search for: sesearch

Displaying 20 results from an estimated 27 matches for "sesearch".

2018 Sep 09
3
Type enforcement / mechanism not clear
On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote: > > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t >> <no output> >> >> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf >> -rw-r--r--. root root system_u:objec...
2018 Sep 09
1
Type enforcement / mechanism not clear
On 09/09/2018 07:19 AM, Daniel Walsh wrote: > sesearch -A -s httpd_t -t system_conf_t -p read > > If you feel that these files should not be part of the base_ro_files > then we should open that for discussion. I think the question was how users would know that the policy allowed access, as he was printing rules affecting httpd_t's file...
2018 Sep 10
1
Type enforcement / mechanism not clear
...09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote: >>> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >>>> Any SElinux expert here - briefly: >>>> >>>> # getenforce >>>> Enforcing >>>> >>>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >>>> <no output> >>>> >>>> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t >>>> <no output> >>>> >>>> # ls -laZ /etc/sysctl.conf /etc/rsyslog.co...
2018 Sep 09
2
Type enforcement / mechanism not clear
Any SElinux expert here - briefly: # getenforce Enforcing # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t <no output> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t <no output> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf -rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf -rw-r--r--. root root s...
2016 Jul 05
4
How to have more than one SELinux context on a directory
...or > samba_share_t). > Or use audit2allow to add necessary allow rules to an existing type. > Any of the above could be a major PITA. Some links and commands which might be useful if you really need this done: http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types # sesearch --help # sesearch --allow -t samba_share_t # sesearch --allow -t tftpdir_rw_t
2018 Sep 09
0
Type enforcement / mechanism not clear
...via CentOS wrote: > On 09.09.2018 at 14:49, Daniel Walsh <dwalsh at redhat.com> wrote: >> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >>> Any SElinux expert here - briefly: >>> >>> # getenforce >>> Enforcing >>> >>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >>> <no output> >>> >>> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t >>> <no output> >>> >>> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf >>> -rw-r--r--...
2016 Jul 05
3
How to have more than one SELinux context on a directory
Hello, I need to have the tftpdir_rw_t and samba_share_t SELinux context on the same directory. How can we do this? Is it feasible to have more than one SELinux context? Thanks, Bernard
2016 Jul 06
0
How to have more than one SELinux context on a directory
...udit2allow to add necessary allow rules to an existing type. >> Any of the above could be a major PITA. >> > > Some links and commands which might be useful if you really need this done: > > http://fedoraproject.org/wiki/PackagingDrafts/SELinux#Creating_new_types > > # sesearch --help > # sesearch --allow -t samba_share_t > # sesearch --allow -t tftpdir_rw_t >
2018 Sep 09
0
Type enforcement / mechanism not clear
On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: > Any SElinux expert here - briefly: > > > # getenforce > Enforcing > > # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t > <no output> > > # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t > <no output> > > # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf > -rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsys...
2019 May 27
2
[PATCH] Use proper label for nbdkit sockets
...s it does not always guarantee that it will be accessible from a virtual machine. The VM might be running under svirt_tcg_t context which will need a svirt_tcg_t label on the socket in order to access it. There is, however, another label, svirt_socket_t, which is accessible from virt_domain: # sesearch -A -s svirt_t -c unix_stream_socket -p connectto ... allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... }; ... And virt_domain is a type attribute of both svirt_t and svirt_tcg_t: # seinfo -x -a virt_domain Type Attributes: 1 attribute virt_domain; sv...
2017 Feb 12
3
Centos7 and old Bind bug
This is my new Centos7 DNS server. In logwatch I am seeing: **Unmatched Entries** dispatch 0xb4378008: open_socket(0.0.0.0#5546) -> permission denied: continuing: 1 Time(s) dispatch 0xb4463008: open_socket(::#1935) -> permission denied: continuing: 1 Time(s) dispatch 0xb4464440: open_socket(::#8554) -> permission denied: continuing: 1 Time(s) dispatch 0xb4464440:
2016 Jul 06
2
How to have more than one SELinux context on a directory
...(either samba_share_t or tftpdir_rw_t). BTW have you really tried to access files labelled with tftpdir_rw_t via samba or vice versa? There's already a number of rules in the default policy which allow ftp access to samba shares and smb/nmb access to files labelled with tftpdir_rw_t. Eg # sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_n...
