search for: tcp_socket

Displaying 20 results from an estimated 32 matches for "tcp_socket".

2018 Sep 09
1
Type enforcement / mechanism not clear
On 09/09/2018 07:19 AM, Daniel Walsh wrote: > sesearch -A -s httpd_t -t system_conf_t -p read > > If you feel that these files should not be part of the base_ro_files > then we should open that for discussion. I think the question was how users would know that the policy allowed access, as he was printing rules affecting httpd_t's file read access, and looking for
2023 Oct 17
1
"Could not create listener socket on port" error only when using systemd service
...; > What are these multiple listening sockets you've got going btw? Sounds > related. Post the part of the config for this if you're able. > It's rather caused by a SELinux policy which only allows icecast daemon to listen on TCP/8000 port: # sesearch --allow -s icecast_t -c tcp_socket [...] allow icecast_t port_type:tcp_socket name_bind; [ icecast_use_any_tcp_ports ]:True allow icecast_t port_type:tcp_socket name_connect; [ icecast_use_any_tcp_ports ]:True allow icecast_t port_type:tcp_socket { recv_msg send_msg }; [ icecast_use_any_tcp_ports ]:True allow icecast_t soundd_port_t...
2023 Oct 16
1
"Could not create listener socket on port" error only when using systemd service
On 10/16/23 10:37, Michael C Cambria wrote: > > Hi, > > I'm using icecast via Fedora 37 package and systemd service to start. > > I've added multiple <listen-socket> but get: > > "EROR connection/connection_setup_sockets Could not create listener > socket on port xxx" *snip* That error sounds like it could either be an issue relating to which
2008 Nov 04
1
How to get Bugzilla working on CentOS 5.2 with SELinux turned on?
...rrect username and password selected in localconfig? And there is an AVC denial as well: type=AVC msg=audit(1225832104.970:405): avc: denied { connect } for pid=30831 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket Here is the module I added: module local 1.0; require { type httpd_sys_script_t; class tcp_socket setopt; } #============= httpd_sys_script_t ============== allow httpd_sys_script_t self:tcp_socket setopt; [root@hwd-ddc-app-prod01 selinux]# httpd_sys_script_t =============...
2017 Apr 07
1
Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
I reread my sql.conf.ext files and realized they were actually connecting to localhost. So I did some googling, and found how to connect to the socket: connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=Postfix_Database_Password And all fixed. No more failures. Plus probably securer. On 04/07/2017 10:57 AM, Robert Moskowitz wrote: > The strange thing is that
2017 Apr 25
2
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...eaking ? here (using postgresql, obviously) so that dovecot runs properly with SELinux enabled, HTH, Laurent. module mydovecot 1.0; require { type dovecot_auth_t; type postgresql_port_t; type dovecot_t; type var_t; type postfix_virtual_tmp_t; class tcp_socket name_connect; class file { rename read lock create write getattr link unlink open append }; class dir { read write create add_name remove_name }; } #============= dovecot_auth_t ============== #!!!! This avc is allowed in the current policy allow dovecot_auth_t postgresql_port_t:t...
2012 Oct 22
1
SELinux AVC problem postfix <-> dspam
...spam and then postfix and I see the following AVC message in audit.log: type=AVC msg=audit(1350920492.936:400): avc: denied { name_bind } for pid=19971 comm="master" src=10026 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_master_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1350920492.936:400): arch=c000003e syscall=49 success=no exit=-13 a0=5b a1=7f015fa63b30 a2=10 a3=7fff6b2bf89c items=0 ppid=1 pid=19971 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="master" exe="/usr/libexec/postfix/...
2009 Apr 14
3
Odd SELinux messages during+after 5.3 upgrade (system_mail_t and postfix_postdrop_t access rpm_var_lib_t)
...ter the 5.3 upgrade. It appears as though my mail system (postfix) is constantly trying to access the rpm database? Here's the audit messages (I tend to look at my selinux messages using audit2allow < /var/log/audit.log as I find it easier to read quickly): allow postfix_postdrop_t rpm_t:tcp_socket { read write }; allow postfix_postdrop_t rpm_var_lib_t:file { read write }; allow postfix_postdrop_t user_home_t:file { getattr append }; allow postfix_postdrop_t var_lib_t:file write; allow system_mail_t rpm_t:tcp_socket { read write }; allow system_mail_t rpm_var_lib_t:file { read write }; allow...
2016 Mar 12
2
SELinux denies haproxy
...eing these messages turning up in syslog: Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400 audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801 comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket It looks like SELinux is denying haproxy the ability to connect to the database. I haven't seen any real problems on the site that uses the database. But I was just wondering if this message looks familiar to anyone. Or if it looks like something I should try to correct. I tried grepping thro...
