Displaying 15 results from an estimated 15 matches for "mypol".

2015 Jan 19
2
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
...you believe that iptables-multi-1.4.7 should be allowed search access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep iptables /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp I presume that the following is somehow related to that host sending out mail, possible by fail2ban, since we run postfix on that host and the sendmail SMTP package is not installed. type=AVC msg=audit(1421683972.826:4376): avc: denied { read } for pid=22796 comm=&q...
2014 Aug 21
1
Centos 7 lockup
...onitor-get-edid-using-vbe should be allowed mmap_zero access on the memprotect by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep monitor-get-edi /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp ------ and then this final message Aug 20 14:02:42 opennms-h-03 dbus-daemon: 'list' object has no attribute 'split' Do either of those look fatal? And where else should I look for the underlying problem? -- Les Mikesell lesmikesell at gmail.com
2014 Dec 09
1
CentOS-6.6 - Selinux and Postfix-2.11.1
...************ If you believe that smtp should be allowed lock access on the 9934A60C7D file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep smtp /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 90...
2012 Apr 30
1
SELinux is preventing /usr/libexec/postfix/pickup from module_request
...If you believe that pickup should be allowed module_request access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pickup /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:postfix_pickup_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source pickup Source Path /usr/li...
2015 Jan 19
0
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
...i-1.4.7 should be allowed search > access on the directory by default. > Then you should report this as a bug. > You can generate a local policy module to allow this access. > Do > allow this access for now by executing: > # grep iptables /var/log/audit/audit.log | audit2allow -M mypol > # semodule -i mypol.pp > > It appears that the starting date of these errors corresponds to the day on which we first began to jail SSH attempts on that host. We eventually ended up with a custom policy that looks like this: #============= fail2ban_t ============== allow fail2ban_t ld...
2015 Dec 31
0
CentOS 7, annoyances in the logs
...NetworkManager should be allowed write access on the sys directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012 Which policy I implemented, but why is that incorrect in the first place? 3. Finally, the noisiest of all, NetworkManager[7723]: <warn> error requesting auth for org.freedesktop.NetworkManager.settings.modify.hostname: (0) Authorization check failed: GDBus.Er...
2016 Feb 29
0
Odd selinux complaints on new, fully updated CentOS 7
...ystemd-readahe should be allowed add_name access on the .readahead.new directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-readahe /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:readahead_t:s0 Target Context system_u:object_r:mnt_t:s0 Target Objects .readahead.new [ dir ] Source systemd-readahe Source Path s...
2012 May 28
0
mcelog SELinux errors
...********* If you believe that mcelog should be allowed write access on the run directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mcelog /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp This seems to my mind a bug either with the distributed SELinux policies or the software itself or somehow something has become very, very misconfigured. However, an semodule -l does not reveal any local policies installed on this server, so whatever is wrong it does not see...
2012 May 28
0
Another odd SELinux message
...*************** If you believe that ps should be allowed search access on the 1169 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep ps /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp This particular server is running several Ruby-on-Rails (RoR) applications using Passenger (aka mod-rails). Passenger has a 'lot' of SELinux issues so this host is more or less a quarantine site for Rails apps. I am suspicious that Passenger is the cause because I...
2012 Apr 07
1
wine with Fedora 16... need help please
...believe that wine-preloader should be allowed mmap_zero access on the memprotect by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep wine-preloader /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 Target Objects [ memprotect ] Source wine-preloader Sour...
2014 Dec 11
0
CentOS-6 Another email related AVC
...************* If you believe that perl should be allowed read access on the online file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep amavisd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp [root at inet18 ~ (master #)]# grep amavisd /var/log/audit/audit.log | audit2allow #============= amavis_t ============== allow amavis_t shell_exec_t:file { read open }; allow amavis_t sysfs_t:file read; -- *** E-Mail is NOT a SECURE channel *** Jame...
2018 Oct 12
0
Restarting Named on CentOS-6 gives SE Error
...************* If you believe that named should be allowed search access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep named /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:named_t:s0 Target Context system_u:object_r:sysctl_vm_t:s0 Target Objects [ dir ] Source named Source Path /usr/sbin/named Por...
2016 Sep 16
0
SELinux module
...s on the > > .bash_logout file by default. > > Then you should report this as a bug. > > You can generate a local policy module to allow this access. > > Do > > allow this access for now by executing: > > # grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol > > # semodule -i mypol.pp > > > > > > Additional Information: > > Source Context > > system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c102 > > 3 > > Target Context system_u:object_r:nfs_t:s0 > > Target...
2016 Sep 16
2
SELinux module
...f you believe that mkhomedir should be allowed setattr access on the .bash_logout file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c102 3 Target Context system_u:object_r:nfs_t:s0 Target Objects .bash_logout [ file ] Source mkhomedir Sou...
2014 Apr 23
1
SELInux and POSTFIX
...****** If you believe that smtp should be allowed read write access on the 546AA6099F file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep smtp /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp grep 546AA6099F /var/log/audit/audit.log | audit2why type=AVC msg=audit(1398199187.646:29332): avc: denied { getattr } for pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_sm...