Displaying 6 results from an estimated 6 matches for "relabelfrom".
2017 Apr 30
3
selinux problem policies
...w check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/
cil:244
(neverallow selinuxutil_typeattr_1 semanage_store_t (file (relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:675
(allow restorecond_t non_auth_file_type (file (getattr relabelfrom
relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/systemd/cil:1108
(allow systemd_tmpfiles_t non_auth_file_type (file (getattr relabelfrom
relabelto)))
neverallow check failed at /etc/selinux/targeted/tmp/modules/100/base/cil:
13121
(neverallow base_typeatt...
2017 May 01
2
selinux problem policies
...w check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/
cil:244
(neverallow selinuxutil_typeattr_1 semanage_store_t (file (relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:675
(allow restorecond_t non_auth_file_type (file (getattr relabelfrom
relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/systemd/cil:1108
(allow systemd_tmpfiles_t non_auth_file_type (file (getattr relabelfrom
relabelto)))
But the Rule are not added/set ?
> > I have more instances from typo3
> > I found this constru...
2012 Jun 15
1
Puppet + Passenger SELinux issues
...t;
type passenger_t;
type port_t;
type proc_net_t;
class process { getattr siginh setexec sigchld noatsecure transition
rlimitinh };
class unix_stream_socket { getattr accept read write };
class capability { sys_resource sys_ptrace };
class file { entrypoint open create relabelfrom relabelto getattr
setattr read write append ioctl lock rename link unlink };
class lnk_file { getattr read };
class udp_socket name_bind;
class dir { getattr setattr add_name remove_name search open read write
ioctl lock };
}
#============= httpd_t ==============
allow httpd_t port_t:u...
2020 Jul 16
1
Re: SELinux labels change in libvirt
...;s label will match the
virt-launcher's.
Is this were libvirt does the relabeling
https://github.com/libvirt/libvirt/blob/e71e13488dc1aa65456e54a4b41bc925821b4263/src/security/security_selinux.c#L1256
?
btw the error we get is (from audit)
type=AVC msg=audit(1586956552.265:513): avc: denied { relabelfrom }
for pid=27423 comm="libvirtd"
scontext=system_u:system_r:container_t:s0:c143,c582
tcontext=system_u:system_r:spc_t:s0 tclass=tun_socket permissive=0
> Regards,
> Daniel
> --
> |: https://berrange.com -o-
> https://www.flickr.com/photos/dberrange :|
> |: https://...
2020 Apr 13
0
SELinux denies login
..."dm-0"
ino=67978294 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
The policy allows sssd_t to unlink user_tmp_type:
sesearch -s sssd_t --allow:
allow sssd_t user_tmp_type : file { ioctl read write create getattr
setattr lock relabelfrom relabelto append unlink link rename open } ;
Is the problem that the credential cache files in /tmp are being created
with the wrong label, or is there some other problem I'm not seeing?
2020 Jul 14
2
Re: SELinux labels change in libvirt
On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com>
wrote:
> On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote:
> > Hello all,
> >
> > tl;dr, can you point me to the point in the libvirt repo where it's
> trying
> > to change a tap-device's SELinux label?
> >
> > I am trying to create a tap device with libvirt on