search for: selinuxtyp

Displaying 20 results from an estimated 35 matches for "selinuxtyp".

Did you mean: selinuxtype
2018 Jan 31
1
[PATCH] customize: allow missing SELINUXTYPE in SELinux config
libselinux defaults to "targeted" when no SELINUXTYPE is specified in /etc/config/selinux. Hence do the same here, instead of failing because of the missing key. Add a slow test for checking SELinux relabeling on a Fedora 27 guest, both with no changes, and with a modified configuration. --- customize/Makefile.am | 2 ++ customize/SELi...
2020 May 18
2
Re: [PATCH libguestfs-common 2/2] mlcustomize: Fall back to autorelabel if specfile does not exist (RHBZ#1828952).
On Tuesday, 5 May 2020 17:44:15 CEST Richard W.M. Jones wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 I think we need to do a different approach than this patch. The biggest thing is that currently we check only SELINUXTYPE for the actual policy, however we do not check SELINUX in case SELinux is in enforcing mode at all. IMHO we rather need to read /etc/selinux/<SELINUX> first: - if enforcing, go ahead with the current relabeling: check SELINUXTYPE, get the policy path, etc; if set like this, then most prob...
2014 Dec 30
3
can't enable selinux CentOS 6.5
.../selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted And when I check if it's enabled this is what I get: [root at beta-new:~] #getenforce Disabled But when I go to set SELinux to enabled, ev...
2020 May 05
3
[PATCH libguestfs-common 1/2] mlcustomize: Refactor SELinux_relabel code.
...e fallback in case something in the setfiles + * method didn't work. That includes the case where a non-SELinux + * host is processing an SELinux guest, and other things. *) - let policy = - let config_path = "/files/etc/selinux/config" in - let selinuxtype_path = config_path ^ "/SELINUXTYPE" in - let keys = g#aug_ls config_path in - if array_find selinuxtype_path keys then - g#aug_get selinuxtype_path - else - "targeted" in + g#touch "/.autorelabel" + ) - g#aug_close (...
2007 Mar 12
2
selinux disable but still working
.../config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disable # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted But during the boot i see selinux warnings and some software wan't start correctly: audit(1173699978.909:2): avc: deni...
2020 Jun 24
0
Re: [PATCH libguestfs-common 2/2] mlcustomize: Fall back to autorelabel if specfile does not exist (RHBZ#1828952).
...12:29AM +0200, Pino Toscano wrote: > On Tuesday, 5 May 2020 17:44:15 CEST Richard W.M. Jones wrote: > > https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 > > I think we need to do a different approach than this patch. > > The biggest thing is that currently we check only SELINUXTYPE for the > actual policy, however we do not check SELINUX in case SELinux is in > enforcing mode at all. > > IMHO we rather need to read /etc/selinux/<SELINUX> first: > - if enforcing, go ahead with the current relabeling: check SELINUXTYPE, > get the policy path, etc; if...
2014 May 26
2
[PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
...FSD_EXT_CMD(str_setfiles, setfiles); + #if defined(HAVE_LIBSELINUX) int @@ -92,28 +96,188 @@ OPTGROUP_SELINUX_NOT_AVAILABLE #endif /* !HAVE_LIBSELINUX */ int -do_selinux_relabel (const char *root) +optgroup_selinuxtools_available (void) +{ + return prog_exists (str_setfiles); +} + +#define SELINUXTYPE "SELINUXTYPE" + +static int +has_selinux_mountpoint (void) +{ + static int has_mp = -1; + if (has_mp == -1) { + struct stat sb; + dev_t root_dev; + + if (stat ("/", &sb) == -1) + return -1; + root_dev = sb.st_dev; + + if (stat ("/sys/fs/selinux&qu...
2020 Sep 23
6
[common PATCH 0/3] SELinux_relabel: relabel only if enforcing (RHBZ#1828952)
Continuation/rework of: https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html This is my approach, as I explained here: https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html IOW: do not attempt to relabel if the guest is not enforcing, as it is either useless or may fail; few words more are in the comments of patch #3.
