Displaying 10 results from an estimated 10 matches for "named_t".

2018 Oct 12
0
Restarting Named on CentOS-6 gives SE Error
...you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep named /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:named_t:s0 Target Context system_u:object_r:sysctl_vm_t:s0 Target Objects [ dir ] Source named Source Path /usr/sbin/named Port <Unknown> Host inet08.hamilton.harte-lyne.ca Source...
2007 Aug 16
1
SELinux questions, upon restarting BIND
...stalled, so 'setroubleshoot' isn't an option (unless there's a text equivalent). Thanks in advance for any opinions/suggestions/enlightenments :) ~Ray ============================================= Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "getattr" access to /dev/random (tmpfs_t). For complete SELinux messages. run sealert -l 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a ============================================= Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "read" a...
2009 Aug 15
1
Confused about named, chroot, and tmp files.
...ing configuration from '/etc/named.conf' Aug 15 14:09:46 devserver21 named: named reload succeeded Aug 15 14:09:46 devserver21 kernel: audit(1250359786.568:31): avc: denied { write } for pid=5103 comm="named" name="named" dev=dm-0 ino=28148843 scontext=user_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir Aug 15 14:09:46 devserver21 kernel: audit(1250359786.568:32): avc: denied { add_name } for pid=5103 comm="named" name="tmp-XXXXtGN8y7" scontext=user_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir Aug 15...
2017 Feb 12
3
Centos7 and old Bind bug
This is my new Centos7 DNS server. In logwatch I am seeing: **Unmatched Entries** dispatch 0xb4378008: open_socket(0.0.0.0#5546) -> permission denied: continuing: 1 Time(s) dispatch 0xb4463008: open_socket(::#1935) -> permission denied: continuing: 1 Time(s) dispatch 0xb4464440: open_socket(::#8554) -> permission denied: continuing: 1 Time(s) dispatch 0xb4464440:
2007 Aug 17
2
repost: SELinux questions, upon restarting BIND
...text equivalent). > > > > Thanks in advance for any opinions/suggestions/enlightenments :) > > > > ~Ray > > > > ============================================= > > Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing > > /usr/sbin/named (named_t) "getattr" access to /dev/random > > (tmpfs_t). For complete SELinux messages. run sealert -l > > 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a > > ============================================= > > Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing >...
2006 Aug 25
1
SELinux targeted - named, portmap and syslogd errors
...name="libnsl-2.3.4.so" dev=dm-0 ino=48836 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file audit(1156518728.009:10): avc: denied { read } for pid=2411 comm="named" name="liblwres.so.1.1.2" dev=dm-0 ino=462795 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=file audit(1156518728.032:13): avc: denied { read } for pid=2411 comm="named" name="libgssapi_krb5.so.2" dev=dm-0 ino=459694 scontext=user_u:system_r:named_t tcontext=system_u:object_r:file_t tclass=lnk_file ==========================...
2017 Feb 12
0
Centos7 and old Bind bug
...s option in Bind? It looks like that bug was assigned to the selinux-policy component, where it was CLOSED NOTABUG, and then mistakenly marked CLOSED ERRATA. The solution is probably to specify the allowed ports. However, I must be reading something wrong, because on my system, it looks like named_t is allowed to use those ports. # sesearch -A -s named_t | grep port | grep bind ...indicates that named_t is allowed to bind to both unreserved ports and ephemeral ports. # semanage port -l | grep unreserved_port_t unreserved_port_t tcp 61001-65535, 1024-32767 unreserved...
2017 Feb 12
2
Centos7 and old Bind bug
...ooks like that bug was assigned to the selinux-policy component, > where it was CLOSED NOTABUG, and then mistakenly marked CLOSED ERRATA. > > The solution is probably to specify the allowed ports. However, I > must be reading something wrong, because on my system, it looks like > named_t is allowed to use those ports. > > # sesearch -A -s named_t | grep port | grep bind > > ...indicates that named_t is allowed to bind to both unreserved > ports and ephemeral ports. > > # semanage port -l | grep unreserved_port_t > unreserved_port_t tcp...
2015 Oct 27
0
CentOS-6.6 SELinux questions
...il_t ============== #!!!! The source type 'mailman_mail_t' can write to a 'dir' of the following types: # mailman_log_t, mailman_data_t, mailman_lock_t, mailman_archive_t, var_lock_t, tmp_t, mailman_mail_tmp_t, var_log_t, root_t allow mailman_mail_t lib_t:dir write; #============= named_t ============== allow named_t sysctl_vm_t:dir search; #============= postfix_postdrop_t ============== allow postfix_postdrop_t fail2ban_tmp_t:file { read write }; #============= syslogd_t ============== allow syslogd_t sysctl_vm_t:dir search; Is there an epel/selinux forum to report these for re...
2012 Nov 26
0
Installation and Setup of Samba4 AD DC on CentOS6
...to produce a file for generating a policy module # ausearch -m avc -ts dd/mm/yy | audit2allow -m samba4local > samba4local.te I edited the samba4local.te file to remove the unwanted commentary. The result looked like this: ---***--- module samba4local 1.0; require { type initrc_t; type named_t; type named_var_run_t; type ntpd_t; type ntpd_var_run_t; type smbd_t; type samba_unconfined_script_exec_t; type urandom_device_t; type var_lock_t; class unix_stream_socket connectto; class unix_dgram_socket sendto; class sock_file write; class chr_file wr...