Displaying 20 results from an estimated 29 matches for "lnk_file".

2006 Nov 17
1
Problem with SeLinux and syslogd
...logger: [ OK ] and in dmesg CentOS reports to me that: audit(1163775960.711:5): avc: denied { read } for pid=4325 comm="syslogd" name="libc.so.6" dev=dm-0 ino=4562290 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=lnk_file audit(1163775960.711:6): avc: denied { read } for pid=4325 comm="syslogd" name="libc.so.6" dev=dm-0 ino=4562290 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=lnk_file audit(1163775960.711:7): avc: denied { read } for pid=4325 comm="syslogd...
2008 Jul 24
1
selinux & httpd & portmap
...ttpd_disable_trans on and httpd starts - but there's zero enforcing now as I understand it. Further digging & I get to: # cat /var/log/audit/audit.log | audit2allow -m local module local 1.0; require { type portmap_t; type httpd_t; type file_t; class lnk_file read; class file { getattr read execute }; } #============= httpd_t ============== allow httpd_t file_t:file { read getattr execute }; allow httpd_t file_t:lnk_file read; #============= portmap_t ============== allow portmap_t file_t:file { read getattr execute }; allow portmap_t file_t:...
2011 Jan 17
1
SELinux : semodule_package, magic number does not match
Hello, I am trying to create a custom policy, but with no success : $ cat <<EOF> foo.te module local 1.0; require { type httpd_sys_script_exec_t; type httpd_sys_script_t; class lnk_file read; } #============= httpd_sys_script_t ============== allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read; EOF $ checkmodule -M -m -o foo.mod foo.te checkmodule: loading policy configuration from foo.te checkmodule: policy configuration loaded checkmodule: writing binary represen...
2008 Mar 03
1
Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...cy # these two didn't help #corenet_raw_sendrecv_all_if( rawsox_t ); #corenet_raw_sendrecv_all_nodes( rawsox_t ); require { type lib_t; type ld_so_t; type ld_so_cache_t; type usr_t; type devpts_t; type rawsox_t; type etc_t; class lnk_file read; class dir search; class file { read getattr execute }; class chr_file { read write getattr }; class rawip_socket create; class capability net_raw; } #============= rawsox_t ============== allow rawsox_t devpts_t:chr_file { read write getattr }; allow rawsox_t...
2008 Aug 26
3
Amavisd Howto
...type amavis_var_lib_t; type sysctl_kernel_t; type var_t; type postfix_smtpd_t; type initrc_t; type proc_t; class unix_stream_socket connectto; class file { read getattr }; class sock_file write; class lnk_file { read create unlink getattr }; class udp_socket name_bind; class dir { read search }; } #============= amavis_t ============== allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr }; allow amavis_t traceroute_port_t:udp_socket name_bind; #============= clamd_...
2014 Dec 05
2
Postfix avc (SELinux)
...> #============= clamscan_t ============== > allow clamscan_t amavis_spool_t:dir read; In the latest rhel6 policies amavas_t and clamscan_t have been merged into antivirus_t? Is your selinux-policy up to date? > #============= logwatch_mail_t ============== > allow logwatch_mail_t usr_t:lnk_file read; > > #============= postfix_master_t ============== > allow postfix_master_t tmp_t:dir read; > > #============= postfix_postdrop_t ============== > allow postfix_postdrop_t tmp_t:dir read; > > #============= postfix_showq_t ============== > allow postfix_showq_t tmp_...
2018 Sep 10
1
Type enforcement / mechanism not clear
...ll of what we define as base_ro_file_type types. > > sesearch -A -s httpd_t -t system_conf_t -p read > allow domain base_ro_file_type:dir { getattr ioctl lock open read search }; > allow domain base_ro_file_type:file { getattr ioctl lock open read }; > allow domain base_ro_file_type:lnk_file { getattr read }; > allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read }; > > > The base_ro_file_types are files executables that we consider part of the OS. So reading them should not reveal secrets. Thanks for the pointer. Puuh, th...
2006 Oct 10
2
Moving Mysql data directory denied by selinux?
...ysql to /home/mysql and symlink it. SELinux complains with Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=lnk_file Ok, I guess it doesn't like following symlinks so instead I edited /etc/my.cnf to [mysqld] datadir=/home/mysql socket=/home/mysql/mysql.sock # Default to using old password format for compatibility with mysql 3.x # clients (those using the mysqlclient10 compatibility package). old_passwords=1 [my...
