search for: seinfo

On May 4, 2018, at 5:13 PM, Gordon Messmer <gordon.messmer at gmail.com> wrote: > > On 05/04/2018 12:03 PM, Warren Young wrote: >> ?there is a command down in section 2 that gives an error here on CentOS 7: >> >> $ sudo semanage fcontext ?at samba_share_t /path/to/share >> ?noise noise noise? >> semanage: error: unrecognized arguments:

...er, another label, svirt_socket_t, which is accessible from virt_domain: # sesearch -A -s svirt_t -c unix_stream_socket -p connectto ... allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... }; ... And virt_domain is a type attribute of both svirt_t and svirt_tcg_t: # seinfo -x -a virt_domain Type Attributes: 1 attribute virt_domain; svirt_t svirt_tcg_t Resolves: https://bugzilla.redhat.com/1698437 Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- v2v/input_libvirt_vddk.ml | 2 +- v2v/output_rhv_upload.ml | 2 +- 2 files ch...

On 09/09/2018 07:19 AM, Daniel Walsh wrote: > sesearch -A -s httpd_t -t system_conf_t -p read > > If you feel that these files should not be part of the base_ro_files > then we should open that for discussion. I think the question was how users would know that the policy allowed access, as he was printing rules affecting httpd_t's file read access, and looking for

...allow domain rpm_transition_domain : fifo_file { ioctl read write getattr lock append } ; allow domain base_ro_file_type : file { ioctl read getattr lock open } ; Looking for sysctl.conf's type : # for m in tmpfile configfile rpm_transition_domain base_ro_file_type ; do echo ${m}:$(seinfo -a${m} -x |grep system_conf_t) ; done tmpfile: configfile: system_conf_t rpm_transition_domain: base_ro_file_type: system_conf_t If the output of sesearch shows the preferred order then the "configfile" attribute allows actually the access ?? > If you feel that these files should...

...ible from > virt_domain: > > # sesearch -A -s svirt_t -c unix_stream_socket -p connectto > ... > allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... }; > ... > > And virt_domain is a type attribute of both svirt_t and svirt_tcg_t: > > # seinfo -x -a virt_domain > Type Attributes: 1 > attribute virt_domain; > svirt_t > svirt_tcg_t > > Resolves: https://bugzilla.redhat.com/1698437 > > Signed-off-by: Martin Kletzander <mkletzan@redhat.com> > --- > v2v/input_libvirt_vddk.ml |...

...nage [-h] > > {import,export,login,user,port,interface,module,node, > fcontext,boolean,permissive,dontaudit} > ... > semanage: error: unrecognized arguments: samba_share_t > '/path/to/share(/.*)?' You can check the labels using seinfo -t, below is what I had for samba samba_etc_t samba_initrc_exec_t samba_log_t samba_net_exec_t samba_net_t samba_net_tmp_t samba_secrets_t samba_share_t samba_spool_t samba_unconfined_net_t samba_unconfined_script_exec_t samba_unconfined_script_t samba_unit_f...

...checked for errors further into this commit. > + 1. Finding the right context to use as you manage a system is difficult. One place to start is ''ls -Z''. Look at the directories and data pre-installed by a package and copy the contexts already used. The next tool is ''seinfo -t'' which lists all contexts currently in use on your system. grep for the name of your application. > + 1. ''audit2allow'' is actually easier to use than presented here. When you have a conflict between two contexts, find the error messages in ''audit.log'&...

I seem to have quieted some, but I'm still getting noise from selinux. Here's one that really puzzles me: my users have a ruby app with passenger running. However, one of the sealerts gives me: sealert -l 5a02b0a1-8512-4f71-b1c8-70a40b090a9d SELinux is preventing /bin/chmod from using the fowner capability. ***** Plugin catchall_boolean (89.3 confidence) suggests *******************

Am 09.09.2018 um 14:49 schrieb Daniel Walsh <dwalsh at redhat.com>: > > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file