search for: getsebool

...about 45 seconds per execution to process the existing policy and re-commit to disk. I'd like a simple ability to put an unless in the execution of setsebool, to key off whether its necessary -- to reduce a SELinux puppet run from 250 seconds to about 60. Unfortunately, in the current format, getsebool has defeated me. Would it be possible to have getsebool extended, so something like getsebool -b $variablename would return true or false as the exit code?

On 04/12/2016 02:31 PM, James Hogarth wrote: > For example: > > unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on > &> /dev/null" D'oh! That's what I get for overcomplicating the whole darn thing. :) > > Incidentally one nice trick if you're dealing with potentially changing > multiple booleans and the policy compile time is to e...

...n to process the > existing policy and re-commit to disk. > > I'd like a simple ability to put an unless in the execution of > setsebool, to key off whether its necessary -- to reduce a SELinux > puppet run from 250 seconds to about 60. Unfortunately, in the current > format, getsebool has defeated me. > > Would it be possible to have getsebool extended, so something like > getsebool -b $variablename would return true or false as the exit code? > > I'd start with a feature request upstream, or in Fedora, and then request a backport of that into RHEL after it i...

On Tue, 12 Apr 2016, John Jasen wrote: > On 04/12/2016 02:31 PM, James Hogarth wrote: >> For example: >> >> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on >> &> /dev/null" > > D'oh! That's what I get for overcomplicating the whole darn thing. :) >> >> Incidentally one nice trick if you're dealing with potentially changing >> multiple booleans and the po...

...llow CGI programs to print (using 'lpr -P some-printer some-file.pdf') when lighttpd is being used for a web server? When selinux is permissive, the printer prints; when it?s enforcing, the printer does not print, and I?m getting the log message '/bin/lpr: Permission denied'. 'getsebool -a | grep http' doesn?t show any boolean I could make out to be responsible for this. Any idea what I need to do/change to allow printing without disabling selinux?

...ssume so. As a test you could try turning this off and see if your problem goes away. setenforce 0 If SELinux is the issue then I strongly advice that you use existing SELinux Booleans or create your own local policy rather than turning SELinux off, or leaving your system in permissive mode. # getsebool -a | grep chroot ssh_chroot_full_access --> off ssh_chroot_manage_apache_content --> off ssh_chroot_rw_homedirs --> off https://wiki.centos.org/HowTos/SELinux may also help. If it is SELinux related I would also look at installing setroubleshoot and setroubleshoot-server. I hope this h...

...ntext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket Was caused by: The boolean allow_ypbind was set incorrectly. Description: Allow system to run with NIS Allow access by executing: # setsebool -P allow_ypbind 1 The weirdness is that when I check allow_ypbind, it?s already on: # getsebool allow_ypbind allow_ypbind --> on # Does anyone with more experience with SELinux than me have any idea why this is happening? --- Mike VanHorn Senior Computer Systems Administrator College of Engineering and Computer Science Wright State University 265 Russ Engineering Center 937-775-5157 mic...

Dear All, Currently i have using CentOS4.4 and Kernel Version is 2.6.9-42.EL. I have disabled selinux on kickstart installation and command is *selinux --disabled * Can any one help me or guide me to 1. Enable the selinux 2. Selinux Customize my own policy Regards -S.Balaji

...e=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include system-auth account include system-auth session include system-auth session required pam_loginuid.so # grep local /etc/vsftpd/vsftpd.conf local_enable=YES local_umask=022 chroot_local_user=YES # getsebool -a | grep ftp allow_ftpd_anon_write --> off allow_ftpd_full_access --> off allow_ftpd_use_cifs --> off allow_ftpd_use_nfs --> off allow_tftp_anon_write --> off ftp_home_dir --> on ftpd_disable_trans --> off ftpd_is_daemon --> on httpd_enable_ftp_server --> off tftpd_disab...

...df') when >> lighttpd is being used for a web server? >> >> When selinux is permissive, the printer prints; when it?s enforcing, >> the printer >> does not print, and I?m getting the log message '/bin/lpr: Permission >> denied'. >> >> 'getsebool -a | grep http' doesn?t show any boolean I could make out >> to be responsible >> for this. >> >> Any idea what I need to do/change to allow printing without disabling >> selinux? >> _______________________________________________ >> CentOS mailing list...