2012 Nov 22
0
Still cannot manage folders through Samba4 with SELinux samba_export_all_rw enabled
...type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ] DT allow smbd_t non_security_file_type : dir { ioctl read write getattr lock add_name remove_name search open } ; [ samba_export_all_rw ] DT allow smbd_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ samba_export_all_rw ] DT allow nmbd_t noxattrfs : file { ioctl read getattr lock open } ; [ samba_export_all_rw ] DT allow nmbd_t noxattrfs : dir { getattr search open } ; [ samba_export_all_rw ] DT allow nmbd_t non_...
2007 Jul 19
1
semodule - global requirements not met
...vis' to generate the module - amavis.te looks like: module amavis 1.0; require { class dir { add_name getattr read remove_name search write }; class file { create execute execute_no_trans getattr lock read rename unlink write }; class filesystem getattr; class lnk_file read; type amavis_t; type fs_t; type mqueue_spool_t; type sbin_t; type sendmail_exec_t; type var_lib_t; role system_r; }; allow amavis_t fs_t:filesystem getattr; allow amavis_t mqueue_spool_t:dir { add_name getattr read remove_name search wri...
2006 Aug 25
1
SELinux targeted - named, portmap and syslogd errors
...95 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=file audit(1156518728.032:13): avc: denied { read } for pid=2411 comm="named" name="libgssapi_krb5.so.2" dev=dm-0 ino=459694 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=lnk_file ====================================================================== The SELinux policies in use are the default from Centos packages (I haven't changed anything). Surely these bind, portmap and syslogd packages came from Centos base or update. bind-chroot is not installed. Bind seems to be...
2018 Sep 09
3
Type enforcement / mechanism not clear
On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote: > > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file
2014 Dec 04
3
Postfix avc (SELinux)
I am seeing these avc messages on a newly commissioned and up-to-date CentOs-6 virtual guest: ---- time->Thu Dec 4 12:14:58 2014 type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2 success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698 pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2784 comm="trivial-rewrite"
2008 Mar 07
1
Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...#corenet_raw_sendrecv_all_nodes( rawsox_t ); >> >> require { >> type lib_t; >> type ld_so_t; >> type ld_so_cache_t; >> type usr_t; >> type devpts_t; >> type rawsox_t; >> type etc_t; >> class lnk_file read; >> class dir search; >> class file { read getattr execute }; >> class chr_file { read write getattr }; >> class rawip_socket create; >> class capability net_raw; >> } >> >> #============= rawsox_t ============== >>...
2016 Jul 06
2
How to have more than on SELinux context on a directory
...tpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samba_share_t : fifo_file { ioctl read write create getattr setattr lock appe...
2009 Oct 04
2
deliver stopped working
...postfix_pipe_t; type crond_t; class process ptrace; class unix_stream_socket connectto; class tcp_socket { name_bind name_connect }; class file { rename execute read lock create ioctl execute_no_trans write getattr link unlink }; class sock_file { setattr create write getattr unlink }; class lnk_file { read getattr }; class dir { search setattr read create write getattr remove_name add_name }; } #============= clamd_t ============== allow clamd_t proc_t:file { read getattr }; allow clamd_t sysctl_kernel_t:dir search; allow clamd_t sysctl_kernel_t:file read; allow clamd_t var_t:dir read; allow...
2018 Jun 29
9
v2.3.2 released
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig v2.3.2 is mainly a bugfix release. It contains all the changes in v2.2.36, as well as a bunch of other fixes (mainly for v2.3-only bugs). Binary packages are already in https://repo.dovecot.org/ * old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening
2014 Dec 04
0
Postfix avc (SELinux)
...udit.log | audit2allow #============= amavis_t ============== allow amavis_t shell_exec_t:file execute; allow amavis_t sysfs_t:dir search; #============= clamscan_t ============== allow clamscan_t amavis_spool_t:dir read; #============= logwatch_mail_t ============== allow logwatch_mail_t usr_t:lnk_file read; #============= postfix_master_t ============== allow postfix_master_t tmp_t:dir read; #============= postfix_postdrop_t ============== allow postfix_postdrop_t tmp_t:dir read; #============= postfix_showq_t ============== allow postfix_showq_t tmp_t:dir read; #============= postfix_smtp_t...
2014 Dec 05
0
Postfix avc (SELinux)
...pplied fixes for software provided through the official CentOS-6 repositories. Does this change apply only to 7 or has it been backported? Both amavisd-new and clamav are provided via the epel repository. >> #============= logwatch_mail_t ============== >> allow logwatch_mail_t usr_t:lnk_file read; >> >> #============= postfix_master_t ============== >> allow postfix_master_t tmp_t:dir read; >> >> #============= postfix_postdrop_t ============== >> allow postfix_postdrop_t tmp_t:dir read; >> >> #============= postfix_showq_t ==============...