search for: mac_admin

Hello, This is somehow off-topic, since the problem appears on a modified CentOS-6.2 (turned into a xen-4.1 host) : I get SELinux errors, and I'm not able to understand them. From audit2why : type=AVC msg=audit(1343724164.898:298772): avc: denied { mac_admin } for pid=12399 comm="restore" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 ... and from audit2allow : #============= unconfined_t ============== allow unconfined_t self:ca...

...hip. This guest starts without activating any Ethernet i/f if that has any bearing on the matter. # sealert -a /var/log/audit/audit.log | more found 1 alerts in /var/log/audit/audit.log -------------------------------------------------------- Summary: SELinux is preventing /usr/bin/chcon "mac_admin" access . Detailed Description: SELinux denied access requested by chcon. It is not expected that this access is required by chcon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require addit...

...e kernel doesn't (AFAIK) know about the system_u:object_r:shadow_t:s0 label. > We also would like to prevent users from making mistakes like > assigning httpd_t to a file when it is a process type. > > SELinux is going to check before you put the label down unless you have the > mac_admin capability. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 100 libraries supported. http://fedoraproject.org/wiki/MinGW

Hi, I wonder if makes sense to install SAMBA4 AD DC on a LXC container. What do you think? The AD DC has around 50 users. Thanks in advance -- -- Sergio Belkin LPIC-2 Certified - http://www.lpi.org

...ol the capabilities assigned to the container processes. With lxc-tools, I can specify a configuration option, lxc.cap.drop, which causes the container processes to drop the specified privileges. My libvirt containers seem to run with cap_sys_module,cap_sys_boot,cap_sys_time,cap_audit_control,cap_mac_admin which is rather more permissive than I'd like. In particular, cap_sys_boot allows a container to reboot the host machine. I am running libvirt-0.9.2 from squeeze-backports on debian squeeze. Cheers, -C-

After reading the instructions at https://wiki.samba.org/index.php/Time_Synchronisation, I still have questions about how samba interacts with nptd. The issue is that LXD doesn't want containers setting the time and so won't start ntpd at container startup even though it's enabled in systemd. The host does sync it's time with a national time server, so we can assume that the