...Yeah, ssh -Y can be such fun with a headless system. _______________________________________________ CentOS mailing list CentOS at centos.org https://lists.centos.org/mailman/listinfo/centos Sorry, I?m a bit late to this thread so I don?t know if anyone has mentioned this already. What does $ getsebool httpd_enable_homedirs tell you. If it says ?off? you probably want to do $ setsebool -P httpd_enable_homedirs on Greg

...system. > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos > > Sorry, I?m a bit late to this thread so I don?t know if anyone has mentioned this already. What does > > $ getsebool httpd_enable_homedirs > > # getsebool httpd_enable_homedirs httpd_enable_homedirs --> on This was mentioned earlier. One thing I did not mention was when I ran the set command, I also got back the following which I have gotten on all selunix changes: # setsebool -P httpd_enable_homedi...

...39; included for syslog logging dracut module 'dmsquash-live' depends on 'img-lib', which can't be installed dracut module 'dmsquash-live' cannot be found or installed. mkinitrd failed warning: %posttrans(kernel-core-4.0.4-301.fc22.i686) scriptlet failed, exit status 1 getsebool: SELinux is disabled success The .iso builds however the boot menu just returns to itself and I never get to the p2v menu. What am I doing incorrectly to build the ISO? Thanks , Marty

I lost my harddrive on my little personal webserver that only serves some private files from my userdir. So I am trying to build this from notes on a new Centos7.3 installation (well really Centos7.3-arm, but supposedly same sources). Right now the server is running on a test subnet, not the production, but I have set up the hostname and my standard httpd edits. I have enabled userdir and

...tl enable smb.service Failed to execute operation: Access denied [root at centos-gig ~]# setenforce 0 [root at centos-gig ~]# systemctl enable smb.service Failed to execute operation: No such file or directory Have tried things like : chcon -t samba_share_t /home/amckay Also took the output from: getsebool -a | grep samba and set all them to "on" Stripped my config down to the most basic. What am I missing? # Global parameters [global] netbios name = centos security = USER idmap config * : backend = tdb [homes] comment = Home Directories browseable = No inherit acls = Yes read only =...

At work I'm used to tools like eTrust Access Control (aka SEOS). eTrust takes away the ability to manage the eTrust config from root and puts it in the hands of "security admin". So there's a good separation of duties; security admin control the security ruleset, but are limited by the OS permissions (so even if they granted themselves permission to modify /etc/shadow, the

...system. > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos > > Sorry, I?m a bit late to this thread so I don?t know if anyone has mentioned this already. What does > > $ getsebool httpd_enable_homedirs > > # getsebool httpd_enable_homedirs httpd_enable_homedirs --> on This was mentioned earlier. One thing I did not mention was when I ran the set command, I also got back the following which I have gotten on all selunix changes: # setsebool -P httpd_enable_homedi...

Hello, I configured libvirtd with the sanlock lock manager plugin: # rpm -qa | egrep "libvirt-0|sanlock-[01]" libvirt-lock-sanlock-0.9.4-23.el6_2.4.x86_64 sanlock-1.8-2.el6.x86_64 libvirt-0.9.4-23.el6_2.4.x86_64 # egrep -v "^#|^$" /etc/libvirt/qemu-sanlock.conf auto_disk_leases = 1 disk_lease_dir = "/var/lib/libvirt/sanlock" host_id = 4 # mount | grep sanlock

.../www.postfix.org Summary : Postfix Mail Transport Agent Description : Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS Re: SELinux. Do I just build a local policy or is there some boolean setting needed to handle this? I could not find one if there is but. . . getsebool -a | grep postfix allow_postfix_local_write_mail_spool --> on -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241...

I can remove the /var/locl/subsys/winbindd file to clear the subsys locked message but this does not chnage the winbind crash problem. I originally noticed this problem on 20a and thought that 20b had a fix for the winbind crash. Any clues? I am running RH ES 4.0 64 bit with samba packages downlaoded from enterprisesamba.com. PC