search for: execute_no_tran

Displaying 20 results from an estimated 25 matches for "execute_no_tran".

Did you mean: execute_no_trans
2019 Aug 06
2
Dovecot replication and userdb "noreplicate".
...replication over SSH I had to add the following module: >> >> module selinux-dovecot-replication-ssh 1.0; >> >> require { >> type ssh_exec_t; >> type ssh_home_t; >> type dovecot_t; >> class file { open read execute execute_no_trans }; >> class dir { getattr search }; >> } >> >> #============= dovecot_t ============== >> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans }; >> allow dovecot_t ssh_home_t:dir { getattr search }; >> allow dovecot_t ssh_home_t:f...
2019 Jun 24
2
Dovecot replication and userdb "noreplicate".
...ed, see https://linux.die.net/man/8/dovecot_selinux > > Aki For replication over SSH I had to add the following module: module selinux-dovecot-replication-ssh 1.0; require { type ssh_exec_t; type ssh_home_t; type dovecot_t; class file { open read execute execute_no_trans }; class dir { getattr search }; } #============= dovecot_t ============== allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans }; allow dovecot_t ssh_home_t:dir { getattr search }; allow dovecot_t ssh_home_t:file { open read }; ssh_exec_t to allow Dovecot to use ssh ex...
2009 Apr 15
2
SELinux and "i_stream_read() failed: Permission denied"
...postfix_pipe_t; type sendmail_t; type sendmail_exec_t; type src_t; type tmp_t; type usr_t; type user_home_dir_t; type user_home_t; type var_log_t; class capability { sys_nice chown }; class file { append create execute execute_no_trans \ getattr ioctl link lock read rename setattr write unlink }; class dir { add_name getattr create read remove_name \ rename write search setattr rmdir }; class fifo_file { getattr write }; class filesystem getattr; class sock_file write;...
2019 Aug 06
0
Dovecot replication and userdb "noreplicate".
...;> >> Aki > > For replication over SSH I had to add the following module: > > module selinux-dovecot-replication-ssh 1.0; > > require { > type ssh_exec_t; > type ssh_home_t; > type dovecot_t; > class file { open read execute execute_no_trans }; > class dir { getattr search }; > } > > #============= dovecot_t ============== > allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans }; > allow dovecot_t ssh_home_t:dir { getattr search }; > allow dovecot_t ssh_home_t:file { open read }; > >...
2015 May 29
2
CentOS 7 selinux policy bug
...te access on the file /usr/bin/bash.#012#012***** <...> May 28 17:02:45 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/uname.#012#012***** <...> May 28 17:02:45 <servername> python: SELinux is preventing /usr/bin/uname from execute_no_trans access on the file /usr/bin/uname.#012#012***** <...> May 28 17:02:47 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/mailx.#012#012***** <...> I did do an ll =Z /usr/bin, and everything looks correct (system_u:object_r:bin_t:s0...
2018 Jun 29
9
v2.3.2 released
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig v2.3.2 is mainly a bugfix release. It contains all the changes in v2.2.36, as well as a bunch of other fixes (mainly for v2.3-only bugs). Binary packages are already in https://repo.dovecot.org/ * old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening
2018 Jun 29
9
v2.3.2 released
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig v2.3.2 is mainly a bugfix release. It contains all the changes in v2.2.36, as well as a bunch of other fixes (mainly for v2.3-only bugs). Binary packages are already in https://repo.dovecot.org/ * old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening
2015 Mar 30
1
Fail2Ban Centos 7 is there a trick to making it work?
On Tue, 2015-03-10 at 14:43 +0100, Andrea Dell'Amico wrote: > > #============= logrotate_t ============== > allow logrotate_t fail2ban_client_exec_t:file { ioctl read execute > execute_no_trans open }; > Looks like this was already fixed in 'selinux-policy'. See https://bugzilla.redhat.com/show_bug.cgi?id=1114821 John. -- John Horne Tel: +44 (0)1752 587287 Plymouth University, UK
2017 Jan 03
2
puppetmaster after updating to 7.3
...ating to 7.3? Looks like a SELinux issue, I couldn't find an existing bug report, but, seems like I shouldn't be the first one to trip on this issue. # grep puppet audit.log | audit2allow #============= puppetmaster_t ============== allow puppetmaster_t puppetagent_exec_t:file { execute execute_no_trans getattr ioctl open read }; selinux-policy-3.13.1-102.el7_3.7.noarch selinux-policy-targeted-3.13.1-102.el7_3.7.noarch puppet-server-3.6.2-3.el7.noarch (from EPEL) puppet-3.6.2-3.el7.noarch (from EPEL)
2007 Jul 19
1
semodule - global requirements not met
...og that is relevant to all the actions that would be denied. - do 'cat audit.log | audit2allow -M amavis' to generate the module - amavis.te looks like: module amavis 1.0; require { class dir { add_name getattr read remove_name search write }; class file { create execute execute_no_trans getattr lock read rename unlink write }; class filesystem getattr; class lnk_file read; type amavis_t; type fs_t; type mqueue_spool_t; type sbin_t; type sendmail_exec_t; type var_lib_t; role system_r; }; allow amavis_t fs_t:f...
