Displaying 20 results from an estimated 20 matches for "name_connect".
2017 Apr 07
1
Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
I reread my sql.conf.ext files and realized they were actually
connecting to localhost. So I did some googling, and found how to
connect to the socket:
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix
password=Postfix_Database_Password
And all fixed. No more failures. Plus probably securer.
On 04/07/2017 10:57 AM, Robert Moskowitz wrote:
> The strange thing is that
2017 Apr 25
2
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...re (using postgresql, obviously) so that
dovecot runs properly with SELinux enabled,
HTH,
Laurent.
module mydovecot 1.0;
require {
type dovecot_auth_t;
type postgresql_port_t;
type dovecot_t;
type var_t;
type postfix_virtual_tmp_t;
class tcp_socket name_connect;
class file { rename read lock create write getattr link unlink
open append };
class dir { read write create add_name remove_name };
}
#============= dovecot_auth_t ==============
#!!!! This avc is allowed in the current policy
allow dovecot_auth_t postgresql_port_t:tcp_socket nam...
2018 Sep 09
1
Type enforcement / mechanism not clear
On 09/09/2018 07:19 AM, Daniel Walsh wrote:
> sesearch -A -s httpd_t -t system_conf_t -p read
>
> If you feel that these files should not be part of the base_ro_files
> then we should open that for discussion.
I think the question was how users would know that the policy allowed
access, as he was printing rules affecting httpd_t's file read access,
and looking for
2016 Mar 12
2
SELinux denies haproxy
Hi all,
I'm load balancing 4 mysql databases using HAProxy. The setup seems to be
working pretty well. Except I keep seeing these messages turning up in
syslog:
Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400
audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801
comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0
tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket
It looks like SELinux is denying haproxy the ability to connect to the
database. I haven't seen any real problems on the site that uses the...
2017 Apr 25
0
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...SELinux enabled,
>
> HTH,
> Laurent.
>
> module mydovecot 1.0;
>
> require {
> type dovecot_auth_t;
> type postgresql_port_t;
> type dovecot_t;
> type var_t;
> type postfix_virtual_tmp_t;
> class tcp_socket name_connect;
> class file { rename read lock create write getattr link unlink
> open append };
> class dir { read write create add_name remove_name };
> }
>
> #============= dovecot_auth_t ==============
>
> #!!!! This avc is allowed in the current policy
> allow do...
2017 Jun 06
2
weird SELinux denial
I keep seeing this in my audit.logs:
type=AVC msg=audit(1496336600.230:6): avc: denied { name_connect } for pid=2411 comm="dbus-daemon" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
Was caused by:
The boolean allow_ypbind was set incorrectly.
Description:
Allow system to run with NIS
Allow access by...
2012 Jun 29
5
puppetmaster init script - bug ?
I've configured puppet to use storedconfigs and puppetDB,
If I start the puppet master using the init script puppetmaster I get a permission denied error when a node connects:
Master:
[root@puppet ~]# service puppetmaster start
Starting puppetmaster: [ OK ]
Node:
[root@puppet-slave ~]# puppet agent --test
err: Could not retrieve catalog from remote
2023 Oct 17
1
"Could not create listener socket on port" error only when using systemd service
...you're able.
>
It's rather caused by a SELinux policy which only allows icecast daemon to
listen on TCP/8000 port:
# sesearch --allow -s icecast_t -c tcp_socket
[...]
allow icecast_t port_type:tcp_socket name_bind; [ icecast_use_any_tcp_ports ]:True
allow icecast_t port_type:tcp_socket name_connect; [ icecast_use_any_tcp_ports ]:True
allow icecast_t port_type:tcp_socket { recv_msg send_msg }; [ icecast_use_any_tcp_ports ]:True
allow icecast_t soundd_port_t:tcp_socket { name_bind name_connect recv_msg send_msg };
If it's the cause, a corresponding log entry about denying the daemon to bin...
2023 Oct 16
1
"Could not create listener socket on port" error only when using systemd service
On 10/16/23 10:37, Michael C Cambria wrote:
>
> Hi,
>
> I'm using icecast via Fedora 37 package and systemd service to start.
>
> I've added multiple <listen-socket> but get:
>
> "EROR connection/connection_setup_sockets Could not create listener
> socket on port xxx"
*snip*
That error sounds like it could either be an issue relating to which
2016 Mar 12
1
SELinux denies haproxy
...d balancing 4 mysql databases using HAProxy. The setup seems to be
>> working pretty well. Except I keep seeing these messages turning up in
>> syslog:
>>
>>
>> Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400
>> audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801
>> comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0
>> tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket
>>
>> It looks like SELinux is denying haproxy the ability to connect to the
>> database. I haven't seen...
