Displaying 20 results from an estimated 151 matches for "semodul".
Did you mean:
semodule
2015 Apr 01
1
SEmodule dependency hell.
...ly that, reassign port contexts, in the past without
encountering this situation. So it has to be a recent development. I
am not against SELinux. We use it extensively. But this is not
security it is simply BS.
It is stuff like this that causes people to say just turn selinux off
altogether.
semodule -r apache
libsepol.print_missing_requirements: awstats's global requirements
were not met: type/attribute httpd_log_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file
or directory).
semodule: Failed!
semodule -r awstats
semodule -r apache
li...
2015 Jun 17
2
selinux allow apache log access
>
> That's because there's already a zabbix module loaded (the message isn't
> very informative!). I forgot that the received wisdom is to insert "my" in
> front of ones own modules i.e.:
> grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
> semodule -i myzabbix.pp
Hmm no luck there either:
[root at monitor2:~] #semodule -i myzabbix.pp
*semodule: Failed on myzabbix.pp!*
I also tried:
[root at monitor2:~] #semodule -i my_zabbix
semodule: Failed on my_zabbix!
And
[root at monitor2:~] #semodule -i my-zabbix
semodule: Failed on my-zabbi...
2015 Jun 17
2
selinux allow apache log access
>
> Try something like:
> grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
> semodule -i zabbix.pp
Thanks for your response! However this is what happens when I try to
install the module:
[root at monitor2:~] #semodule -i zabbix.pp
libsepol.print_missing_requirements: zabbix's global requirements were not
met: type/attribute zabbix_t (No such file or directory).
libsemanag...
2020 Nov 20
2
selinux policy (& engine) broken in C7
hi guys
I've just gotten a bunch of updates via yum and something
weird seems to be going on after the update.
System has:
selinux-policy-3.13.1-268.el7_9.2.noarch
selinux-policy-targeted-3.13.1-268.el7_9.2.noarch
actually three different boxes, all the same:
$ semodule -l
No modules.
and an attempt to install modules fails:
$ semodule -i openvpn.pp
Failed to resolve typeattributeset statement at
/etc/selinux/targeted/tmp/modules/400/pe-openvpn/cil:1
semodule:? Failed!
Does above "usual" work for you?
many thanks, L.
2015 Jun 17
2
selinux allow apache log access
>
> What turns up in myzabbix.te?
Same deal. :(
#semodule -i myzabbix.te
semodule: Failed on myzabbix.te!
sigh... but thanks any other clues?
On Wed, Jun 17, 2015 at 11:42 AM, Harold Toms <h.toms at qmul.ac.uk> wrote:
> On 17/06/15 16:29, Tim Dunphy wrote:
>
>> That's because there's already a zabbix module loaded (the mess...
2007 Jul 19
1
semodule - global requirements not met
...{ add_name getattr read remove_name
search write };
allow amavis_t mqueue_spool_t:file { create getattr lock read rename
unlink write };
allow amavis_t sbin_t:lnk_file read;
allow amavis_t sendmail_exec_t:file { execute execute_no_trans read };
allow amavis_t var_lib_t:dir search;
- now I do 'semodule -i amavis.pp' to load the module- but instead of
working I instead get this error:
libsepol.print_missing_requirements: amavis's global requirements were
not met: type/attribute amavis_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Anyone know the next step...
2015 Jun 17
0
selinux allow apache log access
...hat's because there's already a zabbix module loaded (the message isn't
>> very informative!). I forgot that the received wisdom is to insert "my" in
>> front of ones own modules i.e.:
>> grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
>> semodule -i myzabbix.pp
>
>
> Hmm no luck there either:
>
> [root at monitor2:~] #semodule -i myzabbix.pp
> *semodule: Failed on myzabbix.pp!*
>
> I also tried:
>
> [root at monitor2:~] #semodule -i my_zabbix
> semodule: Failed on my_zabbix!
>
> And
>
> [root...
2020 Feb 26
3
CentOS 7 : SELinux trouble with Fail2ban
...n the disable file by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver
>> # semodule -i my-f2bserver.pp
>> Weirdly enough, when I follow this suggestion and then empty audit.log and restart my server, I still get the exact same error again.
>
> I reinstalled this server from scratch and took some notes. This time I was successful, though I don't know exactly what...
2020 Feb 26
5
CentOS 7 : SELinux trouble with Fail2ban
...elieve that python2.7 should be allowed read access on the disable file
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver
# semodule -i my-f2bserver.pp
Weirdly enough, when I follow this suggestion and then empty audit.log and
restart my server, I still get the exact same error again.
Which makes Fail2ban unusable with SELinux in enforcing mode in the current state.
Any suggestions ?
Niki
--
Microlinux - Solutions inform...
2015 Apr 02
0
SEmodule dependency hell.
File a bug!!!
