search for: httpd_t

Displaying 20 results from an estimated 75 matches for "httpd_t".

2012 Jun 15
1
Puppet + Passenger SELinux issues
...und some documentation on making rules to allow it however mine won't load. This is the policy I found via this website, http://sandcat.nl/~stijn/2012/01/20/selinux-passenger-and-puppet-oh-my/comment-page-1/ . module puppet_passenger 1.7; require { type bin_t; type devpts_t; type httpd_t; type passenger_t; type port_t; type proc_net_t; class process { getattr siginh setexec sigchld noatsecure transition rlimitinh }; class unix_stream_socket { getattr accept read write }; class capability { sys_resource sys_ptrace }; class file { entrypoint open create r...
2009 Oct 04
2
deliver stopped working
...ll of the errors in the audit log: module local_postfix 1.0; require { type postfix_etc_t; type home_root_t; type apmd_t; type setrans_t; type port_t; type etc_mail_t; type snmpd_t; type tmp_t; type dovecot_deliver_t; type postfix_smtp_t; type nfs_t; type var_run_t; type usr_t; type httpd_t; type audisp_t; type postfix_cleanup_t; type inetd_t; type portmap_t; type postfix_pickup_t; type hald_t; type getty_t; type avahi_t; type etc_t; type sysctl_kernel_t; type unconfined_t; type init_t; type auditd_t; type lib_t; type dovecot_auth_t; type syslogd_t; type hostname_exec...
2018 Sep 09
1
Type enforcement / mechanism not clear
On 09/09/2018 07:19 AM, Daniel Walsh wrote: > sesearch -A -s httpd_t -t system_conf_t -p read > > If you feel that these files should not be part of the base_ro_files > then we should open that for discussion. I think the question was how users would know that the policy allowed access, as he was printing rules affecting httpd_t's file read access,...
2015 Apr 01
1
SEmodule dependency hell.
...pe/attribute httpd_log_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed! semodule -r awstats semodule -r apache libsepol.print_missing_requirements: bugzilla's global requirements were not met: type/attribute httpd_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed! semodule -r bugzilla semodule -r apache libsepol.print_missing_requirements: cobbler's global requirements were not met: type/attribute httpd_t (No such file or...
2018 Sep 09
3
Type enforcement / mechanism not clear
On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote: > > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t >> <no output> >> >> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf >> -rw-r--r--. root root system_u:object_r:syslog_conf_...
2012 Feb 16
3
Baffled by selinux
...e suggestion, setsebool -P use_nfs_home_dirs=1. But I still can't start httpd. Not sure what to make of the audit log: type=AVC msg=audit(1329395502.678:61926): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370 a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty...
2012 Jan 11
2
SELinux blocking cgi script from "writing to socket (httpd_t)"
...really supposed to get easier over time? :) Now my audit.log file shows that SELinux is blocking my cgi script, index.cgi (which is what's actually served when the user visits the front page of one of our proxy sites like sugarsurfer.com) from having '"read write" to socket (httpd_t)'. I have no idea what that means, except that I thought that cgi scripts were supposed to be able to write to stdout so that the web server could send the data via a socket connection to the end user's browser, so I don't know why a CGI script would be blocked from writing to a so...
2011 Jun 02
2
How to set selinux policy "allow httpd_t unconfined_t:shm { unix_read unix_write }; " using an seboolean? (How to get a new seboolean?)
Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled, and audit.log / audit2allow tell me I need to add the local policy: #============= httpd_t ============== allow httpd_t unconfined_t:shm { unix_read unix_write }; which I think will allow the httpd access to read and write from shared memory? Is that right? What are the risks involved in opening this? I notice it is denied by the default policy. To simplify configuration management,...
2019 Jan 30
2
SELinux policy vs. static web content
Hi, Some time ago I wrote an introductory article about SELinux on my blog. I'm currently updating it for my new blog, and I found a curious change in SELinux policy. Here goes. For demonstration purposes, I'm using some static webpages, more exactly the default pages found in /usr/share/httpd/noindex, which I simply copied over to /var/www/html. As a first practical example, I'm
2018 Sep 09
2
Type enforcement / mechanism not clear
Any SElinux expert here - briefly: # getenforce Enforcing # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t <no output> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t <no output> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf -rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf -rw-r--r--. root root system_u:object_r...
2017 Sep 23
2
more selinux problems ...
