search for: sysfs_t

Displaying 15 results from an estimated 15 matches for "sysfs_t".

2014 Dec 05
2
Postfix avc (SELinux)
...there is but. . . >> > Anyone see any problem with generating a custom policy consisting of the > following? > > grep avc /var/log/audit/audit.log | audit2allow > > > #============= amavis_t ============== > allow amavis_t shell_exec_t:file execute; > allow amavis_t sysfs_t:dir search; > > #============= clamscan_t ============== > allow clamscan_t amavis_spool_t:dir read; In the latest rhel6 policies amavas_t and clamscan_t have been merged into antivirus_t? Is your selinux-policy up 2 date? > #============= logwatch_mail_t ============== > allow logwa...
2020 Feb 26
3
CentOS 7 : SELinux trouble with Fail2ban
...'f2b/server' --raw | sudo audit2allow -M my-f2bserver > $ sudo semodule -i my-f2bserver.pp > > I'm not sure with SELinux. https://bugzilla.redhat.com/show_bug.cgi?id=1777562 This bug was posted earlier. Sadly, it was closed WONTFIX, but the policy you need is: allow fail2ban_t sysfs_t:file { getattr open read }; allow fail2ban_t sysctl_net_t:dir { search }; allow fail2ban_t sysctl_net_t:file { getattr open read }; Honestly, if this really affects all users of fail2ban, I'll probably push back on the ticket to get it updated. I've successfully had the policy updated to handle i...
2014 Dec 12
0
More avc's wrt to email
...amav I seem to be detecting more avc's. It may be that it is because I am looking for them more frequently but it seems to me that something has happened external to my control. The most recent things I see are these: audit2allow -l -a #============= amavis_t ============== allow amavis_t sysfs_t:dir read; allow amavis_t sysfs_t:file open; #============= clamscan_t ============== #!!!! The source type 'clamscan_t' can write to a 'dir' of the following types: # clamscan_tmp_t, clamd_var_lib_t, tmp_t, root_t allow clamscan_t amavis_spool_t:dir write; #============= postfix_...
2020 Apr 09
2
fail2ban firewalld problems with current CentOS 7
...garding selinux and fail2ban. After several iterations with fail2ban restart, ausearch and audit2allow like this: ausearch -c 'f2b/server' --raw | audit2allow -M f2b-addon I came up with a SELinux module like that: module f2b-addon 1.0; require { type sysctl_net_t; type sysfs_t; type fail2ban_t; class file { getattr open read }; class dir search; } #============= fail2ban_t ============== #!!!! This avc is allowed in the current policy allow fail2ban_t sysctl_net_t:dir search; #!!!! This avc is allowed in the current policy allow fail2ban_t sysc...
2020 Apr 17
2
[SOLVED] fail2ban firewalld problems with current CentOS 7
On 13/04/20 1:30 pm, Orion Poplawski wrote: > On 4/9/20 6:31 AM, Andreas Haumer wrote: > ... >> I'm neither a fail2ban nor a SELinux expert, but it seems the >> standard fail2ban SELinux policy as provided by CentOS 7 is not >> sufficient anymore and the recent updates did not correctly >> update the required SELinux policies. >> >> I could report this
2014 Dec 04
3
Postfix avc (SELinux)
I am seeing these avc messages on a newly commissioned and up-to-date CentOs-6 virtual guest: ---- time->Thu Dec 4 12:14:58 2014 type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2 success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698 pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2784 comm="trivial-rewrite"
2018 Mar 06
3
Re: virt-v2v 1.38 fails to convert .vmx VM: setfiles ... Multiple same specifications for /.*.
> -----Original Message----- > From: Richard W.M. Jones [mailto:rjones@redhat.com] > Sent: Tuesday, March 6, 2018 11:49 AM > To: Зиновик Игорь Анатольевич <ZinovikIA@nspk.ru> > Cc: libguestfs@redhat.com > Subject: Re: [Libguestfs] virt-v2v 1.38 fails to convert .vmx VM: setfiles ... > Multiple same specifications for /.*. > > On Tue, Mar 06, 2018 at 08:40:51AM
2020 Apr 09
2
fail2ban firewalld problems with current CentOS 7
...'openvpn' started [...] BUT: SELinux complains about fail2ban: type=AVC msg=audit(1586413496.76:53507): avc: denied { read } for pid=1324 comm="f2b/f.apache" name="disable" dev="sysfs" ino=1481 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 So it seems somehow fail2ban does not add the required ip sets correctly. From what I see in firewalld logfile it seems these problems started after the last updates on April 2nd. On this day I did a "yum update" which executed without errors and installed:...
