search for: sock_fil

Displaying 20 results from an estimated 29 matches for "sock_fil".

2020 Nov 03
3
ntp/chrony on AD DC and SELinux
Hi, the instructions for "Time Synchronisation - SELinux Labeling and Policy" on https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy don't seem to work on CentOS 8. Using chrony I tried to adapt them (with very limited SELinux knowledge) like this: chcon -u system_u -t chronyd_exec_t /var/lib/samba/ntp_signd semanage fcontext -a -t chronyd_exec_t
2015 Apr 26
2
Broken SELinux Postfix Policy?
...om yum. Restart fails, I get: type=AVC msg=audit(1430429813.721:12167): avc: denied { unlink } for pid=31624 comm="master" name="defer" dev="dm-0" ino=981632 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=sock_file I guess it needs to remove the /var/spool/postfix/defer socket file. audit2allow says this will fix it: allow postfix_master_t postfix_spool_maildrop_t:sock_file unlink; But how do I add this permission to the existing Postfix SELinux policy??? Why was it missing??? By the way, I also had AVC...
2012 Apr 24
0
About audit2allow generated rules
Hi, I have something in /var/log/audit/audit.log like: avc: denied { write } for pid=23739 comm="httpd" name="renderd.sock" dev=dm-0 ino=1183752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file Using audit2allow, it generates something like this: allow httpd_t var_run_t:sock_file write; Is the rule too liberal? That means httpd_t can write any var_run_t's sock_file? Or do I misunderstand something? Should it only allow httpd_t to write this specific render.sock file? If so, what&...
2012 Oct 22
1
SELinux AVC problem postfix <-> dspam
Hi, I guess this is a bit OT but perhaps someone has encountered this issue before. On a CentOS 6.3 x86_64 box I have installed postfix and dspam from EPEL. Dspam is configured to listen on port 10026. After having configured dspam and postfix I start dspam and then postfix and I see the following AVC message in audit.log: type=AVC msg=audit(1350920492.936:400): avc: denied { name_bind }
2008 Aug 01
2
BackupPC 3.1.0 on CentOS 5.2 triggers SE Linux denial
...m_r:httpd_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=unix_stream_socket type=AVC msg=audit(07/31/2008 17:18:53.623:410) : avc: denied { write } for pid=11767 comm=httpd name=BackupPC.sock dev=md0 ino=39813253 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=sock_file Is there an easy way to fix this, like setting the BackupPC.sock file universally writeable? I don't know SE Linux and right now my objective is to get BackupPC up and running. I've turned SE Linux off for now, but that's temporary until I get a more targeted fix. Thanks, Aleksey
2008 Aug 26
3
Amavisd Howto
...pool_t; type clamd_t; type amavis_var_lib_t; type sysctl_kernel_t; type var_t; type postfix_smtpd_t; type initrc_t; type proc_t; class unix_stream_socket connectto; class file { read getattr }; class sock_file write; class lnk_file { read create unlink getattr }; class udp_socket name_bind; class dir { read search }; } #============= amavis_t ============== allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr }; allow amavis_t traceroute_port_t:udp_socket...
2019 Apr 16
4
Time Synchronisation - SELinux Labeling and Policy
Hi, I want to set SELinux to use ntpd, but when I run (as described in the wiki) semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd" I get this error: " usage: semanage [-h] {import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit} ... semanage: error: argument subcommand: invalid choice:
2020 Apr 03
2
Samba 4.12 SELinux context /var/run
..._t:s0 60 Apr 3 20:42 winbindd -rw-r--r--. 1 root root system_u:object_r:var_run_t:s0 5 Apr 3 20:42 winbindd.pid ``` Remote ssh login via winbind/pam-auth is not working anymore because sshd wants to access /var/run/samba/winbindd/pipe `preventing /usr/sbin/sshd from getattr access on the sock_file /run/samba/winbindd/pipe` Could this be fixed in 4.12.1? Meanwhile we set SELinux permissive. Tobias -- collect at shift.agency
2015 Jan 13
1
SELinux-alert: aide wants to write to /var/run/winbindd/pipe
Hi, does anyone know if aide should have access to this socket? SELinux is preventing /usr/sbin/aide from write access on the sock_file /var/run/winbindd/pipe. Thanks Patrick (on CentOS6 if that matters)
2019 Apr 16
0
Time Synchronisation - SELinux Labeling and Policy
...kefile ======================== module: checkmodule -M -m -o local.mod local.te semodule_package -o local.pp -m local.mod semodule -i local.pp ==================== local.te ======================== module local 1.0; require { type ntpd_t; type <sign_socket_context>; class sock_file write; class dir search; } allow chronyd_t <sign_socket_context>:dir search; allow chronyd_t <sign_socket_context>:sock_file write; ======================================================
2020 Nov 03
0
ntp/chrony on AD DC and SELinux
...ve problems with Samba trying to create or write to it because it doesn't have the appropriate Samba context, Let chrony access the Samba labeled files with a SELinux module like: ====================== module local 1.0; require { type chronyd_t; type container_file_t; class sock_file write; class dir search; } allow chronyd_t container_file_t:dir search; allow chronyd_t container_file_t:sock_file write; ====================== Note: I use container_file_t because my Samba is containerized, but you should use samba_var_t since your Samba is running on the host /var/lib/...
