Displaying 20 results from an estimated 469 matches for "object_r".
2020 Feb 04
5
Relabel /usr directory
Hi,
I've done the following:
- Copy usr content with rsync to another partition:
rsync -av --partial --progress /usr/ /mnt
Then I unmounted, added a line for /usr to fstab, then deleted /usr/* (not
the directory itself). But I've found that it is badly labeled:
ls -Z /usr
unconfined_u:object_r:unlabeled_t:s0 bin
unconfined_u:object_r:unlabeled_t:s0 local
unconfined_u:object_r:unlabeled_t:s0 games
unconfined_u:object_r:unlabeled_t:s0 sbin
unconfined_u:object_r:unlabeled_t:s0 include
unconfined_u:object_r:unlabeled_t:s0 share
unconfined_u:object_r:unlabeled_t:s0 lib
unconfined_u:object...
2013 Nov 16
1
(no subject)
[root@ipa tftpboot]# semanage fcontext -l | grep tftp
/tftpboot                directory       system_u:object_r:tftpdir_t:s0
/tftpboot/.*             all files       system_u:object_r:tftpdir_t:s0
/usr/sbin/atftpd         regular file    system_u:object_r:tftpd_exec_t:s0
/usr/sbin/in\.tftpd      regular file    system_u:object_r:tftpd_exec_t:s...
2017 Sep 21
0
CentOS 7, samba-4.4.4-14.el7_3 and openldap-2.4.40-13.el7 -- file permissions?
...hentifcation) and things and somewhat working. There is a bit
of weirdness though. smbclient is only able to access *directories* and not
any of the files. Why is that? What am I missing?
Here is a log of a test run:
[heller@c764guest: ~]$ ls -lZAn
total 8424
-rw-------. 1 unconfined_u:object_r:home_root_t:s0 1000 1000 30 Jan 10 2016 .bash_history
-rw-r--r--. 1 unconfined_u:object_r:home_root_t:s0 1000 1000 18 Nov 20 2015 .bash_logout
-rw-r--r--. 1 unconfined_u:object_r:home_root_t:s0 1000 1000 193 Nov 20 2015 .bash_profile
-rw-r--r--. 1 unconfined_u:object_r:home_root...
2011 Nov 03
1
CentOS-5.7 + megaraid + SELinux : update problem
Hello,
After updating to CentOS-5.7, I have a (small) problem:
The context of /dev/megadev0 is now defined
(in /etc/selinux/targeted/contexts/files/file_contexts) as
system_u:object_r:removable_device_t:s0.
This causes smartmontools to fail:
avc: denied { read write } for pid=2847 comm="smartd"
name="megadev0" dev=tmpfs ino=8284
scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=chr_file
Changing the...
2014 Mar 05
2
CentOS 5 + Quagga + SELinux
...https://bugzilla.redhat.com/show_bug.cgi?id=429252
[1] https://www.centos.org/forums/viewtopic.php?t=21040
type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for
pid=2646 comm="zebra" name="zebra.conf.CxNsyz"
scontext=root:system_r:zebra_t:s0
tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5
success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1
pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92
fsgid=92 tty=(none) ses=1 comm="zebra" exe="/usr/sb...
2013 Dec 19
1
quota and selinux on centos 6.5
...f I use restorecon /var/spool/cron/aquota.user, it reports that there is no default context for that file.
[root@CentOS active]# touch /var/spool/cron/aquota.user
[root@CentOS active]# restorecon /var/spool/cron/
[root@CentOS active]# ls -lZ /var/spool/cron/
-rw-r--r--. root root unconfined_u:object_r:user_cron_spool_t:s0 aquota.user
[root@CentOS active]# restorecon /var/spool/cron/aquota.user
restorecon:  Warning no default label for /var/spool/cron/aquota.user
Semanage reports this
[root@CentOS active]# semanage fcontext -l|grep quota
/a?quota\.(user|group) ...
