setroubleshoot:
SELinux is preventing /usr/sbin/httpd (httpd_t) "write" to virtual.d (etc_t).
For complete SELinux messages. run sealert -l
15618e2e-044c-4c4c-b3fc-ec1eba554d02
In this case you can follow the suggestion given in the log message and run
sealert:
# sealert -l 15618e2e-044c-4c4c-b3fc-ec1eba554d02
Summary
SELinux is preventing /usr/sbin/httpd (httpd_t) "write&q...
2015 Dec 28
2
systemd-sysctl not running on boot
...assonofer at gmail.com>
> To: "centos" <centos at centos.org>
> Sent: Thursday 24 December 2015 11:36:00
> Subject: Re: [CentOS] systemd-sysctl not running on boot
> [root at web-devel-local-1 ~]# ll -Z /etc/ | grep sysctl
> drwxr-xr-x. root root system_u:object_r:etc_t:s0 sysctl.d
>
> [root at web-devel-local-1 ~]# ll -Z /etc/sysctl.d/
> -rw-r--r--. root root unconfined_u:object_r:system_conf_t:s0 sysctl.conf
>
Is there a relationship with the new symlink created by the upgrade in my servers?
# ls -l /etc/sysctl.d/
total 0
lrwxrwxrwx. 1 roo...
2018 Sep 09
3
Type enforcement / mechanism not clear
...read these config files?
Normally, sure - but a malicious developer (or attacker) will do. So, I'm evaluating different
approaches to secure our platform. It's possible to limit fs access in PHP but this comes with
a massive performance penalty.
Well, I do not want to discuss that all "etc_t" files can be read but why
sysctl.conf with "system_conf_t" type can be read where it shouldn't??
Any pointer would be greatly appreciated.
--
LF
2008 Mar 07
1
Unable to open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...all_if( rawsox_t );
>> #corenet_raw_sendrecv_all_nodes( rawsox_t );
>>
>> require {
>> type lib_t;
>> type ld_so_t;
>> type ld_so_cache_t;
>> type usr_t;
>> type devpts_t;
>> type rawsox_t;
>> type etc_t;
>> class lnk_file read;
>> class dir search;
>> class file { read getattr execute };
>> class chr_file { read write getattr };
>> class rawip_socket create;
>> class capability net_raw;
>> }
>>
>> #============...
2016 Feb 17
2
New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
...ill.
Your best bet on CentOS-7 is to create a new file in /etc/sysctl.d/
called something like 99-postgres.conf and put your mods in there.
That way it will never change.
Also .. verify all the files in /etc/sysctl.d/ and /etc/sysctl.conf are
set to this label for selinux:
unconfined_u:object_r:etc_t:s0
See this for labeling:
red.ht/1ooTpiI
But, /etc/sysctl.conf should still work in centos-7.
2016 Feb 17
1
New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
> The easy answer is yes .. glibc requires so many things to be restarted,
> that is the best bet. Or certainly the easiest.
>
> Note: in CentOS 7, there is also a kernel update which is rated as
> Important .. so you should boot to that anyway:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html
>
> Here is a good link to figure out what to
2018 Sep 10
1
Type enforcement / mechanism not clear
...y, sure - but a malicious developer (or attacker) will do. So, I'm evaluating different
>> approaches to secure our platform. It's possible to limit fs access in PHP but this comes with
>> a massive performance penalty.
>>
>> Well, I do not want to discuss that all "etc_t" files can be read but why
>> sysctl.conf with "system_conf_t" type can be read where it shouldn't??
>>
>> Any pointer would be greatly appreciated.
>>
>
> We allow apache and all domains to read all of what we define as base_ro_file_type types.
&...
2017 Nov 09
2
Sieve global path?
Hello,
I am building a new server on CentOS 7 and the global sieve filter can
not be loaded. The debug shows:
Nov  9 15:23:09 mail dovecot: lmtp(11182, gao at mydomain.com): Debug:
sieve: Pigeonhole version 0.4.2 initializing
Nov  9 15:23:09 mail dovecot: lmtp(11182, gao at mydomain.com): Debug:
sieve: include: sieve_global_dir is not set; it is currently not
possible to include `:global'