Displaying 20 results from an estimated 29 matches for "sock_file".
2020 Nov 03
3
ntp/chrony on AD DC and SELinux
Hi,
the instructions for "Time Synchronisation - SELinux Labeling and
Policy" on
https://wiki.samba.org/index.php/Time_Synchronisation_-_SELinux_Labeling_and_Policy
don't seem to work on CentOS 8. Using chrony I tried to adapt them (with
very limited SELinux knowledge) like this:
chcon -u system_u -t chronyd_exec_t /var/lib/samba/ntp_signd
semanage fcontext -a -t chronyd_exec_t
2015 Apr 26
2
Broken Selinux Postfix Policy?
...om yum. Restart fails, I get:
type=AVC msg=audit(1430429813.721:12167): avc: denied { unlink } for
pid=31624 comm="master" name="defer" dev="dm-0" ino=981632
scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=sock_file
I guess it needs to remove the /var/spool/postfix/defer socket file.
audit2allow says this will fix it:
allow postfix_master_t postfix_spool_maildrop_t:sock_file unlink;
But how do I add this permission to the existing Postfix Selinux policy???
Why was it missing???
By the way, I also had AVCs...
2012 Apr 24
0
About audit2allow generated rules
Hi
I have something in /var/log/audit/audit.log like:
avc: denied { write } for pid=23739 comm="httpd" name="renderd.sock"
dev=dm-0 ino=1183752 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
Using audit2allow, it generates something like this:
allow httpd_t var_run_t:sock_file write;
Is the rule too liberal? That means httpd_t can write any var_run_t's
sock_file?
Or do I misunderstand something?
Should it only allow httpd_t to write this specific render.sock file?
If so, what...
2012 Oct 22
1
SELinux AVC problem postfix <-> dspam
Hi,
I guess this is a bit OT but perhaps someone has encountered this issue
before. On a CentOS 6.3 x86_64 box I have installed postfix and dspam
from EPEL. Dspam is configured to listen on port 10026. After having
configured dspam and postfix I start dspam and then postfix and I see
the following AVC message in audit.log:
type=AVC msg=audit(1350920492.936:400): avc: denied { name_bind }
2008 Aug 01
2
BackupPC 3.1.0 on CentOS 5.2 triggers SE Linux denial
...m_r:httpd_t:s0
tcontext=user_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(07/31/2008 17:18:53.623:410) : avc: denied {
write } for pid=11767 comm=httpd name=BackupPC.sock dev=md0
ino=39813253 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:var_log_t:s0 tclass=sock_file
Is there an easy way to fix this, like setting the BackupPC.sock file
universally writeable? I don't know SE Linux and right now my
objective is to get BackupPC up and running.
I've turned SE Linux off for now, but that's temporary until I get a
more targeted fix.
Thanks,
Aleksey
2008 Aug 26
3
Amavisd Howto
...pool_t;
type clamd_t;
type amavis_var_lib_t;
type sysctl_kernel_t;
type var_t;
type postfix_smtpd_t;
type initrc_t;
type proc_t;
class unix_stream_socket connectto;
class file { read getattr };
class sock_file write;
class lnk_file { read create unlink getattr };
class udp_socket name_bind;
class dir { read search };
}
#============= amavis_t ==============
allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr };
allow amavis_t traceroute_port_t:udp_socket n...
2019 Apr 16
4
Time Synchronisation - SELinux Labeling and Policy
Hi, I want to set SELinux to use with ntpd,
but when I run (as described in the wiki)
semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"
I get this error:
"
usage: semanage [-h]
{import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
...
semanage: error: argument subcommand: invalid choice:
2020 Apr 03
2
Samba 4.12 SELinux context /var/run
..._t:s0 60 Apr 3
20:42 winbindd
-rw-r--r--. 1 root root system_u:object_r:var_run_t:s0 5 Apr 3
20:42 winbindd.pid
```
Remote ssh login via winbind/pam-auth is not working anymore because sshd
wants to access /var/run/samba/winbindd/pipe
`preventing /usr/sbin/sshd from getattr access on the sock_file
/run/samba/winbindd/pipe`
Could this be fixed in 4.12.1? Meanwhile we set SELinux permissive.
Tobias
--
collect at shift.agency
2015 Jan 13
1
SELinux-alert: aide wants to write to /var/run/winbindd/pipe
Hi,
does anyone know if aide should have access to this socket?
SELinux is preventing /usr/sbin/aide from write access on the sock_file /var/run/winbindd/pipe.
Thanks
Patrick
(on CentOS6 if that matters)
2019 Apr 16
0
Time Synchronisation - SELinux Labeling and Policy
...kefile ========================
module:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp
==================== local.te ========================
module local 1.0;
require {
type ntpd_t;
type <sign_socket_context>;
class sock_file write;
class dir search;
}
allow chronyd_t <sign_socket_context>:dir search;
allow chronyd_t <sign_socket_context>:sock_file write;
======================================================
2020 Nov 03
0
ntp/chrony on AD DC and SELinux
...ve problems
with Samba trying to create or write to it because it doesn't have the
appropriate Samba context. Let chrony access the Samba labeled files
with a SELinux module like:
======================
module local 1.0;
require {
type chronyd_t;
type container_file_t;
class sock_file write;
class dir search;
}
allow chronyd_t container_file_t:dir search;
allow chronyd_t container_file_t:sock_file write;
======================
Note: I use container_file_t because my Samba is containerized, but you
should use samba_var_t since your Samba is running on the host
/var/lib/s...
