search for: etc_t

Displaying 20 results from an estimated 42 matches for "etc_t".

2015 Feb 09
2
SELinux context for ssh host keys?
...while the new had unconfined_u. So, I decided to run restorecon -v to presumably set the SELinux user correctly for the new keys: But that is not what happened: restorecon -v * restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0 restorecon reset /etc/ssh/ssh_host_rsa_key_4096.pub context unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0 As you can see, not only did the user not get set to system_u but the type was changed to etc_t. Why were the new key files changed from sshd_key_t types to the g...
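The relabeling shown above, replayed as an added example (not code from the thread or from the SELinux project). It resolves paths against a small, assumed subset of file_contexts patterns and reproduces what `restorecon -v` prints. The patterns and the `semanage fcontext` command in the comments are illustrative, not copied from a policy release; the matching rule approximates libselinux (the matching pattern with the longest literal prefix wins, and a tie goes to the later entry, which is how file_contexts.local overrides the base policy). Two things it makes visible: a key file whose name matches no sshd_key_t pattern falls through to the catch-all `/etc/.*` rule and becomes etc_t, and restorecon without `-F` resets only the type field, so the unconfined_u user part is kept.

```python
"""Why `restorecon` sent ssh_host_rsa_key_4096 back to etc_t (added example)."""
import re

# Regex metacharacters that terminate the literal prefix of a pattern.
_META = set(".^$?*+|[](){}\\")


def literal_prefix_len(pattern):
    """Number of leading characters before the first regex metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in _META:
            return i
    return len(pattern)


# Illustrative base-policy entries (assumed; not copied from a policy release).
BASE_FILE_CONTEXTS = [
    (r"/etc/.*",                     "system_u:object_r:etc_t:s0"),
    (r"/etc/ssh/ssh_host_rsa_key",   "system_u:object_r:sshd_key_t:s0"),
    (r"/etc/ssh/ssh_host_ecdsa_key", "system_u:object_r:sshd_key_t:s0"),
]

# What an assumed local rule would append to file_contexts.local, e.g. via
#   semanage fcontext -a -t sshd_key_t '/etc/ssh/ssh_host_rsa_key_4096(\.pub)?'
LOCAL_FILE_CONTEXTS = [
    (r"/etc/ssh/ssh_host_rsa_key_4096(\.pub)?", "system_u:object_r:sshd_key_t:s0"),
]


def default_context(path, specs):
    """Context the policy assigns to `path`, or None if no pattern matches.

    Most specific pattern (longest literal prefix) wins; ties go to the later
    entry. Patterns are anchored, as in file_contexts, hence fullmatch.
    """
    best_key, best_ctx = None, None
    for idx, (pattern, ctx) in enumerate(specs):
        if re.fullmatch(pattern, path):
            key = (literal_prefix_len(pattern), idx)   # specificity, then order
            if best_key is None or key > best_key:
                best_key, best_ctx = key, ctx
    return best_ctx


def restorecon_plan(labels, specs, force=False):
    """Return (path, old, new) for each file `restorecon -v` would relabel.

    `labels` maps path -> current context. With force=False only the type
    field is reset (restorecon's default); force=True mirrors `restorecon -F`,
    which also resets user, role and range.
    """
    changes = []
    for path, old in labels.items():
        target = default_context(path, specs)
        if target is None:
            continue
        if force:
            new = target
        else:
            user, role, _type, mls = old.split(":", 3)
            new = ":".join([user, role, target.split(":")[2], mls])
        if new != old:
            changes.append((path, old, new))
    return changes


if __name__ == "__main__":
    # Constructed to match the labels the poster reported before running restorecon.
    labels = {
        "/etc/ssh/ssh_host_rsa_key_4096":     "unconfined_u:object_r:sshd_key_t:s0",
        "/etc/ssh/ssh_host_rsa_key_4096.pub": "unconfined_u:object_r:sshd_key_t:s0",
        "/etc/ssh/ssh_host_rsa_key":          "system_u:object_r:sshd_key_t:s0",
    }
    print("# base policy only:")
    for path, old, new in restorecon_plan(labels, BASE_FILE_CONTEXTS):
        print(f"restorecon reset {path} context {old}->{new}")
    print("# with the local fcontext rule appended:")
    print(restorecon_plan(labels, BASE_FILE_CONTEXTS + LOCAL_FILE_CONTEXTS) or "nothing to relabel")
```

On a real host the equivalent checks are `matchpathcon /etc/ssh/ssh_host_rsa_key_4096` (what the policy thinks the label should be) and `semanage fcontext -l | grep ssh_host` (which patterns exist); a custom key filename needs its own fcontext rule before restorecon will leave it as sshd_key_t.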
2015 Feb 09
0
SELinux context for ssh host keys?
...So, I decided to run restorecon -v to > presumably set the SELinux user correctly for the new keys: But that > is not what happened: > > restorecon -v * > > restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context > unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0 > > restorecon reset /etc/ssh/ssh_host_rsa_key_4096.pub context > unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0 > > As you can see, not only did the user not get set to system_u but the > type was changed to etc_t. > > Why were the new key files c...
2010 Apr 06
1
SELinux restorecon does not work
...changed. Do I need to create local SELinux module? I hope anyone could help me out of this. Thank you. ------------------------------------------------------- # sealert -b ........................................ Summary: SELinux is preventing postmaster (postgresql_t) "setattr" to ./db (etc_t). Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./db, restorecon -v './db' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy modu...
2007 Dec 17
2
Digest Subcriber needs help with SELinux file context setting
...service httpd start Starting httpd: [FAILED] Checking /var/log/messages I see this: # tail /var/log/messages Dec 17 16:08:01 inet01 setroubleshoot: SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files trac-rewrite.log (etc_t). For complete SELinux messages. run sealert -l cfc477ae-0443-44f7-9bd3-4ede69b03a57 Following the suggested remedy I do this: # sealert -l cfc477ae-0443-44f7-9bd3-4ede69b03a57 Summary SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files trac-rewrite.log...
2007 Nov 13
1
Can't get samba to start.
...arts fine, but smbd never starts, and in the kernel log, I get the following message.... "<5>audit(1194957676.859:270): avc: denied { write } for pid=14000 comm="smbd" name="secrets.tdb" dev=hda2 ino=2490462 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file <5>audit(1194957768.575:272): avc: denied { write } for pid=14025 comm="smbd" name="secrets.tdb" dev=hda2 ino=2490462 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file <5>audit(1194957793.491:274): avc: denied { write...
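Triage of AVC denials like the ones above, as an added example (not code from the thread). It parses `avc: denied` records, groups them by source domain, target type, object class and permission, and applies a heuristic a practitioner uses before reaching for audit2allow: when a confined daemon is denied on an object carrying a generic, catch-all label (etc_t, unlabeled_t, default_t, file_t), the likely cause is a mislabeled file, so the first check is `matchpathcon` and `restorecon -v`; any other target type points at a genuine policy gap (a boolean or a local module). The first two sample lines are modeled on the post's audit log; the other two are constructed to exercise the remaining branches and are not from the page.

```python
"""Group and triage SELinux AVC denials (added example)."""
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Catch-all labels rather than a service's own private type.
GENERIC_TYPES = {"etc_t", "unlabeled_t", "default_t", "file_t"}

# Constructed input: lines 1-2 modeled on the post above, lines 3-4 invented.
SAMPLE_LINES = [
    '<5>audit(1194957676.859:270): avc: denied { write } for pid=14000 comm="smbd" '
    'name="secrets.tdb" dev=hda2 ino=2490462 scontext=root:system_r:smbd_t:s0 '
    'tcontext=root:object_r:etc_t:s0 tclass=file',
    '<5>audit(1194957768.575:272): avc: denied { write } for pid=14025 comm="smbd" '
    'name="secrets.tdb" dev=hda2 ino=2490462 scontext=root:system_r:smbd_t:s0 '
    'tcontext=root:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1520400000.123:456): avc:  denied  { read } for  pid=1234 '
    'comm="sshd" name="moduli" dev="dm-0" ino=67890 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1520400001.500:457): avc:  denied  { name_connect } for  pid=2222 '
    'comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0',
]


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {"perms": m.group("perms").split()}
    for key in ("pid", "comm", "name", "scontext", "tcontext", "tclass"):
        rec[key] = fields.get(key)
    # The type is the third field of a context; an MLS range may add more colons.
    rec["stype"] = rec["scontext"].split(":")[2] if rec["scontext"] else None
    rec["ttype"] = rec["tcontext"].split(":")[2] if rec["tcontext"] else None
    return rec


def triage(rec):
    """Heuristic verdict: generic target type -> check labels first; else policy gap."""
    return "mislabel" if rec["ttype"] in GENERIC_TYPES else "policy"


def summarize(lines):
    """Group denials by (source type, target type, class, perms) with count and verdict."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))
        row = groups.setdefault(key, {"source": key[0], "target": key[1], "tclass": key[2],
                                      "perms": key[3], "count": 0, "names": set(),
                                      "triage": triage(rec)})
        row["count"] += 1
        if rec["name"]:
            row["names"].add(rec["name"])
    return sorted(groups.values(), key=lambda r: (-r["count"], r["source"]))


if __name__ == "__main__":
    noise = "Dec 17 16:08:01 inet01 kernel: unrelated line"   # constructed non-AVC line
    for row in summarize(SAMPLE_LINES + [noise]):
        hint = ("check label: matchpathcon <path>; restorecon -v <path>"
                if row["triage"] == "mislabel" else "policy gap: audit2allow or a boolean")
        print(f'{row["count"]:>3}  {row["source"]} -> {row["target"]} {row["tclass"]} '
              f'{{ {row["perms"]} }}  {sorted(row["names"])}  [{hint}]')
```

Feed it `grep avc /var/log/audit/audit.log` (or the kernel log on older hosts) and the smbd denials above collapse into one row pointing at secrets.tdb labeled etc_t, which is exactly the case where `restorecon -v` on the file is the right first move rather than generating a module that allows smbd_t to write etc_t.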
2008 Mar 03
1
Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...# # Rawsox local policy # these two didn't help #corenet_raw_sendrecv_all_if( rawsox_t ); #corenet_raw_sendrecv_all_nodes( rawsox_t ); require { type lib_t; type ld_so_t; type ld_so_cache_t; type usr_t; type devpts_t; type rawsox_t; type etc_t; class lnk_file read; class dir search; class file { read getattr execute }; class chr_file { read write getattr }; class rawip_socket create; class capability net_raw; } #============= rawsox_t ============== allow rawsox_t devpts_t:chr_file { read write g...
2015 Feb 10
1
SELinux context for ssh host keys?
...<rnicholsNOSPAM at comcast.net> wrote: > > On 02/09/2015 11:14 AM, James B. Byrne wrote: >> So, I decided to run restorecon -v to >> ... >> restorecon reset /etc/ssh/ssh_host_rsa_key_4096 context >> unconfined_u:object_r:sshd_key_t:s0->unconfined_u:object_r:etc_t:s0 >> ... >> There is no REQUIREMENT that a host key have a particular file name is >> there? The sshd_config provides for setting one explicitly and doing >> so seems to cause no problems with ssh connections that I have yet >> encountered. > > The "syst...
2017 Nov 10
2
Sieve global path?
...> sieve_after = /etc/dovecot/sieve/after.d/ > # sieve_after2 = > # sieve_after3 = > > fts = lucene > fts_lucene = whitespace_chars=@. > } > > Permissions: > drwxr-xr-x. 174 root root system_u:object_r:etc_t:s0 12288 Nov 9 > 11:43 /etc drwxr-xr-x. 4 root root system_u:object_r:dovecot_etc_t:s0 > 95 Apr 28 2016 /etc/dovecot drwxr-xr-x. 5 root root > system_u:object_r:dovecot_etc_t:s0 64 Jul 13 2015 /etc/dovecot/sieve > drwxr-xr-x. 2 root root system_u:object_r:dovecot_etc...
2017 Nov 10
2
Sieve global path?
...ve_after2 = > >> # sieve_after3 = > >> > >> fts = lucene > >> fts_lucene = whitespace_chars=@. > >> } > >> > >> Permissions: > >> drwxr-xr-x. 174 root root system_u:object_r:etc_t:s0 12288 Nov 9 > >> 11:43 /etc drwxr-xr-x. 4 root root system_u:object_r:dovecot_etc_t:s0 > >> 95 Apr 28 2016 /etc/dovecot drwxr-xr-x. 5 root root > >> system_u:object_r:dovecot_etc_t:s0 64 Jul 13 2015 /etc/dovecot/sieve > >> drwxr-xr-x. 2 roo...
2015 Dec 24
2
systemd-sysctl not running on boot
On 12/23/2015 11:12 PM, Ofer Hasson wrote: > [root at web-devel-local-1 ~]# /usr/lib/systemd/systemd-sysctl > [root at web-devel-local-1 ~]# cat /proc/sys/vm/swappiness > 10 So... you know that it works when you run it from a root shell, but not during boot. Is the file labeled properly? Anything in audit.log?
2018 Mar 07
0
An selinux issue
CentOS 7.4 From sealert: SELinux is preventing /usr/sbin/sshd from read access on the file /etc/ssh/moduli. ***** Plugin restorecon (94.8 confidence) suggests ************************ If you want to fix the label. /etc/ssh/moduli default label should be etc_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/ssh/moduli <...> Additional Information: Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /etc/ssh/moduli [ file ] Sour...
2009 Feb 06
1
...n't apply partial context to unlabeled file /etc/puppet ; change from absent to object_r failed: Execution of '/usr/bin/chcon -h -r object_r /etc/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /etc/puppet ; change from absent to etc_t failed: Execution of '/usr/bin/chcon -h -t etc_t /etc/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /etc/puppet ; change from absent to s0 failed: Execution of '/usr/bin/chcon -h -l s0 /etc/puppet' returned 1: /usr/bin...
2008 May 22
1
Re: Need help with rsync. [solved]
...roblem is announced at the desktop then you may also find it useful to check for this: # grep setroubleshoot /var/log/messages In which case you may see something like this: Dec 17 14:13:24 inet01 setroubleshoot: SELinux is preventing /usr/sbin/httpd (httpd_t) "write" to virtual.d (etc_t). For complete SELinux messages. run sealert -l 15618e2e-044c-4c4c-b3fc-ec1eba554d02 In this case you can follow the suggestion given in the log message and run sealert: # sealert -l 15618e2e-044c-4c4c-b3fc-ec1eba554d02 Summary SELinux is preventing /usr/sbin/httpd (httpd_t) "write&q...
2015 Dec 28
2
systemd-sysctl not running on boot
...assonofer at gmail.com> > To: "centos" <centos at centos.org> > Sent: Thursday, 24 December 2015 11:36:00 > Subject: Re: [CentOS] systemd-sysctl not running on boot > [root at web-devel-local-1 ~]# ll -Z /etc/ | grep sysctl > drwxr-xr-x. root root system_u:object_r:etc_t:s0 sysctl.d > > [root at web-devel-local-1 ~]# ll -Z /etc/sysctl.d/ > -rw-r--r--. root root unconfined_u:object_r:system_conf_t:s0 sysctl.conf > Is there a relationship with the new symlink created by the upgrade in my servers? # ls -l /etc/sysctl.d/ total 0 lrwxrwxrwx. 1 roo...
2018 Sep 09
3
Type enforcement / mechanism not clear
...read these config files? Normally, sure - but a malicious developer (or attacker) will do. So, I'm evaluating different approaches to secure our platform. It's possible to limit fs access in PHP but this comes with a massive performance penalty. Well, I do not want to discuss that all "etc_t" files can be read but why sysctl.conf with "system_conf_t" type can be read where it shouldn't?? Any pointer would be greatly appreciated. -- LF
2008 Mar 07
1
Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?
...all_if( rawsox_t ); >> #corenet_raw_sendrecv_all_nodes( rawsox_t ); >> >> require { >> type lib_t; >> type ld_so_t; >> type ld_so_cache_t; >> type usr_t; >> type devpts_t; >> type rawsox_t; >> type etc_t; >> class lnk_file read; >> class dir search; >> class file { read getattr execute }; >> class chr_file { read write getattr }; >> class rawip_socket create; >> class capability net_raw; >> } >> >> #============...
2016 Feb 17
2
New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
...ill. Your best bet on CentOS-7 is to create a new file in /etc/sysctl.d/ called something like 99-postgres.conf and put your mods in there. That way it will never change. Also .. verify all the files in /etc/sysctl.d/ and /etc/sysctl.conf are set to this label for selinux: unconfined_u:object_r:etc_t:s0 See this for labeling: red.ht/1ooTpiI But, /etc/sysctl.conf should still work in centos-7. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.ce...
2016 Feb 17
1
New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
> The easy answer is yes .. glibc requires so many things to be restarted, > that is the best bet. Or certainly the easiest. > > Note: in CentOS 7, there is also a kernel update which is rated as > Important .. so you should boot to that anyway: > https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html > > Here is a good link to figure out what to
2018 Sep 10
1
Type enforcement / mechanism not clear
...y, sure - but a malicious developer (or attacker) will do. So, I'm evaluating different >> approaches to secure our platform. It's possible to limit fs access in PHP but this comes with >> a massive performance penalty. >> >> Well, I do not want to discuss that all "etc_t" files can be read but why >> sysctl.conf with "system_conf_t" type can be read where it shouldn't?? >> >> Any pointer would be greatly appreciated. >> > > We allow apache and all domains to read all of what we define as base_ro_file_type types. &...
2017 Nov 09
2
Sieve global path?
Hello, I am building a new server on CentOS 7 and the global sieve filter can not be loaded. The debug shows: Nov 9 15:23:09 mail dovecot: lmtp(11182, gao at mydomain.com): Debug: sieve: Pigeonhole version 0.4.2 initializing Nov 9 15:23:09 mail dovecot: lmtp(11182, gao at mydomain.com): Debug: sieve: include: sieve_global_dir is not set; it is currently not possible to include `:global'