Displaying 20 results from an estimated 27 matches for "sesearch".
2018 Sep 09
3
Type enforcement / mechanism not clear
On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote:
>
> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:
>> Any SELinux expert here - briefly:
>>
>> # getenforce
>> Enforcing
>>
>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
>> <no output>
>>
>> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t
>> <no output>
>>
>> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
>> -rw-r--r--. root root system_u:objec...
2018 Sep 09
1
Type enforcement / mechanism not clear
On 09/09/2018 07:19 AM, Daniel Walsh wrote:
> sesearch -A -s httpd_t -t system_conf_t -p read
>
> If you feel that these files should not be part of the base_ro_files
> then we should open that for discussion.
I think the question was how users would know that the policy allowed
access, as he was printing rules affecting httpd_t's file...
2018 Sep 10
1
Type enforcement / mechanism not clear
...09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote:
>>> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:
>>>> Any SELinux expert here - briefly:
>>>>
>>>> # getenforce
>>>> Enforcing
>>>>
>>>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
>>>> <no output>
>>>>
>>>> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t
>>>> <no output>
>>>>
>>>> # ls -laZ /etc/sysctl.conf /etc/rsyslog.co...
2018 Sep 09
2
Type enforcement / mechanism not clear
Any SELinux expert here - briefly:
# getenforce
Enforcing
# sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
<no output>
# sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t
<no output>
# ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf
-rw-r--r--. root root s...
2016 Jul 05
4
How to have more than one SELinux context on a directory
...or
> samba_share_t).
> Or use audit2allow to add necessary allow rules to an existing type.
> Any of the above could be a major PITA.
Some links and commands which might be useful if you really need this
done:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types
# sesearch --help
# sesearch --allow -t samba_share_t
# sesearch --allow -t tftpdir_rw_t
2018 Sep 09
0
Type enforcement / mechanism not clear
...via CentOS wrote:
> On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote:
>> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:
>>> Any SELinux expert here - briefly:
>>>
>>> # getenforce
>>> Enforcing
>>>
>>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
>>> <no output>
>>>
>>> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t
>>> <no output>
>>>
>>> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
>>> -rw-r--r--...
2016 Jul 05
3
How to have more than one SELinux context on a directory
Hello,
I need to have the tftpdir_rw_t and samba_share_t SELinux context on
the same directory.
How can we do this? Is it feasible to have more than one SELinux context?
Thanks,
Bernard
2016 Jul 06
0
How to have more than one SELinux context on a directory
...udit2allow to add necessary allow rules to an existing type.
>> Any of the above could be a major PITA.
>>
>
> Some links and commands which might be useful if you really need this done:
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types
>
> # sesearch --help
> # sesearch --allow -t samba_share_t
> # sesearch --allow -t tftpdir_rw_t
>
2018 Sep 09
0
Type enforcement / mechanism not clear
On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:
> Any SELinux expert here - briefly:
>
>
> # getenforce
> Enforcing
>
> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
> <no output>
>
> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t
> <no output>
>
> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
> -rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsys...
2019 May 27
2
[PATCH] Use proper label for nbdkit sockets
...s it does not always guarantee that it will
be accessible from a virtual machine. The VM might be running under svirt_tcg_t
context which will need a svirt_tcg_t label on the socket in order to access it.
There is, however, another label, svirt_socket_t, which is accessible from
virt_domain:
# sesearch -A -s svirt_t -c unix_stream_socket -p connectto
...
allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... };
...
And virt_domain is a type attribute of both svirt_t and svirt_tcg_t:
# seinfo -x -a virt_domain
Type Attributes: 1
attribute virt_domain;
sv...
2017 Feb 12
3
Centos7 and old Bind bug
This is my new Centos7 DNS server.
In logwatch I am seeing:
**Unmatched Entries**
dispatch 0xb4378008: open_socket(0.0.0.0#5546) -> permission denied: continuing: 1 Time(s)
dispatch 0xb4463008: open_socket(::#1935) -> permission denied: continuing: 1 Time(s)
dispatch 0xb4464440: open_socket(::#8554) -> permission denied: continuing: 1 Time(s)
dispatch 0xb4464440:
2016 Jul 06
2
How to have more than one SELinux context on a directory
...(either samba_share_t or tftpdir_rw_t).
BTW have you really tried to access files labelled with tftpdir_rw_t via
samba or vice versa? There's already a number of rules in the default
policy which allow ftp access to samba shares and smb/nmb access to
files labelled with tftpdir_rw_t. Eg
# sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp
allow ftpd_t samba_share_t : file { ioctl read write create getattr
setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : dir { ioctl read write create getattr
setattr lock unlink link rename add_name remove_n...
