search for: execute_no_trans

Displaying 20 results from an estimated 25 matches for "execute_no_trans".

2019 Aug 06
2
Dovecot replication and userdb "noreplicate".
...replication over SSH I had to add the following module: >> >> module selinux-dovecot-replication-ssh 1.0; >> >> require { >> type ssh_exec_t; >> type ssh_home_t; >> type dovecot_t; >> class file { open read execute execute_no_trans }; >> class dir { getattr search }; >> } >> >> #============= dovecot_t ============== >> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans }; >> allow dovecot_t ssh_home_t:dir { getattr search }; >> allow dovecot_t ssh_home_t:fi...
2019 Jun 24
2
Dovecot replication and userdb "noreplicate".
...ed, see https://linux.die.net/man/8/dovecot_selinux > > Aki For replication over SSH I had to add the following module: module selinux-dovecot-replication-ssh 1.0; require { type ssh_exec_t; type ssh_home_t; type dovecot_t; class file { open read execute execute_no_trans }; class dir { getattr search }; } #============= dovecot_t ============== allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans }; allow dovecot_t ssh_home_t:dir { getattr search }; allow dovecot_t ssh_home_t:file { open read }; ssh_exec_t to allow Dovecot to use ssh exe...
2009 Apr 15
2
SELinux and "i_stream_read() failed: Permission denied"
...postfix_pipe_t; type sendmail_t; type sendmail_exec_t; type src_t; type tmp_t; type usr_t; type user_home_dir_t; type user_home_t; type var_log_t; class capability { sys_nice chown }; class file { append create execute execute_no_trans \ getattr ioctl link lock read rename setattr write unlink }; class dir { add_name getattr create read remove_name \ rename write search setattr rmdir }; class fifo_file { getattr write }; class filesystem getattr; class sock_file write; c...
2019 Aug 06
0
Dovecot replication and userdb "noreplicate".
...;> >> Aki > > For replication over SSH I had to add the following module: > > module selinux-dovecot-replication-ssh 1.0; > > require { > type ssh_exec_t; > type ssh_home_t; > type dovecot_t; > class file { open read execute execute_no_trans }; > class dir { getattr search }; > } > > #============= dovecot_t ============== > allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans }; > allow dovecot_t ssh_home_t:dir { getattr search }; > allow dovecot_t ssh_home_t:file { open read }; > >...
2015 May 29
2
CentOS 7 selinux policy bug
...te access on the file /usr/bin/bash.#012#012***** <...> May 28 17:02:45 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/uname.#012#012***** <...> May 28 17:02:45 <servername> python: SELinux is preventing /usr/bin/uname from execute_no_trans access on the file /usr/bin/uname.#012#012***** <...> May 28 17:02:47 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/mailx.#012#012***** <...> I did do an ll =Z /usr/bin, and everything looks correct (system_u:object_r:bin_t:s0)...
2018 Jun 29
9
v2.3.2 released
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig v2.3.2 is mainly a bugfix release. It contains all the changes in v2.2.36, as well as a bunch of other fixes (mainly for v2.3-only bugs). Binary packages are already in https://repo.dovecot.org/ * old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening
2015 Mar 30
1
Fail2Ban Centos 7 is there a trick to making it work?
On Tue, 2015-03-10 at 14:43 +0100, Andrea Dell'Amico wrote: > > #============= logrotate_t ============== > allow logrotate_t fail2ban_client_exec_t:file { ioctl read execute execute_no_trans open }; > Looks like this was already fixed in 'selinux-policy'. See https://bugzilla.redhat.com/show_bug.cgi?id=1114821 John. -- John Horne Tel: +44 (0)1752 587287 Plymouth University, UK
2017 Jan 03
2
puppetmaster after updating to 7.3
...ating to 7.3? Looks like a SELinux issue, I couldn't find an existing bug report, but, seems like I shouldn't be the first one to trip on this issue. # grep puppet audit.log | audit2allow #============= puppetmaster_t ============== allow puppetmaster_t puppetagent_exec_t:file { execute execute_no_trans getattr ioctl open read }; selinux-policy-3.13.1-102.el7_3.7.noarch selinux-policy-targeted-3.13.1-102.el7_3.7.noarch puppet-server-3.6.2-3.el7.noarch (from EPEL) puppet-3.6.2-3.el7.noarch (from EPEL)
2007 Jul 19
1
semodule - global requirements not met
...og that is relevant to all the actions that would be denied. - do 'cat audit.log | audit2allow -M amavis' to generate the module - amavis.te looks like: module amavis 1.0; require { class dir { add_name getattr read remove_name search write }; class file { create execute execute_no_trans getattr lock read rename unlink write }; class filesystem getattr; class lnk_file read; type amavis_t; type fs_t; type mqueue_spool_t; type sbin_t; type sendmail_exec_t; type var_lib_t; role system_r; }; allow amavis_t fs_t:fi...
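Several of the posts above follow the same recipe: collect the AVC denials, feed them to audit2allow, and load the resulting module (the Dovecot-over-SSH module, the `grep puppet audit.log | audit2allow` one-liner, the amavis `audit2allow -M` step). The script below is an added example, not code from any of these posts or from the audit2allow project: it reproduces the core of what audit2allow does with plain awk so the grouping of denials into `allow` rules and the `require` block can be seen, and then flags every rule that grants `execute_no_trans`, since such a rule runs the target binary inside the source domain with no domain transition, so the program inherits everything the caller's domain is allowed to do. The function names `avc_to_te` and `review_no_trans` are mine; the AVC lines are constructed for the example (the type names come from the posts, and the last line is modelled on the fail2ban `rawip_socket` denial quoted in the CentOS-6.6 thread).

```shell
#!/bin/sh
# Added example (not from the posts above, not audit2allow itself): build a .te
# module from AVC denials and flag execute_no_trans rules for review.

# Constructed audit.log lines for the example; type names follow the posts above.
SAMPLE_AVC='type=AVC msg=audit(1561218922.101:4001): avc:  denied  { execute_no_trans } for  pid=2211 comm="doveadm" path="/usr/bin/ssh" dev="dm-0" ino=131 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561218922.101:4002): avc:  denied  { read open execute } for  pid=2211 comm="doveadm" path="/usr/bin/ssh" dev="dm-0" ino=131 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561218922.250:4003): avc:  denied  { search } for  pid=2212 comm="ssh" name=".ssh" dev="dm-0" ino=900 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1421683972.786:4372): avc:  denied  { create } for  pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket permissive=0'

# avc_to_te MODULE_NAME < audit.log
#   Emits a .te module: header, a require block listing every type and class/permission
#   used, then one allow rule per (source type, target type, class) with duplicate
#   permissions collapsed. A target equal to the source is written as "self".
avc_to_te() {
  awk -v modname="$1" '
    function isort(arr, n,    i, j, tmp) {           # insertion sort: portable awk has no asort()
      for (i = 2; i <= n; i++) {
        tmp = arr[i]; j = i - 1
        while (j > 0 && arr[j] > tmp) { arr[j + 1] = arr[j]; j-- }
        arr[j + 1] = tmp
      }
    }
    function permset(s,    n) {                      # "read" stays bare, "read open" gets braces
      n = split(s, tmp_, " ")
      return (n > 1) ? "{ " s " }" : s
    }
    /avc: +denied/ {
      if (!match($0, /[{][^}]*[}]/)) next             # permission list sits between the braces
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {                    # context is user:role:type[:range]; field 3 is the type
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      types[src] = 1; types[tgt] = 1
      key = src SUBSEP tgt SUBSEP cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) {
        if (p[j] == "" || (key, p[j]) in seen) continue
        seen[key, p[j]] = 1
        rules[key] = (rules[key] == "") ? p[j] : rules[key] " " p[j]
        if (!((cls, p[j]) in cseen)) {
          cseen[cls, p[j]] = 1
          cperms[cls] = (cperms[cls] == "") ? p[j] : cperms[cls] " " p[j]
        }
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", modname
      nt = 0; for (t in types) tl[++nt] = t
      isort(tl, nt)
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tl[i]
      nc = 0; for (c in cperms) cl[++nc] = c
      isort(cl, nc)
      for (i = 1; i <= nc; i++) printf "\tclass %s %s;\n", cl[i], permset(cperms[cl[i]])
      print "}\n"
      nk = 0; for (k in rules) kl[++nk] = k
      isort(kl, nk)
      for (i = 1; i <= nk; i++) {
        split(kl[i], f, SUBSEP)
        printf "allow %s %s:%s %s;\n", f[1], (f[1] == f[2] ? "self" : f[2]), f[3], permset(rules[kl[i]])
      }
    }'
}

# review_no_trans < module.te
#   Prints every allow rule granting execute_no_trans. execve() checks file:execute on the
#   binary; when the process does not transition to another domain it additionally needs
#   file:execute_no_trans, so each such rule means "run this program with all of the source
#   domain's permissions" rather than in the program's own confined domain.
review_no_trans() {
  grep -E '^allow .*execute_no_trans' | while IFS= read -r line; do
    printf 'REVIEW (no domain transition): %s\n' "$line"
  done
}

TE="$(printf '%s\n' "$SAMPLE_AVC" | avc_to_te selinux-dovecot-replication-ssh)"
printf '%s\n' "$TE"
printf '%s\n' "$TE" | review_no_trans
```

On a real host the input is `grep avc /var/log/audit/audit.log` and the output goes through `checkmodule -M -m -o mod.mod mod.te`, `semodule_package -o mod.pp -m mod.mod` and `semodule -i mod.pp`, the same steps `audit2allow -M` runs for you. The review step is the part audit2allow does not do: for a flagged rule such as `allow dovecot_t ssh_exec_t:file { ... execute_no_trans }`, ssh will run as `dovecot_t`, so check first whether the policy already provides a transition to a confined domain for that executable and prefer it when it exists.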
2015 Mar 10
2
Fail2Ban Centos 7 is there a trick to making it work?
On Mon, March 9, 2015 13:11, John Plemons wrote: > Been working on fail2ban, and trying to make it work with plain Jane > install of Centos 7 > > Machine is a HP running 2 Quad core Xeons, 16 gig of ram and 1 plus TB > of disk space. Very generic and vanilla. > > Current available epel repo version is fail2ban-0.9.1 > > Looking at the log file, fail2ban starts and stops
2012 Jun 15
1
Puppet + Passenger SELinux issues
...pe getty_t; type postfix_qmgr_t; type ntpd_t; class sock_file { write unlink open }; class capability { sys_resource sys_ptrace }; class process setexec; class dir { write getattr read create search add_name }; class file { execute read create execute_no_trans write open append }; } #============= httpd_t ============== allow httpd_t apmd_t:dir { getattr search }; allow httpd_t apmd_t:file { read open }; allow httpd_t auditd_t:dir { getattr search }; allow httpd_t auditd_t:file { read open }; allow httpd_t crond_t:dir { getattr search }; allow httpd_t c...
2015 Mar 10
0
Fail2Ban Centos 7 is there a trick to making it work?
...orking right. This is the policy I add to the CentOS 7 machines: module fail2ban-journal-sepol-new 1.0; require { type fail2ban_client_exec_t; type logrotate_t; type fail2ban_t; type syslogd_var_run_t; class dir read; class file { ioctl read execute execute_no_trans open getattr }; } #============= fail2ban_t ============== #!!!! This avc is allowed in the current policy allow fail2ban_t syslogd_var_run_t:dir read; #!!!! This avc is allowed in the current policy allow fail2ban_t syslogd_var_run_t:file { read getattr open }; #============= logrotate_t =====...
2015 May 29
1
CentOS 7 selinux policy bug
...usr/bin/bash.#012#012***** <...> May 28 17:02:45 <servername> python: > SELinux is preventing /usr/bin/bash from execute access on the file > /usr/bin/uname.#012#012***** <...> May 28 > 17:02:45 <servername> python: SELinux is preventing /usr/bin/uname > from execute_no_trans access on the file /usr/bin/uname.#012#012***** > <...> May 28 17:02:47 <servername> python: SELinux is preventing > /usr/bin/bash from execute access on the file > /usr/bin/mailx.#012#012***** <...> > > I did do an ll =Z /usr/bin, and everything looks correct...
2019 Jun 22
2
Dovecot replication and userdb "noreplicate".
Hello! I finally took the time and spent two days to set up replication for my server and now I have a question or two. I initially set noreplicate userdb field to 1 for all but a test user, but I could still see in the logs that all mailboxes were trying to connect to the other server via SSH. Is that normal? Jun 22 16:55:22 host dovecot: dsync-local(user at host.ee)<>: Error: Remote
2018 Sep 10
1
Type enforcement / mechanism not clear
...d_t -t system_conf_t -p read > allow domain base_ro_file_type:dir { getattr ioctl lock open read search }; > allow domain base_ro_file_type:file { getattr ioctl lock open read }; > allow domain base_ro_file_type:lnk_file { getattr read }; > allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read }; > > > The base_ro_file_types are executable files that we consider part of the OS. So reading them should not reveal secrets. Thanks for the pointer. Phew, this gets very layered, but the big picture on the other side gets clearer. So, to get...
2015 Jan 19
2
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
I am seeing these in the log of one of our off-site NX hosts running CentOS-6.6. type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket Was caused by: Missing type enforcement (TE) allow rule. You can use
2009 Oct 04
2
deliver stopped working
...e udev_t; type clamd_t; type mysqld_port_t; type initrc_var_run_t; type var_t; type postfix_qmgr_t; type postfix_pipe_t; type crond_t; class process ptrace; class unix_stream_socket connectto; class tcp_socket { name_bind name_connect }; class file { rename execute read lock create ioctl execute_no_trans write getattr link unlink }; class sock_file { setattr create write getattr unlink }; class lnk_file { read getattr }; class dir { search setattr read create write getattr remove_name add_name }; } #============= clamd_t ============== allow clamd_t proc_t:file { read getattr }; allow clamd_t s...
2018 Sep 09
3
Type enforcement / mechanism not clear
On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote: > > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file
2015 Jan 19
0
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
...ars that the starting date of these errors corresponds to the day on which we first began to jail SSH attempts on that host. We eventually ended up with a custom policy that looks like this: #============= fail2ban_t ============== allow fail2ban_t ldconfig_exec_t:file { read execute open getattr execute_no_trans }; allow fail2ban_t insmod_exec_t:file { read execute open }; allow fail2ban_t self:capability { net_admin net_raw }; allow fail2ban_t self:rawip_socket { getopt create setopt }; allow fail2ban_t sysctl_kernel_t:dir search; allow fail2ban_t sysctl_modprobe_t:file read; allow system_mail_t inotify...