2018 Feb 07
1
[PATCH] customize: avoid Array.mem for now
...(Array.to_list l) + let relabel (g : G.guestfs) = (* Is the guest using SELinux? *) if g#is_file ~followsymlinks:true "/usr/sbin/load_policy" && @@ -44,7 +48,7 @@ let relabel (g : G.guestfs) = let config_path = "/files/etc/selinux/config" in let selinuxtype_path = config_path ^ "/SELINUXTYPE" in let keys = g#aug_ls config_path in - if Array.mem selinuxtype_path keys then + if array_find selinuxtype_path keys then g#aug_get selinuxtype_path else "targeted" in -- 2.14.3
2020 May 05
0
[PATCH libguestfs-common 2/2] mlcustomize: Fall back to autorelabel if specfile does not exist (RHBZ#1828952).
https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 If SELINUXTYPE is set to some value other than targeted then we look for a directory /etc/selinux/<SELINUXTYPE> which does not exist. However this should not cause a fatal error. Using setfiles to do the relabelling immediately is a nice-to-have, but we can fallback to using autorelabel if we're unabl...
2014 Dec 30
0
can't enable selinux CentOS 6.5
...the state of SELinux on the system. > # SELINUX= can take one of these three values: > # enforcing - SELinux security policy is enforced. > # permissive - SELinux prints warnings instead of enforcing. > # disabled - No SELinux policy is loaded. > SELINUX=enforcing > # SELINUXTYPE= can take one of these two values: > # targeted - Targeted processes are protected, > # mls - Multi Level Security protection. > SELINUXTYPE=targeted > > > And when I check if it's enabled this is what I get: > > [root at beta-new:~] #getenforce > Disabled &g...
2014 Dec 30
2
can't enable selinux CentOS 6.5
...the system. >> # SELINUX= can take one of these three values: >> # enforcing - SELinux security policy is enforced. >> # permissive - SELinux prints warnings instead of enforcing. >> # disabled - No SELinux policy is loaded. >> SELINUX=enforcing >> # SELINUXTYPE= can take one of these two values: >> # targeted - Targeted processes are protected, >> # mls - Multi Level Security protection. >> SELINUXTYPE=targeted >> >> >> And when I check if it's enabled this is what I get: >> >> [root at beta-new...
2017 Apr 13
0
Access denied to change share security staff
...x/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted [root at gtmpve selinux]# setenforce 0 setenforce: SELi...
2014 May 24
9
SELinux relabel API
[ I realized that we were discussing adding this feature, in various private email, IRC, and this long bugzilla thread: https://bugzilla.redhat.com/show_bug.cgi?id=1060423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment
2005 Aug 31
1
SELinux
I'm probably dense - CentOS 4.1 # cat /etc/sysconfig/selinux ..snip... SELINUXTYPE=targeted # su - Alec # tail -n 3 /var/log/messages Aug 31 08:48:26 srv1 su(pam_unix)[31435]: session opened for user Alec by root(uid=0) Aug 31 08:48:26 srv1 su[31435]: Warning! Could not relabel /dev/pts/0 with user_u:object_r:devpts_t, not relabeling.Operation not permitted Aug 31 08:48:27 srv...
2010 Apr 19
0
That the Linux bridge configuration does not work afer I upgraded the kernel to 2.6.33.2.
...t /etc/sysconfig/selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disabled # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted [root at node78 ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot...
2017 Apr 13
2
Access denied to change share security staff
On Thu, 13 Apr 2017 09:28:09 -0400 Rommel Rodriguez Toirac via samba <samba at lists.samba.org> wrote: > > I follow step by step Setting up a Share Using Windows ACLs from > wiki, but still I have an Access denied when try to change the > permissions of share or when try to change Security ACL. As sugesst > Rowland I do not change the permissions using Unix, just create the
2009 Sep 04
3
System Recovery
...config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disabled # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted # SETLOCALDEFS= Check local definition changes SETLOCALDEFS=0 [rj at mavis ~]$ Does anyone have any ideas how I might att...
2008 Mar 07
1
Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?
The raw socket option in the kernel only allows privileged processes to open them. Selinux controls which privileged processes have the right to. To allow an unprivileged process to access a raw socket you will need to write a proxy daemon that runs privileged and is allowed in selinux to create a raw socket. This daemon can then provide a unix socket to unprivileged processes whose access can
2020 Sep 23
0
[common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
...missive" mode SELinux is still running, however nothing is + * enforced: this means labels can be wrong, and "it is fine" + * - when "disabled" means SELinux is not running, so any relabelling + * is pointless (other than potentially fail due to an invalid + * SELINUXTYPE configuration) + *) + if typ <> "enforcing" then + raise SELinux_not_enforcing; + (* Get the SELinux policy name, eg. "targeted", "minimum". * Use "targeted" if not specified, just like libselinux does. *) -- 2.26.2