2015 Mar 10
2
Fail2Ban Centos 7 is there a trick to making it work?
On Mon, March 9, 2015 13:11, John Plemons wrote: > Been working on fail2ban, and trying to make it work with plain Jane > install of Centos 7 > > Machine is a HP running 2 Quad core Xeons, 16 gig or ram and 1 plus TB > of disk space. Very generic and vanilla. > > Current available epel repo version is fail2ban-0.9.1 > > Looking at the log file, fail2ban starts and stops
2012 Jun 15
1
Puppet + Passenger SELinux issues
...pe getty_t; type postfix_qmgr_t; type ntpd_t; class sock_file { write unlink open }; class capability { sys_resource sys_ptrace }; class process setexec; class dir { write getattr read create search add_name }; class file { execute read create execute_no_trans write open append }; } #============= httpd_t ============== allow httpd_t apmd_t:dir { getattr search }; allow httpd_t apmd_t:file { read open }; allow httpd_t auditd_t:dir { getattr search }; allow httpd_t auditd_t:file { read open }; allow httpd_t crond_t:dir { getattr search }; allow httpd_t...
2015 Mar 10
0
Fail2Ban Centos 7 is there a trick to making it work?
...orking right. This is the policy I add to the CentOS 7 machines: module fail2ban-journal-sepol-new 1.0; require { type fail2ban_client_exec_t; type logrotate_t; type fail2ban_t; type syslogd_var_run_t; class dir read; class file { ioctl read execute execute_no_trans open getattr }; } #============= fail2ban_t ============== #!!!! This avc is allowed in the current policy allow fail2ban_t syslogd_var_run_t:dir read; #!!!! This avc is allowed in the current policy allow fail2ban_t syslogd_var_run_t:file { read getattr open }; #============= logrotate_t ====...
2015 May 29
1
CentOS 7 selinux policy bug
...usr/bin/bash.#012#012***** <...> May 28 17:02:45 <servername> python: > SELinux is preventing /usr/bin/bash from execute access on the file > /usr/bin/uname.#012#012***** <...> May 28 > 17:02:45 <servername> python: SELinux is preventing /usr/bin/uname > from execute_no_trans access on the file /usr/bin/uname.#012#012***** > <...> May 28 17:02:47 <servername> python: SELinux is preventing > /usr/bin/bash from execute access on the file > /usr/bin/mailx.#012#012***** <...> > > I did do an ll =Z /usr/bin, and everything looks correct...
2019 Jun 22
2
Dovecot replication and userdb "noreplicate".
Hello! I finally took the time and spent two days to set up replication for my server and now I have a question or two. I initially set noreplicate userdb field to 1 for all but a test user, but I could still see in the logs that all mailboxes were trying to connect to the other server via SSH. Is that normal? Jun 22 16:55:22 host dovecot: dsync-local(user at host.ee)<>: Error: Remote
2018 Sep 10
1
Type enforcement / mechanism not clear
...d_t -t system_conf_t -p read > allow domain base_ro_file_type:dir { getattr ioctl lock open read search }; > allow domain base_ro_file_type:file { getattr ioctl lock open read }; > allow domain base_ro_file_type:lnk_file { getattr read }; > allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read }; > > > The base_ro_file_types are files executables that we consider part of the OS. So reading them should not reveal secrets. Thanks for the pointer. Puuh, this gets very layered but the big picture on the other side gets more clear So, to get...
2015 Jan 19
2
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
I am seeing these in the log of one of our off-site NX hosts running CentOS-6.6. type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket Was caused by: Missing type enforcement (TE) allow rule. You can use
2009 Oct 04
2
deliver stopped working
...e udev_t; type clamd_t; type mysqld_port_t; type initrc_var_run_t; type var_t; type postfix_qmgr_t; type postfix_pipe_t; type crond_t; class process ptrace; class unix_stream_socket connectto; class tcp_socket { name_bind name_connect }; class file { rename execute read lock create ioctl execute_no_trans write getattr link unlink }; class sock_file { setattr create write getattr unlink }; class lnk_file { read getattr }; class dir { search setattr read create write getattr remove_name add_name }; } #============= clamd_t ============== allow clamd_t proc_t:file { read getattr }; allow clamd_t...
2018 Sep 09
3
Type enforcement / mechanism not clear
Am 09.09.2018 um 14:49 schrieb Daniel Walsh <dwalsh at redhat.com>: > > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file
2015 Jan 19
0
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
...ars that the starting date of these errors corresponds to the day on which we first began to jail SSH attempts on that host. We eventually ended up with a custom policy that looks like this: #============= fail2ban_t ============== allow fail2ban_t ldconfig_exec_t:file { read execute open getattr execute_no_trans }; allow fail2ban_t insmod_exec_t:file { read execute open }; allow fail2ban_t self:capability { net_admin net_raw }; allow fail2ban_t self:rawip_socket { getopt create setopt }; allow fail2ban_t sysctl_kernel_t:dir search; allow fail2ban_t sysctl_modprobe_t:file read; allow system_mail_t inotif...