search for: httpd_sys_script_t

Hello, I'm using the targeted policy. PHP's mail() function fails because of selinux. audit(1149662369.454:2): avc: denied { setgid } for pid=18085 comm="sendmail" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability When i turn to permisive mode: audit(1149668677.105:12): avc: denied { setuid } for pid=29159 comm="sendmail" capability=7 scontext=root:system_r:ht tpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability...

...t=EPERM(Operation not permitted) a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=sendmail exe=/usr/sbin/exim subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied { setgid } for pid=19418 comm=sendmail capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability type=SYSCALL msg=audit(09/15/2017 12:12:14.5...

...5432? Is your database installed and up and running? Do you have the correct username and password selected in localconfig? And there is an AVC denial as well: type=AVC msg=audit(1225832104.970:405): avc: denied { connect } for pid=30831 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket Here is the module I added: module local 1.0; require { type httpd_sys_script_t; class tcp_socket setopt; } #============= httpd_sys_script_t ============== allow httpd_sys_script_t self:tcp_socket setopt; [roo...

Hello, I am trying to create a custom policy, but with no succes : $ cat <<EOF> foo.te module local 1.0; require { type httpd_sys_script_exec_t; type httpd_sys_script_t; class lnk_file read; } #============= httpd_sys_script_t ============== allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read; EOF $ checkmodule -M -m -o foo.mod foo.te checkmodule: loading policy configuration from foo.te checkmodule: policy configuration loaded checkmodule:...

...t=EPERM(Operation not permitted) a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=sendmail exe=/usr/sbin/exim subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) >> type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied { setgid } for pid=19418 comm=sendmail capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability >> >> type=SYSCALL msg=au...

...d) > a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 > pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root > fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) > ses=unset comm=sendmail exe=/usr/sbin/exim > subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) > type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied { > setgid } for pid=19418 comm=sendmail capability=setgid > scontext=system_u:system_r:httpd_sys_script_t:s0 > tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability > > type=SYSCALL...

...course tcp sockets, so why would it say udp? The only time one of my cgi scripts might use udp would be if it were doing a hostname lookup via dns, but the index.cgi script doesn't do that at any point. What would the pros do at this point? *** Summary: SELinux is preventing index.cgi (httpd_sys_script_t) "read write" to socket (httpd_t). Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by index.cgi. It is not expected that this access is required by index.cgi and this a...

...don't have access to a CentOS 6.10 system handy, but it looks like a policy issue. If I take you're ausearch output and pipe it to audit2allow on my CentOS 7.6 system, I get the following: #============= httpd_t ============== #!!!! This avc is allowed in the current policy allow httpd_t httpd_sys_script_t:process signull; Noting that on my 7.6 system with selinux enforcing with selinux policy packages at version 3.13.1-229, it notes that your denial would not happen. If you don't have it installed policycoreutils-python provides the audit2allow and audit2why binaries which can help you generat...

On 09/20/2017 07:19 AM, hw wrote: > hw wrote: >> >> Hi, >> >> how do I allow CGI programs to print (using 'lpr -P some-printer >> some-file.pdf') when >> lighttpd is being used for a web server? >> >> When selinux is permissive, the printer prints; when it?s enforcing, >> the printer >> does not print, and I?m getting the log

...base/html/imagetemp(/.*)? system_u:object_r:http_image_temp_t /var/www/sheep/html/imagetemp(/.*)? system_u:object_r:http_image_temp_t And my local.te contains (selected portions only for now): module local 1.1; require { ... <various normal requires> ... } type blast_req_t,file_type; allow httpd_sys_script_t blast_req_t:file { create getattr write}; allow httpd_sys_script_t blast_req_t:dir { read getattr lock search ioctl add_name write }; ...etc So, looks like I need to do something else, possibly in my local.fc. However, my google-fu is not strong enough to find any actual examples of successful cus...

Hi all, I'm trying to get Cacti installed on my CentOS 4.3 x86_64 box. I've got all of required packages installed, and created database file, and followed all the instructions in install manual. However, when I get login screen and use admin for username/password, it simply redirects me straight back to login screen. Looking at user_log table, the authentication was

...s=4294967295 comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1547733474.941:28): avc: denied { signull } for pid=1439 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process I see a lot of such entries but I don't see any service misbehaviour. All scripts are running fine. Any hints how to classify this AVC; "Denied Signull"? -- LF

...is more or less a quarantine site for Rails apps. I am suspicious that Passenger is the cause because I see these reports as well: type=AVC msg=audit(1338217386.027:1839): avc: denied { read } for pid=4612 comm="ps" name="stat" dev=proc ino=11982 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. I wonder if Passenger is tracking system processes via ps to mana...