Displaying 20 results from an estimated 162 matches for "setsebool".
2008 Jul 13
1
Can an ISO be specified allow mount "setsebool -P allow_mount_iso=1" instead of "setsebool -P allow_mount_anyfile=1" SE context samba share
...are_t"
does not have this attribute. You can either relabel the file or
directory or
set the boolean "allow_mount_anyfile" to true to allow mounting on any
file or
directory.
Allowing Access:
Changing the "allow_mount_anyfile" boolean to true will allow this
access:
"setsebool -P allow_mount_anyfile=1."
The following command will allow this access:
setsebool -P allow_mount_anyfile=1
Additional Information:
Source Context system_u:system_r:mount_t
Target Context user_u:object_r:samba_share_t
Target Objects ./Fedora-9-E...
2016 Apr 12
3
selinux getsebool request
Out of faint curiosity, how do we push change requests upstream to RHEL?
I'm using puppet to automate systems, including the application of
SELinux policy. While setsebool -P is non-damaging to repeat, it is time
consuming -- taking about 45 seconds per execution to process the
existing policy and re-commit to disk.
I'd like a simple ability to put an unless in the execution of
setsebool, to key off whether it's necessary -- to reduce a SELinux
puppet run from 25...
2016 Jan 29
2
Apache doesn't display "It works page" under CentOS 7
On Fri, Jan 29, 2016 at 11:41 AM, Michael H <michael at wemoto.com> wrote:
> setsebool -P httpd_can_network_connect on
> firewall-cmd --add-service=http --permanent
>
I have run those two and still can't access. I have restarted httpd and
iptables services after running those lines. BTW, what do those mean? Is setsebool
part of SELinux? Or is this a new kind of extra security laye...
2016 Apr 12
3
selinux getsebool request
...ing the whole darn thing. :)
>
> Incidentally one nice trick if you're dealing with potentially changing
> multiple booleans and the policy compile time is to either skip -P and
> understand it's not persistent so puppet needs to fix at boot, or passing
> multiple booleans to setsebool at the same time so the compile only happens
> once.
Huh. Stacking setsebool has a lot of potential. I should add remedial
man-page reading to my list of tasks.
I'm of the camp that systems should come up in a ready state, regardless
of the immediate availability of puppet. So, using puppe...
2015 Dec 23
3
C7 apache file access
...rmission error e.g.:
>>
>> [Wed Dec 23 12:32:49.359323 2015] [negotiation:error] [pid 3208]
>> (13)Permission denied: [client 192.168.160.20:38708] AH00686: cannot
>> read directory for multi: /home/rgm/public_html/biby/
>
> If SELinux is working, then do
>
> setsebool -P httpd_enable_homedirs on
Did not help.
in messages I see:
Dec 23 14:54:04 medon dbus-daemon: dbus[444]: avc: received policyload
notice (seqno=3)
Dec 23 14:54:04 medon dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus-daemon: dbus[444]: [system] Reloaded
conf...
2014 Dec 17
4
selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?
Hi,
On an internal webserver (latest C6) I want smb-access to /var/www/html/
In april I did
chcon -R -t public_content_rw_t /var/www/html/
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1
echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts
After the latest round of updates (including selinux-policy.noarch 0:3.7.19-260.el...
2016 Dec 28
4
Help with httpd userdir recovery
...=(null)
type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':
[ 2273.047017] SELinux: Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions will
be allowed
So something may well not be right with my SELinux.
Bob
2012 Nov 20
4
selinux policy and httpd
I upgraded a development server last week, and it started spewing selinux
errors to the log. I googled. What finally *seems* to have stopped it was
a) setsebool -P httpd_setrlimit 1
b) yum downgrade selinux-policy\*
This is on a 6.3 box. Has anyone else seen this behaviour?
mark
2016 Sep 16
2
SELinux module
...ess on
the file .bash_logout.
***** Plugin catchall_boolean (89.3 confidence) suggests
******************
If you want to allow use to nfs home dirs
Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs'
boolean.
You can read 'None' man page for more details.
Do
setsebool -P use_nfs_home_dirs 1
***** Plugin catchall (11.6 confidence) suggests
**************************
If you believe that mkhomedir should be allowed setattr access on the
.bash_logout file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access...
2016 Jan 29
3
Apache doesn't display "It works page" under CentOS 7
On Fri, Jan 29, 2016 at 11:48 AM, Michael H <michael at wemoto.com> wrote:
> Selinux has been around for a while.
>
Yes, I know this but ...
>
> setsebool - set selinux boolean
>
What I am asking is if the command above is part of SELinux, since I haven't
used it before because it's a VM running on my PC, so I don't need such security
levels.
>
> You should probably be using the firewall-cmd rather than iptables;
> firewall-cmd --add-s...
2015 Mar 15
4
centos 7 database access only possible through localhost and not IP
...Now I experience the following problem.
I can only access postgres using localhost as host. If I use the IP address
(even 127.0.0.1).
I found a similar problem when accessing the host using http. There I found out
(after lots of hair pulling) that I have to set a value using setsebool.
So I assume, that I have a similar problem here.