2008 Oct 30
1
nfs mounted /home and selinux
...'m trying to set the context on an nfs mounted /home. I believe
exactly like in Redhat's Deployment Guide at
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/ch45s02s03.html
On my system running CentOS 5.2:
$ ls -alZ /home
drwxr-xr-x root root system_u:object_r:home_root_t .
drwxr-xr-x root root system_u:object_r:root_t ..
$ mount -t nfs -o context=user_u:object_r:user_home_dir_t \
server001a:/vol/vol01/home /home
$ ls -alZ /home
drwxrwxr-x root root system_u:object_r:nfs_t .
drwxr-xr-x root root system_...
2015 Jun 30
6
RPC server not available when windows client attempts to join samba AD
I am installing a new Samba 4.2 Active Directory server on CentOS 7. I
followed the Wiki instructions on how to create the server. I am using
sernet-samba 4.2 binaries. Everything seems to be OK on the Linux side but
I cannot get any windows client to successfully join the domain. Each
attempt returns the following error message "RPC Server in not available".
Below are the config file
2020 Apr 03
2
Samba 4.12 SELinux context /var/run
Hi, since 4.12 Samba SELinux context for /var/run/samba is not correct
anymore:
```
root@files:~ # ls -la -Z /var/run/samba/
total 12
drwxr-xr-x.  5 root root system_u:object_r:var_run_t:s0  160 Apr 3 20:42 .
drwxr-xr-x. 30 root root system_u:object_r:var_run_t:s0 1000 Apr 3 18:39 ..
drwxr-xr-x.  3 root root system_u:object_r:var_run_t:s0   60 Apr 3 18:39 ncalrpc
drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   60 Apr 3 18:39 nmbd
-rw-r--r--. 1 root root...
2014 Apr 23
1
SELInux and POSTFIX
...546AA6099F /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1398199187.646:29332): avc: denied { getattr } for
pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1398199187.646:29333): avc: denied { read write } for
pid=23387 comm="smtp" name="...
2013 Jan 12
2
selinux + kvm virtualization + smartd problem
...uest (whole disks, not partitions;
needed to use zfs (zfsonlinux) benefit features). The problem is that
disks (files in /dev) which are attached to the KVM guest have an SELinux context
which is inaccessible from the context of the smartd process.
[root@srv-1.home ~]# ls -laZ /dev/sd{a..f}
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
brw-rw----. qemu qemu system_u:object_r:svi...
2008 Jun 06
1
SELinux error message on CentOS 5: "multiple same specifications"
...re no lost+found or
.journal there, so I guess those are really innocuous.)
I dug in deeper and I found out that the source of the problem is most
probably in this file:
/etc/selinux/targeted/contexts/files/file_contexts.homedirs
Among its contents are these lines:
/usr/local/[^/]*/.+ user_u:object_r:user_home_t:s0
/usr/local/[^/]*/.*/plugins/nprhapengine\.so.* -- user_u:object_r:textrel_shlib_t:s0
/usr/local/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
/usr/local/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0
/usr/local/[^...
2015 Feb 09
2
SELinux context for ssh host keys?
I generated a new host key for one of our systems using:
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key_4096
I then ran 'ls -Z' on the keys
ll -Z *key*
-rw-------. root root system_u:object_r:sshd_key_t:s0 ssh_host_dsa_key
-rw-r--r--. root root system_u:object_r:sshd_key_t:s0 ssh_host_dsa_key.pub
-rw-------. root root system_u:object_r:sshd_key_t:s0 ssh_host_key
-rw-r--r--. root root system_u:object_r:sshd_key_t:s0 ssh_host_key.pub
-rw-------. root root system_u:object_r:sshd_key_t:...
2020 Apr 04
1
Samba 4.12 SELinux context /var/run
...e:
> On 03/04/2020 20:34, Tobias Kirchhofer via samba wrote:
>> Hi, since 4.12 Samba SELinux context for /var/run/samba is not
>> correct anymore:
>>
>> ```
>> root@files:~ # ls -la -Z /var/run/samba/
>> total 12
>> drwxr-xr-x.  5 root root system_u:object_r:var_run_t:s0  160 Apr 3 20:42 .
>> drwxr-xr-x. 30 root root system_u:object_r:var_run_t:s0 1000 Apr 3 18:39 ..