...required. Write access may be required later. type=AVC msg=audit(1506168999.456:2350): avc: denied { getattr } for pid=28956 comm="lighttpd" path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1506168999.456:2350): arch=c000003e syscall=4 success=yes exit=0 a0=55eea817ec80 a1=7ffe668ef300 a2=7ffe668ef300 a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996...
2018 Sep 10
1
Type enforcement / mechanism not clear
...schrieb Daniel Walsh <dwalsh at redhat.com>: >>> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >>>> Any SElinux expert here - briefly: >>>> >>>> # getenforce >>>> Enforcing >>>> >>>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >>>> <no output> >>>> >>>> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t >>>> <no output> >>>> >>>> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf >>>&...
2018 Aug 21
5
selinux question
...ke python scripts as the user under which the application runs (NO root access). Is there any reason why sudo would require sys_ptrace access for this? I only get this violation intermittently, and not with every call to sudo. Here's the violation: Summary: SELinux is preventing sudo (httpd_t) "sys_ptrace" to <Unknown> (httpd_t). Detailed Description: SELinux denied access requested by sudo. It is not expected that this access is required by sudo and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the appli...
2008 Jul 24
1
selinux & httpd & portmap
...file: targeted I can #setsebool -P httpd_disable_trans on and httpd starts - but there's zero enforcing now as I understand it. Further digging & I get to: # cat /var/log/audit/audit.log | audit2allow -m local module local 1.0; require { type portmap_t; type httpd_t; type file_t; class lnk_file read; class file { getattr read execute }; } #============= httpd_t ============== allow httpd_t file_t:file { read getattr execute }; allow httpd_t file_t:lnk_file read; #============= portmap_t ============== allow portmap_t file_t:file {...
2014 Oct 25
1
Centos 6.5 - Fping - SE Linux - Missing type enforcement (TE) allow rule
...eems to be causing issues when the httpd process is attempting to use Fping? Here is what I know so far : Output from "audit2why -a" : --------------- type=AVC msg=audit(1414265994.125:6744): avc: denied { create } for pid=8968 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. --------------- Which does seem to confirm that something is wrong between httpd and fping. I then ran "audit2al...
2019 Jan 18
1
SElinux AVC signull
Hi Leon, I don't have access to a CentOS 6.10 system handy, but it looks like a policy issue. If I take your ausearch output and pipe it to audit2allow on my CentOS 7.6 system, I get the following: #============= httpd_t ============== #!!!! This avc is allowed in the current policy allow httpd_t httpd_sys_script_t:process signull; Noting that on my 7.6 system with selinux enforcing with selinux policy packages at version 3.13.1-229, it notes that your denial would not happen. If you don't have it installed...
2011 Nov 01
1
SELinux and SETroubleshootd woes in CR
...og/secure -------------------- Nov 1 15:06:58 host httpd: PAM audit_open() failed: Permission denied This is the entry from the audit log... ---------------- type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty...
2011 Jan 14
1
httpd and selinux
Hello, Running httpd-2.2.3-43.el5.centos.3 on CentOS release 5.5 (Final), I have : $ ps -Ze LABEL PID TTY TIME CMD user_u:system_r:httpd_t 12833 ? 00:00:00 httpd Is it normal for httpd to have this context (user_u:system_r:httpd_t) ? I was expecting system_u:system_r:httpd_t. And if it is not normal, is it because I have restarted httpd by hand (service httpd restart), or because I have broken something in my configur...
2018 Sep 09
0
Type enforcement / mechanism not clear
...: > On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote: >> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >>> Any SElinux expert here - briefly: >>> >>> # getenforce >>> Enforcing >>> >>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >>> <no output> >>> >>> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t >>> <no output> >>> >>> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf >>> -rw-r--r--. root root syst...
2008 Aug 01
2
BackupPC 3.1.0 on CentOS 5.2 triggers SE Linux denial
...from Testing repository, to Cent OS 5.2 x86_64, and I am hitting an SE Linux denial - the httpd cannot talk to the BackupPC socket: type=AVC msg=audit(07/31/2008 17:18:53.623:410) : avc: denied { connectto } for pid=11767 comm=httpd path=/var/log/BackupPC/BackupPC.sock scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=unix_stream_socket type=AVC msg=audit(07/31/2008 17:18:53.623:410) : avc: denied { write } for pid=11767 comm=httpd name=BackupPC.sock dev=md0 ino=39813253 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=sock_file...