I would be grateful, if somebody could point me in the right direction ..
thanks
robert
2007 Aug 16
1
SELinux questions, upon restarting BIND
...n entirely for the application. Disabling
SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Changing the "named_disable_trans" boolean to true will disable SELinux
protection this application: "setsebool -P named_disable_trans=1."
The following command will allow this access:
setsebool -P named_disable_trans=1
Additional Information
Source Context user_u:system_r:named_t
Target Context system_u:object_r:tmpfs_t
Target Objects random [ chr...
2016 Jan 29
2
Apache doesn't display "It works page" under CentOS 7
I have Apache/2.4.6 installed in a minimal CentOS 7 VM. I am trying to
access the default page when Apache is installed by accessing the CentOS IP
as http://192.168.3.130 (is a host only interface) but I got "This webpage
is not available: ERR_CONNECTION_TIMED_OUT" and I can't find why. I have
stopped iptables and then checked:
# service iptables status
Redirecting to /bin/systemctl
2017 Oct 04
0
Please criticize my smb.conf
...dnf install policycoreutils-gui
; # chcon -t samba_share_t /exports
; # /usr/sbin/semanage fcontext -a -t samba_share_t "/exports(/.*)?"
; # /sbin/restorecon -R -v /exports
; # ausearch -c 'nmbd' --raw | audit2allow -M my-nmbd
; # semodule -X 300 -i my-nmbd.pp
; # setsebool -P samba_enable_home_dirs 1
; # setsebool -P samba_export_all_rw 1
; # ausearch -c 'winbindd' --raw | audit2allow -M my-winbindd
; # semodule -X 300 -i my-winbindd.pp
; # setsebool -P samba_domain_controller on
; # ausearch -c 'useradd' --raw | audit2allow -M my-usera...
2017 Oct 02
2
Please criticize my smb.conf
...dnf install policycoreutils-gui
; # chcon -t samba_share_t /exports
; # /usr/sbin/semanage fcontext -a -t samba_share_t "/exports(/.*)?"
; # /sbin/restorecon -R -v /exports
; # ausearch -c 'nmbd' --raw | audit2allow -M my-nmbd
; # semodule -X 300 -i my-nmbd.pp
; # setsebool -P samba_enable_home_dirs 1
; # setsebool -P samba_export_all_rw 1
; # ausearch -c 'winbindd' --raw | audit2allow -M my-winbindd
; # semodule -X 300 -i my-winbindd.pp
; # setsebool -P samba_domain_controller on
; # ausearch -c 'useradd' --raw | audit2allow -M my-usera...
2020 Jun 18
3
Can't access Squirrelmail on Centos 8
...ail and the configtest file, Turning off the firewall resulted in same issue.
>
> I have this in my squirrelmail notes for Centos 6, maybe this is a similar issue for you on Centos 8:
>
> After configuring squirrelmail, do this to make selinux accept squirrelmail connections:
>
> setsebool -P httpd_can_network_connect 1
>
> (The -P makes it permanent across reboots. This command takes quite a while to run, so don't worry about the waiting)
>
> Then this to allow apache to connect to sendmail:
>
> setsebool -P httpd_can_sendmail 1
>
> Also takes a long tim...
2016 Jan 29
0
Apache doesn't display "It works page" under CentOS 7
On 29/01/16 16:45, reynierpm at gmail.com wrote:
> On Fri, Jan 29, 2016 at 11:41 AM, Michael H <michael at wemoto.com> wrote:
>
>> setsebool -P httpd_can_network_connect on
>> firewall-cmd --add-service=http --permanent
>>
>
> I have run those two and still can't access. I have restarted httpd and
> iptables services after running those lines. BTW, what do those mean? Is setsebool
> part of SELinux? Or is this a new...
2016 Apr 12
0
selinux getsebool request
On 12 Apr 2016 6:10 p.m., "John Jasen" <jjasen at realityfailure.org> wrote:
>
> Out of faint curiosity, how do we push change requests upstream to RHEL?
>
> I'm using puppet to automate systems, including the application of
> SELinux policy. While setsebool -P is non-damaging to repeat, it is time
> consuming -- taking about 45 seconds per execution to process the
> existing policy and re-commit to disk.
>
> I'd like a simple ability to put an unless in the execution of
> setsebool, to key off whether it's necessary -- to reduce a SE...
2016 Apr 13
0
selinux getsebool request
...hing. :)
>>
>> Incidentally one nice trick if you're dealing with potentially changing
>> multiple booleans and the policy compile time is to either skip -P and
>> understand it's not persistent so puppet needs to fix at boot, or passing
>> multiple booleans to setsebool at the same time so the compile only happens
>> once.
>
> Huh. Stacking setsebool has a lot of potential. I should add remedial
> man-page reading to my list of tasks.
>
> I'm of the camp that systems should come up in a ready state, regardless
> of the immediate availab...
2016 Dec 30
0
Help with httpd userdir recovery
...="dm-0"
ino=533228 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow httpd to read user content
Allow access by executing:
# setsebool -P httpd_read_user_content 1
Description:
Allow httpd to unified
Allow access by executing:
# setsebool -P httpd_unified 1
# setsebool -P httpd_read_user_content 1
... and setting one of them fixed the problem.
I don't see a bug filed for this. Can anyone else confirm that
h...