2007 May 25
1
smbd write failure, kernel
....56. Error Connection reset
by peer
syslog(kern.debug):
May 22 16:57:37 server kernel: audit(1179827857.498:149): avc: denied
{ write } for pid=10734 comm="smbd" name="log" dev=tmpfs ino=24665
scontext=system_u:system_r:smbd_t:s0 tcontext=root:object_r:device_t:s0
tclass=sock_file
Please, help.
Philipp.
2007 Feb 05
1
tunneling support for PF_UNIX sockets
...ignal the AF_UNIX address. But I see
that a general, expandable naming convention would give more. One could
e.g. define an address space of "AF_EXEC", which would execute a program
on the remote host every time a new tunnel is initiated.
I was thinking something like:
"AF_UNIX::/home/user/dir/sock_file" for UNIX sockets (ssh -newflag
8080:AF_UNIX::/home/user/dir/sock_file hostname.com)
"AF_INET::localhost:80" for tcp redirection, this should be default, if
no AF_* is specified.
"AF_EXEC::/home/user/server_executable -p param" for executable
redirection.
6. Local port sup...
2012 Jun 15
1
Puppet + Passenger SELinux issues
...ib_t;
type postfix_cleanup_t;
type postfix_master_t;
type inetd_t;
type udev_t;
type mysqld_safe_t;
type postfix_pickup_t;
type sshd_t;
type crond_t;
type getty_t;
type postfix_qmgr_t;
type ntpd_t;
class sock_file { write unlink open };
class capability { sys_resource sys_ptrace };
class process setexec;
class dir { write getattr read create search add_name };
class file { execute read create execute_no_trans write open append
};
}
#============= httpd_t ==============
allow...
2009 Oct 04
2
deliver stopped working
...nitrc_var_run_t;
type var_t;
type postfix_qmgr_t;
type postfix_pipe_t;
type crond_t;
class process ptrace;
class unix_stream_socket connectto;
class tcp_socket { name_bind name_connect };
class file { rename execute read lock create ioctl execute_no_trans write getattr link
unlink };
class sock_file { setattr create write getattr unlink };
class lnk_file { read getattr };
class dir { search setattr read create write getattr remove_name add_name };
}
#============= clamd_t ==============
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysct...
2020 Apr 04
1
Samba 4.12 SELinux context /var/run
...ystem_u:object_r:var_run_t:s0 5 Apr
>> 3 20:42 winbindd.pid
>> ```
>>
>> Remote ssh login via winbind/pam-auth is not working anymore because
>> sshd wants to access /var/run/samba/winbindd/pipe
>>
>> `preventing /usr/sbin/sshd from getattr access on the sock_file
>> /run/samba/winbindd/pipe`
>>
>>
>> Could this be fixed in 4.12.1? Meanwhile we set SELinux permissive.
>>
>> Tobias
>>
> Sorry Tobias, but Samba does not supply the Selinux context, I suggest
> you contact your Samba packages supplier, which is u...
2006 Oct 13
2
child 29480 (auth) returned error 89, FC5, Postfix, MySql, mbox....arghhhh
...kets as below:
Oct 12 21:36:25 Playtime kernel: audit(1160714185.460:373):
avc: denied { write } for pid=29479 comm="dovecot-auth"
name="auth-worker.29479" dev=dm-0 ino=692358
scontext=user_u:system_r:dovecot_auth_t:s0
tcontext=user_u:object_r:dovecot_var_run_t:s0 tclass=sock_file
There is nothing in the auth log other than happy noises from Postfix
about its mySQL accesses. I am unaware of any other logs that might
shed some light.
Troubleshooting:
=============
--- I have been using standard FC5 compiled binaries sourced through
YUM for all applications. To the bes...
2016 Jul 06
2
How to have more than one SELinux context on a directory
...ftpd_t samba_share_t : dir { ioctl read write create getattr
setattr lock unlink link rename add_name remove_name reparent search
rmdir open } ;
allow ftpd_t samba_share_t : lnk_file { ioctl read write create
getattr setattr lock append unlink link rename } ;
allow ftpd_t samba_share_t : sock_file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
allow ftpd_t samba_share_t : fifo_file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
Maybe the needed functionality is already there and all this discussion
is the equivale...
2009 Apr 15
2
SELinux and "i_stream_read() failed: Permission denied"
...e execute execute_no_trans \
getattr ioctl link lock read rename setattr write unlink };
class dir { add_name getattr create read remove_name \
rename write search setattr rmdir };
class fifo_file { getattr write };
class filesystem getattr;
class sock_file write;
class unix_stream_socket { connectto getattr read write };
}
#============= dovecot_t ===============
allow dovecot_t home_root_t:file { create getattr link lock \
read rename setattr unlink write };
allow dovecot_t home_root_t:dir { add_name create remove_name write };
#=========...
2005 Jan 18
2
auth samba+squid+ntlm
...a user run its web browser and ask for a
user/password:
Jan 18 12:12:16 brain kernel: audit(1106071936.271:0): avc: denied
{ getattr } for pid=17126 exe=/usr/bin/ntlm_auth path=/var/run/winbindd/pipe
dev=hda7 ino=108681 scontext=root:system_r:squid_t
tcontext=root:object_r:var_run_t tclass=sock_file
these are the permissions on /var/cache/samba:
-rw------- 1 root root 8192 ene 13 00:02 account_policy.tdb
-rw-r--r-- 1 root root 8192 ene 17 08:52 brlock.tdb
-rw-r--r-- 1 root root 695 ene 18 12:13 browse.dat
-rw-r--r-- 1 root root 16384 ene 14 08:00 connections.tdb
-rw-r--r-- 1 r...