On 2 April 2015 at 16:20, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>
> On Wed, April 1, 2015 16:09, Andrew Holway wrote:
> > I used the command: semanage port -m -t http_port_t -p tcp 8000
> > to relabel a port. perhaps you could try:
> > "semanage port -m -t unconfined_t -p tcp 8000"
> > Failing that; would it work to run your
2017 Feb 12
2
Centos7 and old Bind bug
...I'm not seeing those errors logged, either, so maybe your system
> differs from mine. If I'm misreading, hopefully someone will chime in
> to clarify.
... Also, it might be useful to get the AVCs on your system. The bug
entry indicated that you'd need to enable debugging (semodule -DB, and
later use semodule -B to disable debugging) to get them. While in
debugging mode, audit.log should contain confirmation that SELinux is
blocking the port use. That log entry should tell us more about how to
address the problem.
2020 Nov 21
0
selinux policy (& engine) broken in C7
...ve just gotten a bunch of updates via yum and something
> weird seems to be going on after the update.
> System has:
>
> selinux-policy-3.13.1-268.el7_9.2.noarch
> selinux-policy-targeted-3.13.1-268.el7_9.2.noarch
>
> actually three different boxes, all the same:
>
> $ semodule -l
> No modules.
>
> and an attempt to install modules fails:
>
> $ semodule -i openvpn.pp
> Failed to resolve typeattributeset statement at
> /etc/selinux/targeted/tmp/modules/400/pe-openvpn/cil:1
> semodule: Failed!
I have a smilar issue after the latest CentOS 7 upda...
2010 Jul 23
1
postgresql copy to and selinux
I need to run a "copy table to '/home/user/dir/copy.txt';" but I get
permission denied. Filesystem dir modes are ok and I get no event
logged in audit.log, but if I setenforce 0, I can do the copy. This
explains auditd silence:
# sesearch --audit |egrep postgres.*home
dontaudit postgresql_t user_home_dir_t : dir { getattr search };
dontaudit postgresql_t home_root_t : dir
2020 Feb 13
3
CentOS 7, Fail2ban and SELinux
...believe that python2.7 should be allowed read access on the disable file
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd
# semodule -i my-f2bfsshd.pp
...
As far as I can tell - and please correct me if I'm wrong - if a package
doesn't play well with SELinux in the default configuration, this should be
considered as a bug. In that case, the appropriate reaction would be to file a
bug on the EPEL mailing list, since...
2017 Oct 09
2
Can't get Samba 4.4.4 going on CentOS 7.3.1611
Hi folks,
I've been googling for an hour on this which seems to be awfully
basic. But I cannot find anything definitive.
[root at centos-gig ~]# systemctl enable smb.service
Failed to execute operation: Access denied
[root at centos-gig ~]# setenforce 0
[root at centos-gig ~]# systemctl enable smb.service
Failed to execute operation: No such file or directory
Have tried things like :
chcon
2017 Apr 25
3
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 06:45 PM, Gordon Messmer wrote:
> On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
>> Quick?n?(really) dirty SELinux howto:
>
>
> Alternate process:
>
> 1: setenforce permissive
> 2: tail -f /var/log/audit/audit.log | grep AVC
> 3: use the service, exercise each function that's constrained by the
> existing policy
> 4: copy and paste the
2015 Jun 20
2
puppet files denied by SELinux
...t; ino=1842005 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file
And audit2allow told me this:
#grep puppet /var/log/audit/audit.log | audit2allow -M puppet
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i puppet.pp
But in installing the module I get an error I've never seen before:
#semodule -i puppet.pp
libsepol.print_missing_requirements: foreman's global requirements were not
met: type/attribute puppet_var_lib_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link pa...
2015 Jun 16
2
selinux allow apache log access
Hey guys,.
I have a centos 7 machine I'm using as a zabbix server. And I noticed that
apache won't start, with this complaint in the error log:
(13)Permission denied: AH00091: httpd: could not open error log file
/var/log/zabbix_error_log.
AH00015: Unable to open logs
I tried having a look at audit2allow and this is the response I get back:
[root at monitor2:/etc/httpd] #grep http
2017 Oct 09
3
Samba won't start on Centos 7.3.1611
Hi folks,
I've been googling for an hour on this which seems to be awfully
basic. But I cannot find anything definitive.
[root at centos-gig ~]# systemctl enable smb.service
Failed to execute operation: Access denied
[root at centos-gig ~]# setenforce 0
[root at centos-gig ~]# systemctl enable smb.service
Failed to execute operation: No such file or directory
Have tried things like :
chcon
2015 Apr 02
2
SEmodule dependency hell.
On Wed, April 1, 2015 16:09, Andrew Holway wrote:
> I used the command: semanage port -m -t http_port_t -p tcp 8000
> to relabel a port. perhaps you could try:
> "semanage port -m -t unconfined_t -p tcp 8000"
> Failing that; would it work to run your application in the httpd_t
> domain?
>
I ended up having to create a custom policy to allow the other
application to