search for: s0

...done the following: - Copy usr content with rsync to another partition: rsync -av --partial --progress /usr/ /mnt Then, unmounted, added to fstab a line for /usr, then deleted /usr/* (not the directory itself). But I've found that is bad labeled: ls -Z /usr unconfined_u:object_r:unlabeled_t:s0 bin unconfined_u:object_r:unlabeled_t:s0 local unconfined_u:object_r:unlabeled_t:s0 games unconfined_u:object_r:unlabeled_t:s0 sbin unconfined_u:object_r:unlabeled_t:s0 include unconfined_u:object_r:unlabeled_t:s0 share unconfined_u:object_r:unlabeled_t:s0 lib unconfined_u:object_r:unlabeled_t:...

...r/administrator must ensure the directory has be given this requisite label. Likewise physical block devices must be labelled system_u:object_r:virt_image_t.". So did I: [root at vpl2 ~]# ls -dlZ /home/aik/virtimg /var/lib/libvirt/images drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /home/aik/virtimg drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images [root at vpl2 ~]# ls -lZ /home/aik/virtimg /var/lib/libvirt/images /home/aik/virtimg: -rwxrwxrwx. root root system_u:object_r:virt_content_t:s0 Fedora-18-ppc64-DVD.iso /var/lib/libvirt/images: -rwxr...

...module -i mypol.pp grep 546AA6099F /var/log/audit/audit.log | audit2why type=AVC msg=audit(1398199187.646:29332): avc: denied { getattr } for pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1398199187.646:29333): avc: denied { read write } for pid=23387 co...

...ro to burn a disk, the burn operation fails. /var/log/audit/audit.log contains the following: type=AVC msg=audit(1556724762.446:1133340): avc: denied { read } for pid=8296 comm="growisofs" name="devices" dev="proc" ino=4026532225 scontext=staff_u:staff_r:cdrecord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0 type=AVC msg=audit(1556724762.446:1133341): avc: denied { read } for pid=8296 comm="growisofs" name="meminfo" dev="proc" ino=4026532040 scontext=staff_u:staff_r:cdrecord_t:s0-s0:c0.c1023 tcont...

[root at ipa tftpboot]# semanage fcontext -l | grep tftp /tftpboot directory system_u:object_r:tftpdir_t:s0 /tftpboot/.* all files system_u:object_r:tftpdir_t:s0 /usr/sbin/atftpd regular file system_u:object_r:tftpd_exec_t:s0 /usr/sbin/in\.tftpd regular file system_u:object_r:tftpd_exec_t:s0 /var/lib/tf...

Hello, After updating to CentOS-5.7, I have a (small) problem : The context of /dev/megadev0 is now defined (in /etc/selinux/targeted/contexts/files/file_contexts) as system_u:object_r:removable_device_t:s0. This cause smartmontools to fail : avc: denied { read write } for pid=2847 comm="smartd" name="megadev0" dev=tmpfs ino=8284 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=chr_file Changing the context (of megadev0)...

...ngs and somewhat working. There is a bit of weirdness though. smbclient is only able to access *directories* and not any of the files. Why is that? What am I missing? Here is a log of a test run: [heller at c764guest: ~]$ ls -lZAn total 8424 -rw-------. 1 unconfined_u:object_r:home_root_t:s0 1000 1000 30 Jan 10 2016 .bash_history -rw-r--r--. 1 unconfined_u:object_r:home_root_t:s0 1000 1000 18 Nov 20 2015 .bash_logout -rw-r--r--. 1 unconfined_u:object_r:home_root_t:s0 1000 1000 193 Nov 20 2015 .bash_profile -rw-r--r--. 1 unconfined_u:object_r:home_root_t:s0 1000 1000...

...But when SELinux is in enforcing mode on Server, the commands fail with this message : bash: /usr/bin/xauth: Permission denied and /var/log/audit/audit.log shows the following errors : type=SELINUX_ERR msg=audit(1326381080.364:610): security_compute_sid: invalid context system_u:system_r:xauth_t:s0-s0:c0.c1023 for scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process type=AVC msg=audit(1326381080.364:610): avc: denied { write } for pid=3487 comm="xauth" path="pipe:[21744]" dev=pipefs ino=21744 scontext=system_u...

...ions; needed to use zfs (zfsonlinux) benefit features). Problem is that disks (files in /dev) which attached to KVM guest has SELinux context which inaccessible from context of smartd process. [root at srv-1.home ~]# ls -laZ /dev/sd{a..f} brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675...

Hi All, Thanks for the information. But after resetting the semanage User/login, and moving the targeted folder to old one and then install the default target. then also its still showing the Id context as context=*system_u:system_r:unconfined_t:s0-s0:c0.c1023.* *What I observed is after changing the permission using semanage command also, its still showing the system_u:system_r. * *Check the semanage login/User output :* *semanage login -l* *Login Name SELinux User MLS/MCS Range Service* *__default__ un...