2014 Dec 04
0
Postfix avc (SELinux)
...ded to handle this? I could not find one if there is but. . . > Anyone see any problem with generating a custom policy consisting of the following? grep avc /var/log/audit/audit.log | audit2allow #============= amavis_t ============== allow amavis_t shell_exec_t:file execute; allow amavis_t sysfs_t:dir search; #============= clamscan_t ============== allow clamscan_t amavis_spool_t:dir read; #============= logwatch_mail_t ============== allow logwatch_mail_t usr_t:lnk_file read; #============= postfix_master_t ============== allow postfix_master_t tmp_t:dir read; #============= postfix_po...
2014 Dec 05
0
Postfix avc (SELinux)
...Anyone see any problem with generating a custom policy consisting of the >> following? >> >> grep avc /var/log/audit/audit.log | audit2allow >> >> >> #============= amavis_t ============== >> allow amavis_t shell_exec_t:file execute; >> allow amavis_t sysfs_t:dir search; >> >> #============= clamscan_t ============== >> allow clamscan_t amavis_spool_t:dir read; > In the latest rhel6 policies amavas_t and clamscan_t have been merged > into antivirus_t? Is your selinux-policy up 2 date? Yes, everything is up-to-date as of the time...
2015 Oct 27
0
CentOS-6.6 SELinux questions
...ailman mailing lists. It also has a slave named service. while tracking down a separate problem I discovered these avc anomalies and ran audit2allow to see what was required to eliminate them. All the software is either from CentOS or EPEL. #============= amavis_t ============== allow amavis_t sysfs_t:dir open; #============= clamd_t ============== allow clamd_t sysctl_vm_t:dir search; #============= mailman_mail_t ============== #!!!! The source type 'mailman_mail_t' can write to a 'dir' of the following types: # mailman_log_t, mailman_data_t, mailman_lock_t, mailman_archive_t...
2020 Feb 26
0
CentOS 7 : SELinux trouble with Fail2ban
...-M my-f2bserver > > $ sudo semodule -i my-f2bserver.pp > > > > I'm not sure with SELinux. > > https://bugzilla.redhat.com/show_bug.cgi?id=1777562 > This bug was posted earlier. Sadly, it was closed WONTFIX, but the policy > you need is: > > allow fail2ban_t sysfs_t:file { getattr open read }; > allow fail2ban_t sysctl_net_t:dir { search }; > allow fail2ban_t sysctl_net_t:file { getattr open read }; > Honestly, if this really affects all users of fail2ban, I'll probably push > back on the ticket to get it updated. I've successfully had the policy ...
2014 Dec 11
0
CentOS-6 Another email related AVC
...ss for now by executing: # grep amavisd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp [root at inet18 ~ (master #)]# grep amavisd /var/log/audit/audit.log | audit2allow #============= amavis_t ============== allow amavis_t shell_exec_t:file { read open }; allow amavis_t sysfs_t:file read; -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 C...
2009 Jul 10
6
DO NOT REPLY [Bug 6546] New: lremovexattr problems
https://bugzilla.samba.org/show_bug.cgi?id=6546 Summary: lremovexattr problems Product: rsync Version: 3.0.6 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P3 Component: core AssignedTo: wayned@samba.org ReportedBy: Dave@Yost.com QAContact:
2020 Feb 26
5
CentOS 7 : SELinux trouble with Fail2ban
Hi, Some time ago I had SELinux problems with Fail2ban. One of the users on this list suggested that it might be due to the fact that I'm using a bone-headed iptables script instead of FirewallD. I've spent the past few weeks getting up to date with doing things in a more orthodox manner. So currently my internet-facing CentOS server has a nicely configured NetworkManager, and