2007 May 25
1
smbd write failure, kernel
....56. Error Connection reset by peer syslog(kern.debug): May 22 16:57:37 server kernel: audit(1179827857.498:149): avc: denied { write } for pid=10734 comm="smbd" name="log" dev=tmpfs ino=24665 scontext=system_u:system_r:smbd_t:s0 tcontext=root:object_r:device_t:s0 tclass=sock_file Please, help. Philipp.
2007 Feb 05
1
tunneling support for PF_UNIX sockets
...ignal the AF_UNIX address. But I see that general, expandable naming convention would give more. One could e.g. define an address space of "AF_EXEC", which would execute program on remote host every time new tunnel is initiated. I was thinking something like: "AF_UNIX::/home/user/dir/sock_file" for UNIX sockets (ssh -newflag 8080:AF_UNIX::/home/user/dir/sock_file hostname.com) "AF_INET::localhost:80" for tcp redirection, this should be default, if no AF_* is specified. "AF_EXEC::/home/user/server_executable -p param" for executable redirection. 6. Local port su...
2012 Jun 15
1
Puppet + Passenger SELinux issues
...ib_t; type postfix_cleanup_t; type postfix_master_t; type inetd_t; type udev_t; type mysqld_safe_t; type postfix_pickup_t; type sshd_t; type crond_t; type getty_t; type postfix_qmgr_t; type ntpd_t; class sock_file { write unlink open }; class capability { sys_resource sys_ptrace }; class process setexec; class dir { write getattr read create search add_name }; class file { execute read create execute_no_trans write open append }; } #============= httpd_t ============== allow...
2009 Oct 04
2
deliver stopped working
...nitrc_var_run_t; type var_t; type postfix_qmgr_t; type postfix_pipe_t; type crond_t; class process ptrace; class unix_stream_socket connectto; class tcp_socket { name_bind name_connect }; class file { rename execute read lock create ioctl execute_no_trans write getattr link unlink }; class sock_file { setattr create write getattr unlink }; class lnk_file { read getattr }; class dir { search setattr read create write getattr remove_name add_name }; } #============= clamd_t ============== allow clamd_t proc_t:file { read getattr }; allow clamd_t sysctl_kernel_t:dir search; allow clamd_t sysc...
2020 Apr 04
1
Samba 4.12 SELinux context /var/run
...ystem_u:object_r:var_run_t:s0 5 Apr >> 3 20:42 winbindd.pid >> ``` >> >> Remote ssh login via winbind/pam-auth is not working anymore because >> sshd wants to access /var/run/samba/winbindd/pipe >> >> `preventing /usr/sbin/sshd from getattr access on the sock_file >> /run/samba/winbindd/pipe` >> >> >> Could this be fixed in 4.12.1? Meanwhile we set SELinux permissive. >> >> Tobias >> > Sorry Tobias, but Samba does not supply the SELinux context, I suggest > you contact your Samba packages supplier, which is...
2006 Oct 13
2
child 29480 (auth) returned error 89, FC5, Postfix, MySql, mbox....arghhhh
...kets as below: Oct 12 21:36:25 Playtime kernel: audit(1160714185.460:373): avc: denied { write } for pid=29479 comm="dovecot-auth" name="auth-worker.29479" dev=dm-0 ino=692358 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=user_u:object_r:dovecot_var_run_t:s0 tclass=sock_file There is nothing in the auth log other than happy noises from Postfix about its MySQL accesses. I am unaware of any other logs that might shed some light. Troubleshooting: ============= --- I have been using standard FC5 compiled binaries sourced through YUM for all applications. To the be...
2016 Jul 06
2
How to have more than one SELinux context on a directory
...ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samba_share_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; Maybe the needed functionality is already there and all this discussion is the equival...
2009 Apr 15
2
SELinux and "i_stream_read() failed: Permission denied"
...e execute execute_no_trans \ getattr ioctl link lock read rename setattr write unlink }; class dir { add_name getattr create read remove_name \ rename write search setattr rmdir }; class fifo_file { getattr write }; class filesystem getattr; class sock_file write; class unix_stream_socket { connectto getattr read write }; } #============= dovecot_t =============== allow dovecot_t home_root_t:file { create getattr link lock \ read rename setattr unlink write }; allow dovecot_t home_root_t:dir { add_name create remove_name write }; #========...
2005 Jan 18
2
auth samba+squid+ntlm
...a user run its web browser and ask for a user/password: Jan 18 12:12:16 brain kernel: audit(1106071936.271:0): avc: denied { getattr } for pid=17126 exe=/usr/bin/ntlm_auth path=/var/run/winbindd/pipe dev=hda7 ino=108681 scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t tclass=sock_file These are the permissions on /var/cache/samba: -rw------- 1 root root 8192 ene 13 00:02 account_policy.tdb -rw-r--r-- 1 root root 8192 ene 17 08:52 brlock.tdb -rw-r--r-- 1 root root 695 ene 18 12:13 browse.dat -rw-r--r-- 1 root root 16384 ene 14 08:00 connections.tdb -rw-r--r-- 1...