On Tue, Mar 14, 2017 at 02:46:19PM -0400, Ron Wheeler wrote: > https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html > > If disabling Selinux solves your problem, then your problem may be related > to Selinux. > If it does not change yout problem, you may want to look

...ol/cron/aquota.user , it reports that is no default context for that file. [root at CentOS active]# touch /var/spool/cron/aquota.user [root at CentOS active]# restorecon /var/spool/cron/ [root at CentOS active]# ls -lZ /var/spool/cron/ -rw-r--r--. root root unconfined_u:object_r:user_cron_spool_t:s0 aquota.user [root at CentOS active]# restorecon /var/spool/cron/aquota.user restorecon:? Warning no default label for /var/spool/cron/aquota.user Semanage reports this [root at CentOS active]#? semanage fcontext -l|grep quota /a?quota\.(user|group)???????????????????????????? regular file?????...

.../astdb.sqlite3 > > > [root at localhost ~]# tail -f /var/log/audit/audit.log > type=AVC msg=audit(1489588773.253:1171): avc: denied { read } for pid=3838 comm="asterisk" name="astdb.sqlite3" dev="dm-0" ino=100884225 scontext=system_u:system_r:asterisk_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file > type=SYSCALL msg=audit(1489588773.253:1171): arch=c000003e syscall=2 success=no exit=-13 a0=aa5080 a1=80000 a2=1a4 a3=aa5080 items=0 ppid=1485 pid=3838 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses...

When I compile this program *$ cat vararg1-main.c typedef struct { double d; } S0; S0 g1; void foo0(int a, ...); int main(int argc, char **argv) { S0 s0 = { 2.0 }; foo0(1, s0); printf("%f\n", g1.d); * * return 0; }* with this command, *$ clang -target arm-none-linux-gnueabi-gcc -ccc-clang-archs armv7 -emit-llvm vararg1-main.c -S -o vararg1-main.ll -O...

I am installing a new Samba 4.2 Active Directory server on CentOS 7. I followed the Wiki instructions on how to create the server. I am using sernet-samba 4.2 binaries. Everything seems to be OK on the Linux side but I cannot get any windows client to successfully join the domain. Each attempt returns the following error message "RPC Server in not available". Below are the config file

Hi, since 4.12 Samba SELinux context for /var/run/samba is not correct anymore: ``` root at files:~ # ls -la -Z /var/run/samba/ total 12 drwxr-xr-x. 5 root root system_u:object_r:var_run_t:s0 160 Apr 3 20:42 . drwxr-xr-x. 30 root root system_u:object_r:var_run_t:s0 1000 Apr 3 18:39 .. drwxr-xr-x. 3 root root system_u:object_r:var_run_t:s0 60 Apr 3 18:39 ncalrpc drwxr-xr-x. 2 root root system_u:object_r:var_run_t:s0 60 Apr 3 18:39 nmbd -rw-r--r--. 1 root root system_u:obj...

...s addition of disk images of other guest running on the host. Steps followed to create this scenario : Started two VMs with following security configurations: vm1: <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c219,c564</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c219,c564</imagelabel> </seclabel> vm2 : <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c122,c658</label> &l...

...can figure out that "[2 x i32] %0" was originally a structure consisting of a single double field. When I run llc, it looks like "%0" is being passed in register r1 and r2. *$ llc vararg1-main.ll -o - ldr r0, .LCPI0_0 ldm r0, {r1, r2} .LCPI0_0: .long .Lmain.s0 ... .Lmain.s0: .long 0 @ double 2.000000e+00 * I am running tests to see if llc targeting mips can correctly compile a bitcode file generated by clang-arm. One of the tests is failing, and I was wondering whether this could be a bug in arm-specific part of clang. T...

...all, I have some AVC in the logs and wonder how to resolve this: Under EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs. # tail -1 /etc/fstab tmpfs /var/lib/php/session tmpfs defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0" 0 0 # df -a |grep php tmpfs 16384 0 16384 0% /var/lib/php/session # ls -laZ /var/lib/php/session insgesamt 0 drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24. Jul 15:36 . drwxr-xr-x. 6 root root system_u:object_r:httpd_var_lib_t:s0 68 7....

...pletely it works fine. Here are all the messages from /var/log/messages that are SElinux related: May 28 21:39:15 srsblnfw01 kernel: audit(1180381151.395:10): avc: denied { use } for pid=3012 comm="openvpn" name="null" dev=tmpfs ino=1396 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=fd May 28 21:39:15 srsblnfw01 kernel: audit(1180381151.395:11): avc: denied { use } for pid=3012 comm="openvpn" name="null" dev=tmpfs ino=1396 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=fd May...