>> drwxr-xr-x.  3 root root system_u:object_r:var_run_t:s0   60 Apr 3 18:39 ncalrpc
>> drwxr-xr-x.  2 root root system_u:object_r:var_run_t:...
2017 Oct 23
2
Unable to apply mysqld_db_t to mysql directory
...e the Equivalence. As a first thing, I tried:
semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
then
restorecon -R /var/lib/mysql
# semanage fcontext -lC
SELinux fcontext         type         Context
/home/users(/.*)?        all files    system_u:object_r:user_home_dir_t:s0
/var/lib/mysql           all files    system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?     all files    system_u:object_r:mysqld_db_t:s0
SELinux Local fcontext Equivalence
./mysql = ./mysql.old
/var/lib/mysql = /var/lib/mysql.o...
2014 Aug 14
2
SELinux vs. logwatch and virsh
...me if I run "logwatch"
from a root console.
I set SELinux to permissive and that allows virsh to run. Therefore I know it is
something to do with SELinux.
The logwatch script is:
#Lots of comments
/usr/bin/virsh list --all
I see the selinux security context of virsh is
system_u:object_r:virsh_exec_t:s0
while logwatch.pl runs as
system_u:object_r:logwatch_exec_t:s0
As I understand it, selinux does not permit having multiple type settings for a file. Any
file can have exactly one type setting.
I ran this command hoping it would add another type to the virsh program.
sema...
2009 Apr 03
2
clamav and selinux
...v
like...
chcon -t clamd_t clamav -R
which temporarily solves the problem but it would be better if it were
policy and not file contexts. So I search and see for some
reason, /var/clamav is ignored...
# grep clam /etc/selinux/targeted/contexts/files/file_contexts
/etc/clamav(/.*)? system_u:object_r:clamd_etc_t:s0
/var/run/clamd.* system_u:object_r:clamd_var_run_t:s0
/var/run/clamav.* system_u:object_r:clamd_var_run_t:s0
/var/lib/clamav(/.*)? system_u:object_r:clamd_var_lib_t:s0
/var/log/clamav(/.*)? system_u:object_r:clamd_var_log_t:s0
/var/run/amavis(d)?/clamd\.pid --
syste...
2020 Jul 25
3
tmpfs / selinux issue
Hi all,
I have some AVC in the logs and wonder how to resolve this: Under
EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.
# tail -1 /etc/fstab
tmpfs /var/lib/php/session tmpfs defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0" 0 0
# df -a |grep php
tmpfs 16384 0 16384 0% /var/lib/php/session
# ls -laZ /var/lib/php/session
insgesamt 0
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24. Jul 15:36 .
drwxr-xr-x. 6 root root system_u:object_r:httpd_v...
2017 Jan 08
1
Dovecot Selinux Setting
Hello,
Can anyone tell me the correct SELinux settings for the Maildir setting?
At the moment I have this setting
Jan 8 15:04:52 2017 from 192.168.100.100
[root@mx03 ~]# ls -Z /srv/vmail
drwx------. vmail vmail unconfined_u:object_r:mail_home_rw_t:s0 example.com
drwx------. vmail vmail unconfined_u:object_r:mail_home_rw_t:s0 example.at
drwx------. vmail vmail unconfined_u:object_r:mail_home_rw_t:s0 eu-example.at
drwx------. vmail vmail unconfined_u:object_r:mail_home_rw_t:s0 example1.com
-rw-rw----. vmail vmail unconfined_u:ob...
2011 Jan 31
1
Squid and SELinux
...want to add another directory for cache, in this system we have a home
partition with huge space, I create a squid dir and add the path with
semanage:
semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
I check the files and they are in the good context:
drwxr-xr-x squid squid user_u:object_r:squid_cache_t .
drwxr-xr-x squid squid system_u:object_r:home_root_t ..
drwxr-x--- squid squid user_u:object_r:squid_cache_t 00
drwxr-x--- squid squid user_u:object_r:squid_cache_t 01
...
But when I want to start it I get this:
type=AVC msg=audit(1296442326.932:739661): avc: denied {...