Displaying 20 results from an estimated 35 matches for "selinuxtype".

2018 Jan 31
1
[PATCH] customize: allow missing SELINUXTYPE in SELinux config
libselinux defaults to "targeted" when no SELINUXTYPE is specified in /etc/config/selinux. Hence do the same here, instead of failing because of the missing key. Add a slow test for checking SELinux relabeling on a Fedora 27 guest, both with no changes, and with a modified configuration. --- customize/Makefile.am | 2 ++ customize/SELin...
2020 May 18
2
Re: [PATCH libguestfs-common 2/2] mlcustomize: Fall back to autorelabel if specfile does not exist (RHBZ#1828952).
On Tuesday, 5 May 2020 17:44:15 CEST Richard W.M. Jones wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 I think we need to do a different approach than this patch. The biggest thing is that currently we check only SELINUXTYPE for the actual policy, however we do not check SELINUX in case SELinux is in enforcing mode at all. IMHO we rather need to read /etc/selinux/<SELINUX> first: - if enforcing, go ahead with the current relabeling: check SELINUXTYPE, get the policy path, etc; if set like this, then most proba...
2014 Dec 30
3
can't enable selinux CentOS 6.5
.../selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted And when I check if it's enabled this is what I get: [root at beta-new:~] #getenforce Disabled But when I go to set SELinux to enabled, eve...
2020 May 05
3
[PATCH libguestfs-common 1/2] mlcustomize: Refactor SELinux_relabel code.
...e fallback in case something in the setfiles + * method didn't work. That includes the case where a non-SELinux + * host is processing an SELinux guest, and other things. *) - let policy = - let config_path = "/files/etc/selinux/config" in - let selinuxtype_path = config_path ^ "/SELINUXTYPE" in - let keys = g#aug_ls config_path in - if array_find selinuxtype_path keys then - g#aug_get selinuxtype_path - else - "targeted" in + g#touch "/.autorelabel" + ) - g#aug_close ()...
2007 Mar 12
2
selinux disable but still working
.../config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disable # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted But during the boot I see selinux warnings and some software won't start correctly: audit(1173699978.909:2): avc: denie...
2020 Jun 24
0
Re: [PATCH libguestfs-common 2/2] mlcustomize: Fall back to autorelabel if specfile does not exist (RHBZ#1828952).
...12:29AM +0200, Pino Toscano wrote: > On Tuesday, 5 May 2020 17:44:15 CEST Richard W.M. Jones wrote: > > https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 > > I think we need to do a different approach than this patch. > > The biggest thing is that currently we check only SELINUXTYPE for the > actual policy, however we do not check SELINUX in case SELinux is in > enforcing mode at all. > > IMHO we rather need to read /etc/selinux/<SELINUX> first: > - if enforcing, go ahead with the current relabeling: check SELINUXTYPE, > get the policy path, etc; if...
2014 May 26
2
[PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
...FSD_EXT_CMD(str_setfiles, setfiles); + #if defined(HAVE_LIBSELINUX) int @@ -92,28 +96,188 @@ OPTGROUP_SELINUX_NOT_AVAILABLE #endif /* !HAVE_LIBSELINUX */ int -do_selinux_relabel (const char *root) +optgroup_selinuxtools_available (void) +{ + return prog_exists (str_setfiles); +} + +#define SELINUXTYPE "SELINUXTYPE" + +static int +has_selinux_mountpoint (void) +{ + static int has_mp = -1; + if (has_mp == -1) { + struct stat sb; + dev_t root_dev; + + if (stat ("/", &sb) == -1) + return -1; + root_dev = sb.st_dev; + + if (stat ("/sys/fs/selinux&quo...
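Review bot: in has_selinux_mountpoint, -1 is used both as the "not yet computed" value of the static has_mp and as the return value when `stat ("/", &sb)` fails, and the failure path returns without reporting anything. Please add a comment above the function stating what each return value means and make sure the error case is reported where it is detected or by the caller, so a failed stat is not mistaken for "no mountpoint".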
2020 Sep 23
6
[common PATCH 0/3] SELinux_relabel: relabel only if enforcing (RHBZ#1828952)
Continuation/rework of: https://www.redhat.com/archives/libguestfs/2020-May/msg00020.html This is my approach, as I explained here: https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c4 https://www.redhat.com/archives/libguestfs/2020-May/msg00035.html IOW: do not attempt to relabel if the guest is not enforcing, as it is either useless or may fail; few words more are in the comments of patch #3.
2018 Feb 07
1
[PATCH] customize: avoid Array.mem for now
...(Array.to_list l) + let relabel (g : G.guestfs) = (* Is the guest using SELinux? *) if g#is_file ~followsymlinks:true "/usr/sbin/load_policy" && @@ -44,7 +48,7 @@ let relabel (g : G.guestfs) = let config_path = "/files/etc/selinux/config" in let selinuxtype_path = config_path ^ "/SELINUXTYPE" in let keys = g#aug_ls config_path in - if Array.mem selinuxtype_path keys then + if array_find selinuxtype_path keys then g#aug_get selinuxtype_path else "targeted" in -- 2.14.3
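Review bot: the `array_find selinuxtype_path keys` call in relabel replaces `Array.mem` only "for now" according to the subject, but nothing at the call site says so. Please add a short comment, at the helper or at this call, noting that it is a temporary stand-in for Array.mem and under what condition it can be reverted, so the local helper does not linger after it is no longer needed.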
2020 May 05
0
[PATCH libguestfs-common 2/2] mlcustomize: Fall back to autorelabel if specfile does not exist (RHBZ#1828952).
https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 If SELINUXTYPE is set to some value other than targeted then we look for a directory /etc/selinux/<SELINUXTYPE> which does not exist. However this should not cause a fatal error. Using setfiles to do the relabelling immediately is a nice-to-have, but we can fall back to using autorelabel if we're unable...
2014 Dec 30
0
can't enable selinux CentOS 6.5
...the state of SELinux on the system. > # SELINUX= can take one of these three values: > # enforcing - SELinux security policy is enforced. > # permissive - SELinux prints warnings instead of enforcing. > # disabled - No SELinux policy is loaded. > SELINUX=enforcing > # SELINUXTYPE= can take one of these two values: > # targeted - Targeted processes are protected, > # mls - Multi Level Security protection. > SELINUXTYPE=targeted > > > And when I check if it's enabled this is what I get: > > [root at beta-new:~] #getenforce > Disabled >...
2014 Dec 30
2
can't enable selinux CentOS 6.5
...the system. >> # SELINUX= can take one of these three values: >> # enforcing - SELinux security policy is enforced. >> # permissive - SELinux prints warnings instead of enforcing. >> # disabled - No SELinux policy is loaded. >> SELINUX=enforcing >> # SELINUXTYPE= can take one of these two values: >> # targeted - Targeted processes are protected, >> # mls - Multi Level Security protection. >> SELINUXTYPE=targeted >> >> >> And when I check if it's enabled this is what I get: >> >> [root at beta-new:...
2017 Apr 13
0
Access denied to change share security staff
...x/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted [root at gtmpve selinux]# setenforce 0 setenforce: SELin...
2014 May 24
9
SELinux relabel API
[ I realized that we were discussing adding this feature, in various private email, IRC, and this long bugzilla thread: https://bugzilla.redhat.com/show_bug.cgi?id=1060423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment
2005 Aug 31
1
SELinux
I'm probably dense - CentOS 4.1 # cat /etc/sysconfig/selinux ..snip... SELINUXTYPE=targeted # su - Alec # tail -n 3 /var/log/messages Aug 31 08:48:26 srv1 su(pam_unix)[31435]: session opened for user Alec by root(uid=0) Aug 31 08:48:26 srv1 su[31435]: Warning! Could not relabel /dev/pts/0 with user_u:object_r:devpts_t, not relabeling.Operation not permitted Aug 31 08:48:27 srv1...
2010 Apr 19
0
That the Linux bridge configuration does not work after I upgraded the kernel to 2.6.33.2.
...t /etc/sysconfig/selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disabled # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted [root at node78 ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot...
2017 Apr 13
2
Access denied to change share security staff
On Thu, 13 Apr 2017 09:28:09 -0400 Rommel Rodriguez Toirac via samba <samba at lists.samba.org> wrote: > > I follow step by step Setting up a Share Using Windows ACLs from > wiki, but still I have an Access denied when try to change the > permissions of share or when try to change Security ACL. As suggested by > Rowland I do not change the permissions using Unix, just create the
2009 Sep 04
3
System Recovery
...config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disabled # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted # SETLOCALDEFS= Check local definition changes SETLOCALDEFS=0 [rj at mavis ~]$ Does anyone have any ideas how I might atta...
2008 Mar 07
1
Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
The raw socket option in the kernel only allows privileged processes to open them. Selinux controls which privileged processes have the right to. To allow an unprivileged process to access a raw socket you will need to write a proxy daemon that runs privileged and is allowed in selinux to create a raw socket. This daemon can then provide a unix socket to unprivileged processes whose access can
2020 Sep 23
0
[common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
...missive" mode SELinux is still running, however nothing is + * enforced: this means labels can be wrong, and "it is fine" + * - when "disabled" means SELinux is not running, so any relabelling + * is pointless (other than potentially fail due to an invalid + * SELINUXTYPE configuration) + *) + if typ <> "enforcing" then + raise SELinux_not_enforcing; + (* Get the SELinux policy name, eg. "targeted", "minimum". * Use "targeted" if not specified, just like libselinux does. *) -- 2.26.2
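Review bot: the `if typ <> "enforcing"` check also skips relabelling for permissive guests, and the comment accepts that labels "can be wrong" there. A guest that is later switched from permissive to enforcing would then start with whatever labels the customization left behind, so either touch /.autorelabel in the permissive case or state in the comment that a relabel is the administrator's job when changing mode. The bullet `- when "disabled" means SELinux is not running` also has a stray "when" and should be reworded to match the first bullet.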