2020 Jul 02
2
Re: Two questions about NVDIMM devices
Daniel P. Berrangé <berrange@redhat.com> writes: > On Thu, Jul 02, 2020 at 01:21:15PM +0200, Milan Zamazal wrote: >> Hi, >> > >> I've met two situations with NVDIMM support in libvirt where I'm not >> sure all the parties (libvirt & I) do the things correctly. >> >> The first problem is with memory alignment and size changes. In
2019 May 28
0
Re: [PATCH] Use proper label for nbdkit sockets
...n the socket in order to access it. I don't really know enough about SELinux or the sVirt policy to comment on this, but it's plausible so I'll push it soon, thanks. Rich. > There is, however, another label, svirt_socket_t, which is accessible from > virt_domain: > > # sesearch -A -s svirt_t -c unix_stream_socket -p connectto > ... > allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... }; > ... > > And virt_domain is a type attribute of both svirt_t and svirt_tcg_t: > > # seinfo -x -a virt_domain > Type Attributes: 1...
2017 Feb 12
0
Centos7 and old Bind bug
...was assigned to the selinux-policy component, where it was CLOSED NOTABUG, and then mistakenly marked CLOSED ERRATA. The solution is probably to specify the allowed ports. However, I must be reading something wrong, because on my system, it looks like named_t is allowed to use those ports. # sesearch -A -s named_t | grep port | grep bind ...indicates that named_t is allowed to bind to both unreserved ports and ephemeral ports. # semanage port -l | grep unreserved_port_t unreserved_port_t tcp 61001-65535, 1024-32767 unreserved_port_t udp 61001-65535, 1...
2020 Apr 13
0
SELinux denies login
...avc: denied { unlink } for pid=28735 comm="krb5_child" name="krb5cc_1985100122_oxJnH7" dev="dm-0" ino=67978294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0 The policy allows sssd_t to unlink user_tmp_type: sesearch -s sssd_t --allow: allow sssd_t user_tmp_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ; Is the problem that the credential cache files in /tmp are being created with the wrong label, or is there some other problem I'm...
2012 Nov 22
0
Still cannot manage folders through Samba4 with SELinux samba_export_all_rw enabled
...nt_rw_t by issuing: semanage fcontext -a -t public_content_rw_t '/myrootfolder(/.*)?' restorecon -R -v /myrootfolder After that I can indeed create, write and update files anywhere in the share and its subfolders, I can also delete folders, but I cannot create or rename folders though! sesearch --allow -C | grep samba_export_all_rw: DT allow smbd_t noxattrfs : file { ioctl read getattr lock open } ; [ samba_export_all_rw ] DT allow smbd_t noxattrfs : dir { getattr search open } ; [ samba_export_all_rw ] DT allow smbd_t non_security_file_type : file { ioctl read write create getattr set...
2013 Jul 19
1
xen (XSM policy) : Unload and analysis tool.
Hi all, I want to know about the following things: 1. Unloading the XSM policy. "xl loadpolicy xenpolicy.24" loads the policy; is there any command available for unloading it? 2. I want to know whether any analysis tool is available for XSM policy. 3. Apart from wiki.org/XSM, is any other tutorial available for developing your own XSM policy? Thanks and regards, cooldharma06.
2010 Jul 23
1
postgresql copy to and selinux
I need to run a "copy table to '/home/user/dir/copy.txt';" but I get permission denied. Filesystem dir modes are ok and I get no event logged in audit.log, but if I setenforce 0, I can do the copy. This explains auditd silence: # sesearch --audit |egrep postgres.*home dontaudit postgresql_t user_home_dir_t : dir { getattr search }; dontaudit postgresql_t home_root_t : dir { getattr search }; I changed the "dir" type to tmpfs_t and I could write with "\copy" but not with "copy". Anyway, what are...
2023 Oct 17
1
"Could not create listener socket on port" error only when using systemd service
...have verified it's not). > > What are these multiple listening sockets you've got going btw? Sounds > related. Post the part of the config for this if you're able. > It's rather caused by a SELinux policy which only allows icecast daemon to listen on TCP/8000 port: # sesearch --allow -s icecast_t -c tcp_socket [...] allow icecast_t port_type:tcp_socket name_bind; [ icecast_use_any_tcp_ports ]:True allow icecast_t port_type:tcp_socket name_connect; [ icecast_use_any_tcp_ports ]:True allow icecast_t port_type:tcp_socket { recv_msg send_msg }; [ icecast_use_any_tcp_ports ]...