2017 Jun 06
2
weird SELinux denial
...is set
>the audit2why should say that the AVC is allowed.
Well, if I just run audit2why again, it always tells me the same thing. However, I have now discovered that if I unset allow_ypbind, and then reset it to 1, audit2why then says
type=AVC msg=audit(1496768649.872:1338): avc: denied { name_connect } for pid=2413 comm="dbus-daemon" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under whic...
2015 Oct 09
2
CentOS-6 SSHD chroot SELinux problem
...requests unless SELinux is set to permissive (or turned off
altogether). This problem does not evidence itself unless the account
is chrooted.
The output from audit2allow is this:
sudo audit2allow -l -a
#============= chroot_user_t ==============
allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
allow chroot_user_t user_home_t:chr_file open;
#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the
following types:
# var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t,
syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile,...
2017 Apr 07
3
SELinux policy to allow Dovecot to connect to Mysql
I have been getting the following on my new mailserver:
Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect
failed to database (postfix): Can't connect to local MySQL server
through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds
before retry
They go away when I setenforce 0.
So I googled dovecot mysql selinux and the only worthwhile hit was:
2009 Oct 04
2
deliver stopped working
...postfix_master_t;
type rpcd_t;
type dovecot_t;
type klogd_t;
type udev_t;
type clamd_t;
type mysqld_port_t;
type initrc_var_run_t;
type var_t;
type postfix_qmgr_t;
type postfix_pipe_t;
type crond_t;
class process ptrace;
class unix_stream_socket connectto;
class tcp_socket { name_bind name_connect };
class file { rename execute read lock create ioctl execute_no_trans write getattr link
unlink };
class sock_file { setattr create write getattr unlink };
class lnk_file { read getattr };
class dir { search setattr read create write getattr remove_name add_name };
}
#============= clamd_t ==...
2016 Mar 12
0
SELinux denies haproxy
...l,
>
> I'm load balancing 4 mysql databases using HAProxy. The setup seems to be
> working pretty well. Except I keep seeing these messages turning up in
> syslog:
>
>
> Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400
> audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801
> comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0
> tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket
>
> It looks like SELinux is denying haproxy the ability to connect to the
> database. I haven't seen any real problems on...
2017 Jun 06
0
weird SELinux denial
On 06/06/2017 09:17 AM, Vanhorn, Mike wrote:
> I keep seeing this in my audit.logs:
>
> type=AVC msg=audit(1496336600.230:6): avc: denied { name_connect } for pid=2411 comm="dbus-daemon" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
>
> Was caused by:
> The boolean allow_ypbind was set incorrectly.
> Description:
> Allow system to run wi...
2017 Jun 06
2
weird SELinux denial
It says what it is my original post; that's the output from audit2allow -w (which is audit2why):
Was caused by:
The boolean allow_ypbind was set incorrectly.
Description:
Allow system to run with NIS
Allow access by executing:
# setsebool -P allow_ypbind 1
---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ
2017 Jun 06
0
weird SELinux denial
...the audit2why should say that the AVC is allowed.
> Well, if I just run audit2why again, it always tells me the same thing. However, I have now discovered that if I unset allow_ypbind, and then reset it to 1, audit2why then says
>
> type=AVC msg=audit(1496768649.872:1338): avc: denied { name_connect } for pid=2413 comm="dbus-daemon" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
>
> Was caused by:
> Unknown - would be allowed by active policy
> Possible mismatch between this policy and...
2018 Mar 16
2
selinux: how to allow access?
Hi,
how do I allow exim access to a socket in order to be able to do local
deliveries to cyrus?
type=AVC msg=audit(1521179280.845:1920270): avc: denied { name_connect
} for pid=319 comm="exim" dest=24 scontext=system_u:system_r:exim_t:s0
tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket
Yet again I could not find any documentation explaining how to do basic
things like this :( Selinux is more like a curse than anything else :(
Why is...
2007 Dec 08
9
distributing selinux policy module
Using audit2allow, I was able to create a policy module for
selinux:
audit2allow -i /var/log/audit/audit.log -M mysqld
(creates mysqld.pp and mysqld.te)
I want to distribute this to all my puppet clients.
I can easily put this file in
/etc/selinux/targeted/modules/active/modules
But even after reboot, although I can see the module listed:
semodule -l
... it doesn't seem to actually