Displaying 5 results from an estimated 5 matches for "net_raw".
2008 Mar 03
1
Unable to open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...##############################
# Declarations
type rawsox_t;
type rawsox_exec_t;
domain_type(rawsox_t)
domain_entry_file(rawsox_t, rawsox_exec_t)
domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
########################################
# Rawsox local policy
# these two didn't help
#corenet_raw_sendrecv_all_if( rawsox_t );
#corenet_raw_sendrecv_all_nodes( rawsox_t );
require {
type lib_t;
type ld_so_t;
type ld_so_cache_t;
type usr_t;
type devpts_t;
type rawsox_t;
type etc_t;
class lnk_file read;
class dir search;...
2014 Oct 25
1
Centos 6.5 - Fping - SE Linux - Missing type enforcement (TE) allow rule
...e file, I
have a warning saying that the rules already exist! Which does make
sense since I had to allow those particular functions for the Mysql
connection to function properly.
---------------
.te file :
"module fping-httpd 1.0;
require {
type httpd_t;
class capability net_raw;
class rawip_socket create;
}
#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket create;
"
---------------
Is the "Missing type enforcement" related to all of this? I...
2008 Mar 07
1
Unable to open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...t;
>> domain_type(rawsox_t)
>> domain_entry_file(rawsox_t, rawsox_exec_t)
>> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
>>
>> ########################################
>> # Rawsox local policy
>>
>> # these two didn't help
>> #corenet_raw_sendrecv_all_if( rawsox_t );
>> #corenet_raw_sendrecv_all_nodes( rawsox_t );
>>
>> require {
>> type lib_t;
>> type ld_so_t;
>> type ld_so_cache_t;
>> type usr_t;
>> type devpts_t;
>> type rawsox_t;
>>...
2015 Jan 19
2
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
I am seeing these in the log of one of our off-site NX hosts running
CentOS-6.6.
type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for
pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0
tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket
Was caused by:
Missing type enforcement (TE) allow rule.
You can use
2015 Jan 19
0
CentOS-6.6 Fail2Ban and Postfix Selinux AVCs
...We eventually ended up with a custom policy that looks like this:
#============= fail2ban_t ==============
allow fail2ban_t ldconfig_exec_t:file { read execute open getattr execute_no_trans };
allow fail2ban_t insmod_exec_t:file { read execute open };
allow fail2ban_t self:capability { net_admin net_raw };
allow fail2ban_t self:rawip_socket { getopt create setopt };
allow fail2ban_t sysctl_kernel_t:dir search;
allow fail2ban_t sysctl_modprobe_t:file read;
allow system_mail_t inotifyfs_t:dir read;
I am not sure whether this issue is the result of something that we
have done or left undone. We h...