2020 Jul 02
2
Re: Two questions about NVDIMM devices
Daniel P. Berrangé <berrange@redhat.com> writes:
> On Thu, Jul 02, 2020 at 01:21:15PM +0200, Milan Zamazal wrote:
>> Hi,
>>
>
>> I've met two situations with NVDIMM support in libvirt where I'm not
>> sure all the parties (libvirt & I) do the things correctly.
>>
>> The first problem is with memory alignment and size changes. In
2019 May 28
0
Re: [PATCH] Use proper label for nbdkit sockets
...n the socket in order to access it.
I don't really know enough about SELinux or the sVirt policy to
comment on this, but it's plausible so I'll push it soon, thanks.
Rich.
> There is, however, another label, svirt_socket_t, which is accessible from
> virt_domain:
>
> # sesearch -A -s svirt_t -c unix_stream_socket -p connectto
> ...
> allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... };
> ...
>
> And virt_domain is a type attribute of both svirt_t and svirt_tcg_t:
>
> # seinfo -x -a virt_domain
> Type Attributes: 1...
2017 Feb 12
0
Centos7 and old Bind bug
...was assigned to the selinux-policy component,
where it was CLOSED NOTABUG, and then mistakenly marked CLOSED ERRATA.
The solution is probably to specify the allowed ports. However, I must
be reading something wrong, because on my system, it looks like named_t
is allowed to use those ports.
# sesearch -A -s named_t | grep port | grep bind
...indicates that named_t is allowed to bind to both unreserved
ports and ephemeral ports.
# semanage port -l | grep unreserved_port_t
unreserved_port_t tcp 61001-65535, 1024-32767
unreserved_port_t udp 61001-65535, 1...
2020 Apr 13
0
SELinux denies login
...avc: denied { unlink } for
pid=28735 comm="krb5_child" name="krb5cc_1985100122_oxJnH7" dev="dm-0"
ino=67978294 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
The policy allows sssd_t to unlink user_tmp_type:
sesearch -s sssd_t --allow:
allow sssd_t user_tmp_type : file { ioctl read write create getattr
setattr lock relabelfrom relabelto append unlink link rename open } ;
Is the problem that the credential cache files in /tmp are being created
with the wrong label, or is there some other problem I'm...
2012 Nov 22
0
Still cannot manage folders through Samba4 with SELinux samba_export_all_rw enabled
...nt_rw_t by issuing:
semanage fcontext -a -t public_content_rw_t '/myrootfolder(/.*)?'
restorecon -R -v /myrootfolder
After that I can indeed create, write and update files anywhere in the
share and its subfolders, I can also delete folders, but I cannot create
or rename folders though!
sesearch --allow -C | grep samba_export_all_rw:
DT allow smbd_t noxattrfs : file { ioctl read getattr lock open } ; [
samba_export_all_rw ]
DT allow smbd_t noxattrfs : dir { getattr search open } ; [
samba_export_all_rw ]
DT allow smbd_t non_security_file_type : file { ioctl read write create
getattr set...
2013 Jul 19
1
xen (XSM policy) : Unload and analysis tool.
Hi all,
I want to know about the following things:
1. Unloading XSM policy.
-xl loadpolicy xenpolicy.24
to load the policy. For unloading, is there any command available?
2. I want to know if any analysis tool is available for XSM policy.
3. Apart from wiki.org/XSM, is any other tutorial available for developing
my own XSM policy?
Thanks and regards,
cooldharma06.
2010 Jul 23
1
postgresql copy to and selinux
I need to run a "copy table to '/home/user/dir/copy.txt';" but I get
permission denied. Filesystem dir modes are ok and I get no event
logged in audit.log, but if I setenforce 0, I can do the copy. This
explains auditd silence:
# sesearch --audit |egrep postgres.*home
dontaudit postgresql_t user_home_dir_t : dir { getattr search };
dontaudit postgresql_t home_root_t : dir { getattr search };
I changed the "dir" type to tmpfs_t and I could write with "\copy" but
not with "copy".
Anyway, what are...
2023 Oct 17
1
"Could not create listener socket on port" error only when using systemd service
...have verified it's not).
>
> What are these multiple listening sockets you've got going btw? Sounds
> related. Post the part of the config for this if you're able.
>
It's rather caused by a SELinux policy which only allows icecast daemon to
listen on TCP/8000 port:
# sesearch --allow -s icecast_t -c tcp_socket
[...]
allow icecast_t port_type:tcp_socket name_bind; [ icecast_use_any_tcp_ports ]:True
allow icecast_t port_type:tcp_socket name_connect; [ icecast_use_any_tcp_ports ]:True
allow icecast_t port_type:tcp_socket { recv_msg send_msg }; [ icecast_use_any_tcp_ports ]...