Displaying 20 results from an estimated 29 matches for "lnk_file".
2006 Nov 17
1
Problem with SELinux and syslogd
...logger: [ OK ]
and in dmesg CentOS reports to me that:
audit(1163775960.711:5): avc: denied { read } for pid=4325
comm="syslogd" name="libc.so.6" dev=dm-0 ino=4562290
scontext=root:system_r:syslogd_t tcontext=system_u:object_r:file_t
tclass=lnk_file
audit(1163775960.711:6): avc: denied { read } for pid=4325
comm="syslogd" name="libc.so.6" dev=dm-0 ino=4562290
scontext=root:system_r:syslogd_t tcontext=system_u:object_r:file_t
tclass=lnk_file
audit(1163775960.711:7): avc: denied { read } for pid=4325
comm="syslogd&...
2008 Jul 24
1
selinux & httpd & portmap
...ttpd_disable_trans on
and httpd starts - but there's zero enforcing now as I understand it.
Further digging & I get to:
# cat /var/log/audit/audit.log | audit2allow -m local
module local 1.0;
require {
type portmap_t;
type httpd_t;
type file_t;
class lnk_file read;
class file { getattr read execute };
}
#============= httpd_t ==============
allow httpd_t file_t:file { read getattr execute };
allow httpd_t file_t:lnk_file read;
#============= portmap_t ==============
allow portmap_t file_t:file { read getattr execute };
allow portmap_t file_t:...
2011 Jan 17
1
SELinux : semodule_package, magic number does not match
Hello,
I am trying to create a custom policy, but with no success:
$ cat <<EOF> foo.te
module local 1.0;
require {
type httpd_sys_script_exec_t;
type httpd_sys_script_t;
class lnk_file read;
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
EOF
$ checkmodule -M -m -o foo.mod foo.te
checkmodule: loading policy configuration from foo.te
checkmodule: policy configuration loaded
checkmodule: writing binary represen...
2008 Mar 03
1
Unable to open raw socket in CentOS 5 - SELinux and kernel capability interaction?
...cy
# these two didn't help
#corenet_raw_sendrecv_all_if( rawsox_t );
#corenet_raw_sendrecv_all_nodes( rawsox_t );
require {
type lib_t;
type ld_so_t;
type ld_so_cache_t;
type usr_t;
type devpts_t;
type rawsox_t;
type etc_t;
class lnk_file read;
class dir search;
class file { read getattr execute };
class chr_file { read write getattr };
class rawip_socket create;
class capability net_raw;
}
#============= rawsox_t ==============
allow rawsox_t devpts_t:chr_file { read write getattr };
allow rawsox_t...
2008 Aug 26
3
Amavisd Howto
...type amavis_var_lib_t;
type sysctl_kernel_t;
type var_t;
type postfix_smtpd_t;
type initrc_t;
type proc_t;
class unix_stream_socket connectto;
class file { read getattr };
class sock_file write;
class lnk_file { read create unlink getattr };
class udp_socket name_bind;
class dir { read search };
}
#============= amavis_t ==============
allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr };
allow amavis_t traceroute_port_t:udp_socket name_bind;
#============= clamd_...
2014 Dec 05
2
Postfix avc (SELinux)
...> #============= clamscan_t ==============
> allow clamscan_t amavis_spool_t:dir read;
In the latest rhel6 policies amavis_t and clamscan_t have been merged
into antivirus_t? Is your selinux-policy up to date?
> #============= logwatch_mail_t ==============
> allow logwatch_mail_t usr_t:lnk_file read;
>
> #============= postfix_master_t ==============
> allow postfix_master_t tmp_t:dir read;
>
> #============= postfix_postdrop_t ==============
> allow postfix_postdrop_t tmp_t:dir read;
>
> #============= postfix_showq_t ==============
> allow postfix_showq_t tmp_...
2018 Sep 10
1
Type enforcement / mechanism not clear
...ll of what we define as base_ro_file_type types.
>
> sesearch -A -s httpd_t -t system_conf_t -p read
> allow domain base_ro_file_type:dir { getattr ioctl lock open read search };
> allow domain base_ro_file_type:file { getattr ioctl lock open read };
> allow domain base_ro_file_type:lnk_file { getattr read };
> allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read };
>
>
> The base_ro_file_types are files executables that we consider part of the OS. So reading them should not reveal secrets.
Thanks for the pointer. Puuh, th...
2006 Oct 10
2
Moving Mysql data directory denied by selinux?
...ysql to /home/mysql and symlink it.
SELinux complains with
Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied
{ read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340
scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t
tclass=lnk_file
OK, I guess it doesn't like following symlinks, so instead I edited
/etc/my.cnf to
[mysqld]
datadir=/home/mysql
socket=/home/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
[my...
2012 Nov 22
0
Still cannot manage folders through Samba4 with SELinux samba_export_all_rw enabled
...type : file { ioctl read write create
getattr setattr lock append unlink link rename open } ; [
samba_export_all_rw ]
DT allow smbd_t non_security_file_type : dir { ioctl read write getattr
lock add_name remove_name search open } ; [ samba_export_all_rw ]
DT allow smbd_t non_security_file_type : lnk_file { ioctl read write
create getattr setattr lock append unlink link rename } ; [
samba_export_all_rw ]
DT allow nmbd_t noxattrfs : file { ioctl read getattr lock open } ; [
samba_export_all_rw ]
DT allow nmbd_t noxattrfs : dir { getattr search open } ; [
samba_export_all_rw ]
DT allow nmbd_t non_...
2007 Jul 19
1
semodule - global requirements not met
...vis' to generate the module
- amavis.te looks like:
module amavis 1.0;
require {
class dir { add_name getattr read remove_name search write };
class file { create execute execute_no_trans getattr lock read
rename unlink write };
class filesystem getattr;
class lnk_file read;
type amavis_t;
type fs_t;
type mqueue_spool_t;
type sbin_t;
type sendmail_exec_t;
type var_lib_t;
role system_r;
};
allow amavis_t fs_t:filesystem getattr;
allow amavis_t mqueue_spool_t:dir { add_name getattr read remove_name
search wri...
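The modules quoted in the httpd/portmap post, the semodule_package post and this thread are all audit2allow -m output, and two things go wrong with that output in practice: the require block and the rules drift apart (a type or class used in an allow rule but never required fails in checkmodule; a required type that the loaded policy does not know fails in semodule with "global requirements not met"), and audit2allow happily emits rules against file_t, which only hides a labeling problem. The checker below is an added example, not the list's or any poster's code. Its sample module is constructed after the httpd/portmap output with one extra deliberately broken rule; it cannot check the second failure mode (whether a required type exists in the running policy), which needs seinfo -t on the target host.

```python
import re

# Constructed sample, patterned on the audit2allow -m output quoted in the
# httpd/portmap post, plus one rule (portmap_t on lib_t:dir) whose type and
# class are deliberately missing from the require block.
SAMPLE_TE = """\
module local 1.0;

require {
    type portmap_t;
    type httpd_t;
    type file_t;
    class lnk_file read;
    class file { getattr read execute };
}

#============= httpd_t ==============
allow httpd_t file_t:file { read getattr execute };
allow httpd_t file_t:lnk_file read;

#============= portmap_t ==============
allow portmap_t file_t:file { read getattr execute };
allow portmap_t lib_t:dir search;
"""

# Types that mean "this object has no label"; rules against them paper over a
# labeling bug instead of fixing it.
UNLABELED = {"file_t", "unlabeled_t"}

MODULE_RE = re.compile(r'^\s*module\s+([\w.-]+)\s+([\d.]+)\s*;', re.M)
RULE_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;', re.M)


def _perm_set(token):
    return set(token.strip("{} \t\n").split())


def _require_block(text):
    """Return (body, end_offset) of the brace-balanced require { ... } block;
    a non-greedy regex would stop at the '}' of 'class file { ... }'."""
    m = re.search(r'\brequire\s*\{', text)
    if not m:
        return None, None
    start, depth = m.end() - 1, 0
    for j in range(start, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:j], j + 1
    return None, None


def parse_module(text):
    """Pull the module header, the require block and the allow rules out of a
    checkmodule-style .te file (the subset audit2allow emits)."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    mod = MODULE_RE.search(text)
    body, end = _require_block(text)
    if not mod or body is None:
        raise ValueError("expected 'module NAME VERSION;' and a require block")
    types, roles, classes = set(), set(), {}
    for stmt in body.split(";"):
        words = stmt.split()
        if not words:
            continue
        kw, rest = words[0], words[1:]
        if kw == "type":
            types.update(w.strip(",") for w in rest)
        elif kw == "role":
            roles.update(w.strip(",") for w in rest)
        elif kw == "class":
            classes[rest[0]] = _perm_set(" ".join(rest[1:]))
    rules = [(s, t, c, _perm_set(p)) for s, t, c, p in RULE_RE.findall(text[end:])]
    return {"name": mod.group(1), "version": mod.group(2), "types": types,
            "roles": roles, "classes": classes, "rules": rules}


def lint(text):
    """Return (severity, rule, message) findings; an empty list means the
    module is internally consistent and touches no unlabeled type."""
    m = parse_module(text)
    findings = []
    for s, t, c, perms in m["rules"]:
        rule = f"allow {s} {t}:{c}"
        if s not in m["types"]:
            findings.append(("error", rule, f"source type {s} is not in the require block"))
        if t != "self" and t not in m["types"]:
            findings.append(("error", rule, f"target type {t} is not in the require block"))
        if c not in m["classes"]:
            findings.append(("error", rule, f"class {c} is not in the require block"))
        else:
            missing = perms - m["classes"][c]
            if missing:
                findings.append(("error", rule,
                                 f"perms {sorted(missing)} are not required for class {c}"))
        if t in UNLABELED:
            findings.append(("reject", rule,
                             f"{t} is an unlabeled object: fix the label (restorecon) "
                             f"instead of allowing {s} to use it"))
    return findings


if __name__ == "__main__":
    for severity, rule, msg in lint(SAMPLE_TE):
        print(f"{severity:6} {rule}: {msg}")
```

Once a module passes, the build sequence the checkmodule line in the semodule_package post belongs to is checkmodule -M -m -o foo.mod foo.te, then semodule_package -o foo.pp -m foo.mod, then semodule -i foo.pp; semodule_package reads the binary .mod that checkmodule wrote, and handing it the .te text instead is a common way to get a "magic number does not match" error.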
2006 Aug 25
1
SELinux targeted - named, portmap and syslogd errors
...95
scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t
tclass=file
audit(1156518728.032:13): avc: denied { read } for pid=2411 comm="named"
name="libgssapi_krb5.so.2" dev=dm-0 ino=459694
scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t
tclass=lnk_file
======================================================================
The SELinux policies in use are the default from Centos packages (I haven't
changed anything). Surely these bind, portmap and syslogd packages came from
CentOS base or updates.
bind-chroot is not installed. Bind seems to be...
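The denials quoted in the syslogd, named and mysqld posts above all carry tclass=lnk_file, but they call for different fixes. A tcontext type of file_t means the object has no label at all (relabel the tree with restorecon; never allow a domain access to file_t, which is what audit2allow will offer), while the mysqld symlink is var_lib_t simply because the link itself sits in /var/lib, so the answer there is labeling the link's target for mysqld_t or, as that poster did, pointing the daemon at the real path. The triage script below is an added example, not code from any of the posts; its sample lines are constructed after the quoted denials, and the GENERIC_TYPES list and the verdict heuristics are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample denials, patterned on the dmesg/audit.log lines quoted in
# the posts above (syslogd, mysqld, named, amavis); pids and inodes are made up.
SAMPLE_AVC = """\
audit(1163775960.711:5): avc: denied { read } for pid=4325 comm="syslogd" name="libc.so.6" dev=dm-0 ino=4562290 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=lnk_file
audit(1160479319.080:2): avc: denied { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=lnk_file
audit(1156518728.032:13): avc: denied { read } for pid=2411 comm="named" name="libgssapi_krb5.so.2" dev=dm-0 ino=459694 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=lnk_file
type=AVC msg=audit(1219766400.100:77): avc: denied { create unlink } for pid=3210 comm="amavisd" name="db" dev=dm-0 ino=88211 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=lnk_file
"""

# Works for both the dmesg form ("audit(...): avc: denied ...") and the
# audit.log form ("type=AVC msg=audit(...): avc: denied ...").
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object has no label at all: a labeling bug, never a policy gap.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}
# Assumed list of generic location types a symlink inherits from the directory
# it sits in while pointing into a differently labelled tree.
GENERIC_TYPES = {"var_lib_t", "var_t", "usr_t", "tmp_t", "etc_t", "home_root_t", "lib_t"}


@dataclass
class Denial:
    perms: list
    comm: str
    name: str
    stype: str
    ttype: str
    tclass: str
    verdict: str = ""
    advice: str = ""


def _type_of(ctx):
    # user:role:type[:mls]; the type is always the third field
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return a Denial for an AVC line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(perms=m.group("perms").split(),
                  comm=fields.get("comm", "?"), name=fields.get("name", "?"),
                  stype=_type_of(fields["scontext"]),
                  ttype=_type_of(fields["tcontext"]), tclass=fields["tclass"])


def classify(d):
    """Decide whether a denial is a labeling problem, a symlink crossing
    label boundaries, or a candidate for a local policy module."""
    if d.ttype in UNLABELED_TYPES:
        d.verdict = "relabel"
        d.advice = (f"{d.name} is {d.ttype} (no label): run restorecon -Rv on the tree; "
                    f"do not allow {d.stype} access to {d.ttype}")
    elif d.tclass == "lnk_file" and d.ttype in GENERIC_TYPES:
        d.verdict = "symlink"
        d.advice = (f"{d.comm} follows a {d.ttype} symlink: label the link target for "
                    f"{d.stype} (semanage fcontext + restorecon) or point the daemon at "
                    f"the real path rather than allowing {d.ttype}")
    else:
        d.verdict = "policy-gap"
        d.advice = (f"{d.stype} -> {d.ttype}:{d.tclass} {{ {' '.join(d.perms)} }} looks like "
                    f"a real gap: check booleans and sesearch first, then audit2allow -M")
    return d


def triage(log_text):
    return [classify(d) for d in map(parse_avc, log_text.splitlines()) if d]


if __name__ == "__main__":
    for d in triage(SAMPLE_AVC):
        print(f"[{d.verdict:10}] {d.stype} -> {d.ttype}:{d.tclass} {d.perms}  {d.advice}")
```

The verdicts are heuristics for reading a denial, not a replacement for sesearch against the loaded policy; in particular the symlink rule only recognises the generic types listed above, so a link labelled with some other type falls through to "policy-gap" and still needs a look at where it points.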
2018 Sep 09
3
Type enforcement / mechanism not clear
On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote:
>
> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:
>> Any SElinux expert here - briefly:
>>
>> # getenforce
>> Enforcing
>>
>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
>> <no output>
>>
>> # sesearch -ACR -s httpd_t -c file
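The reason the grep in this thread finds nothing is in the reply quoted in the other half of the thread above: the rules that let httpd_t read system_conf_t name the attributes domain and base_ro_file_type, not the types, so sesearch -s httpd_t -t system_conf_t resolves both sides through attribute membership and matches, while grepping a broader sesearch listing for the literal string system_conf_t cannot. The model below is an added example, not setools code; its attribute memberships and rule set are a constructed toy patterned on the rules quoted in the thread, not the real targeted policy.

```python
# Constructed toy policy patterned on the rules quoted in the thread; the
# attribute memberships are illustrative, not the real targeted policy.
ATTRIBUTES = {
    "domain": {"httpd_t", "named_t", "syslogd_t"},
    "base_ro_file_type": {"system_conf_t", "etc_t", "lib_t", "usr_t"},
}

# (source, target, class, perms); source and target may be a type or an attribute
RULES = [
    ("domain", "base_ro_file_type", "dir",
     {"getattr", "ioctl", "lock", "open", "read", "search"}),
    ("domain", "base_ro_file_type", "file",
     {"getattr", "ioctl", "lock", "open", "read"}),
    ("domain", "base_ro_file_type", "lnk_file", {"getattr", "read"}),
    ("httpd_t", "base_ro_file_type", "file",
     {"execute", "execute_no_trans", "getattr", "ioctl", "lock", "map", "open", "read"}),
    ("httpd_t", "httpd_sys_content_t", "file", {"getattr", "open", "read"}),
]


def members(name):
    """Types covered by a type-or-attribute name (a plain type covers itself)."""
    return ATTRIBUTES.get(name, {name})


def rule_text(rule):
    """Render a rule the way sesearch prints it: attribute names stay as-is."""
    s, t, c, perms = rule
    return f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"


def search(source, target=None, tclass=None, perm=None):
    """Roughly what `sesearch -A -s source [-t target] [-c class] [-p perm]`
    does: a rule matches when the queried types fall inside the rule's
    attribute-expanded source and target sets."""
    hits = []
    for rule in RULES:
        s, t, c, perms = rule
        if source not in members(s):
            continue
        if target is not None and target not in members(t):
            continue
        if tclass is not None and c != tclass:
            continue
        if perm is not None and perm not in perms:
            continue
        hits.append(rule)
    return hits


def grep(rules, needle):
    """What `| grep system_conf_t` does to sesearch output: a literal match on
    the printed rule, which shows attribute names rather than member types."""
    return [r for r in rules if needle in rule_text(r)]


def effective_perms(source, target, tclass):
    """Union of every matching rule's permissions: the access the kernel
    actually grants source on target:tclass."""
    allowed = set()
    for _, _, _, perms in search(source, target, tclass):
        allowed |= perms
    return allowed


if __name__ == "__main__":
    # The thread's two commands side by side
    print("sesearch -s httpd_t -c file -p read | grep system_conf_t ->",
          grep(search("httpd_t", tclass="file", perm="read"), "system_conf_t"))
    for r in search("httpd_t", "system_conf_t", "file", "read"):
        print("sesearch -s httpd_t -t system_conf_t -c file -p read ->", rule_text(r))
    print("effective:", sorted(effective_perms("httpd_t", "system_conf_t", "file")))
```

The practical consequence for an audit is that the question "can httpd_t read this type" must be asked with -t, never by grepping rule text, and that the answer is the union across every rule that reaches the type through any attribute, as effective_perms computes.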
2014 Dec 04
3
Postfix avc (SELinux)
I am seeing these avc messages on a newly commissioned and up-to-date CentOS-6
virtual guest:
----
time->Thu Dec 4 12:14:58 2014
type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2
success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698
pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=2784 comm="trivial-rewrite"
2008 Mar 07
1
Unable to open raw socket in CentOS 5 - SELinux and kernel capability interaction?
...#corenet_raw_sendrecv_all_nodes( rawsox_t );
>>
>> require {
>> type lib_t;
>> type ld_so_t;
>> type ld_so_cache_t;
>> type usr_t;
>> type devpts_t;
>> type rawsox_t;
>> type etc_t;
>> class lnk_file read;
>> class dir search;
>> class file { read getattr execute };
>> class chr_file { read write getattr };
>> class rawip_socket create;
>> class capability net_raw;
>> }
>>
>> #============= rawsox_t ==============
>&...
2016 Jul 06
2
How to have more than one SELinux context on a directory
...tpd_t samba_share_t : file { ioctl read write create getattr
setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : dir { ioctl read write create getattr
setattr lock unlink link rename add_name remove_name reparent search
rmdir open } ;
allow ftpd_t samba_share_t : lnk_file { ioctl read write create
getattr setattr lock append unlink link rename } ;
allow ftpd_t samba_share_t : sock_file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : fifo_file { ioctl read write create
getattr setattr lock appe...
2009 Oct 04
2
deliver stopped working
...postfix_pipe_t;
type crond_t;
class process ptrace;
class unix_stream_socket connectto;
class tcp_socket { name_bind name_connect };
class file { rename execute read lock create ioctl execute_no_trans write getattr link
unlink };
class sock_file { setattr create write getattr unlink };
class lnk_file { read getattr };
class dir { search setattr read create write getattr remove_name add_name };
}
#============= clamd_t ==============
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_t:dir read;
allow...
2018 Jun 29
9
v2.3.2 released
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig
v2.3.2 is mainly a bugfix release. It contains all the changes in v2.2.36, as well as a bunch of other fixes (mainly for v2.3-only bugs). Binary packages are already in https://repo.dovecot.org/
* old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while
opening
2014 Dec 04
0
Postfix avc (SELinux)
...udit.log | audit2allow
#============= amavis_t ==============
allow amavis_t shell_exec_t:file execute;
allow amavis_t sysfs_t:dir search;
#============= clamscan_t ==============
allow clamscan_t amavis_spool_t:dir read;
#============= logwatch_mail_t ==============
allow logwatch_mail_t usr_t:lnk_file read;
#============= postfix_master_t ==============
allow postfix_master_t tmp_t:dir read;
#============= postfix_postdrop_t ==============
allow postfix_postdrop_t tmp_t:dir read;
#============= postfix_showq_t ==============
allow postfix_showq_t tmp_t:dir read;
#============= postfix_smtp_t...
2014 Dec 05
0
Postfix avc (SELinux)
...pplied fixes for software provided
through the official CentOS-6 repositories. Does this change apply only to 7
or has it been backported? Both amavisd-new and clamav are provided via the
epel repository.
>> #============= logwatch_mail_t ==============
>> allow logwatch_mail_t usr_t:lnk_file read;
>>
>> #============= postfix_master_t ==============
>> allow postfix_master_t tmp_t:dir read;
>>
>> #============= postfix_postdrop_t ==============
>> allow postfix_postdrop_t tmp_t:dir read;
>>
>> #============= postfix_showq_t ==============...