2017 Apr 25
0
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...perly with SELinux enabled, > > HTH, > Laurent. > > module mydovecot 1.0; > > require { > type dovecot_auth_t; > type postgresql_port_t; > type dovecot_t; > type var_t; > type postfix_virtual_tmp_t; > class tcp_socket name_connect; > class file { rename read lock create write getattr link unlink > open append }; > class dir { read write create add_name remove_name }; > } > > #============= dovecot_auth_t ============== > > #!!!! This avc is allowed in the current policy...
2017 Jun 06
2
weird SELinux denial
I keep seeing this in my audit.logs: type=AVC msg=audit(1496336600.230:6): avc: denied { name_connect } for pid=2411 comm="dbus-daemon" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket Was caused by: The boolean allow_ypbind was set incorrectly. Description: Allow system to run with NIS Allow access by executing: # setsebool -P allow_ypbind 1 The weirdness is that when I check allow_ypbind, it's already on: # getsebool allow_ypbind allow_ypbind --> on # Does anyo...
2010 Oct 12
1
SELinux policy for dkim-milter
Hello, Does anyone have a sample SELinux policy for dkim-milter? I'm using the configuration from this page: http://www.howtoforge.com/set-up-dkim-for-multiple-domains-on-postfix-with-dkim-milter-2.8.x-centos-5.3 Along with the latest RPM from the link on that page. Regards, Ben -- Ben McGinnes http://www.adversary.org/ Twitter: benmcginnes Systems Administrator, Writer, ICT
2012 Jun 29
5
puppetmaster init script - bug ?
I've configured puppet to use storedconfigs and puppetDB. If I start the puppet master using the init script puppetmaster I get a permission denied error when a node connects: Master: [root@puppet ~]# service puppetmaster start Starting puppetmaster: [ OK ] Node: [root@puppet-slave ~]# puppet agent --test err: Could not retrieve catalog from remote
2016 Mar 12
1
SELinux denies haproxy
...>> >> Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400 >> audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801 >> comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0 >> tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket >> >> It looks like SELinux is denying haproxy the ability to connect to the >> database. I haven't seen any real problems on the site that uses the >> database. But I was just wondering if this message looks familiar to >> anyone. Or if it looks like something I s...
2007 Mar 12
2
selinux disable but still working
...ction. SELINUXTYPE=targeted But during the boot I see selinux warnings and some software won't start correctly: audit(1173699978.909:2): avc: denied { name_bind } for pid=2407 comm="piranha_gui" src=3636 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket audit(1173699978.943:3): avc: denied { append } for pid=2407 comm="piranha_gui" name="piranha-gui" dev=dm-0 ino=2338608 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=file audit(1173699979.918:4): avc: denied { write } for pid=2408 comm="...
2017 Jun 06
2
weird SELinux denial
...unset allow_ypbind, and then reset it to 1, audit2why then says type=AVC msg=audit(1496768649.872:1338): avc: denied { name_connect } for pid=2413 comm="dbus-daemon" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. --- Mike VanHorn Senior Computer Systems Administrato...
2005 Jul 11
1
SAMBA LDAP PDC - LAM LDAP ACCOUNT MANAGER
...wn succeeded Jul 11 14:30:40 node1 smb: smbd startup succeeded Jul 11 14:30:40 node1 smb: nmbd startup succeeded Jul 11 14:30:50 node1 kernel: audit(1121056250.376:0): avc: denied { connect } for pid=4637 exe=/usr/sbin/httpd scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=tcp_socket Any help or suggestions would be greatly appreciated. Please email me suggestions or solutions: asender@ampwest.com.au Many Thanks
2015 Oct 09
2
CentOS-6 SSHD chroot SELinux problem
...unnel https requests unless SELinux is set to permissive (or turned off altogether). This problem does not evidence itself unless the account is chrooted. The output from audit2allow is this: sudo audit2allow -l -a #============= chroot_user_t ============== allow chroot_user_t cyphesis_port_t:tcp_socket name_connect; allow chroot_user_t user_home_t:chr_file open; #============= syslogd_t ============== #!!!! The source type 'syslogd_t' can write to a 'dir' of the following types: # var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, tmp...
2012 Jan 13
1
SELinux and rsh+xauth
...hd_t:s0-s0:c0.c1023 tclass=fifo_file type=AVC msg=audit(1326381080.369:611): avc: denied { getattr } for pid=3487 comm="xauth" path="socket:[21700]" dev=sockfs ino=21700 scontext=system_u:system_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=tcp_socket The output from audit2allow is here : $ grep AVC /var/log/audit/audit.log | audit2allow libsepol.context_from_record: invalid security context: "system_u:system_r:xauth_t:s0-s0:c0.c1023" libsepol.context_from_record: could not create context structure libsepol.context_from_string: could...
2017 Apr 07
3
SELinux policy to allow Dovecot to connect to Mysql
I have been getting the following on my new mailserver: Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry They go away when I setenforce 0. So I googled dovecot mysql selinux and the only worthwhile hit was: