2014 Dec 05
2
Postfix avc (SELinux)
...latest rhel6 policies amavas_t and clamscan_t have been merged
into antivirus_t? Is your selinux-policy up to date?
> #============= logwatch_mail_t ==============
> allow logwatch_mail_t usr_t:lnk_file read;
>
> #============= postfix_master_t ==============
> allow postfix_master_t tmp_t:dir read;
>
> #============= postfix_postdrop_t ==============
> allow postfix_postdrop_t tmp_t:dir read;
>
> #============= postfix_showq_t ==============
> allow postfix_showq_t tmp_t:dir read;
Any reason postfix would be listing the contents of /tmp or /var/tmp?
Did you put so...
2014 Dec 04
3
Postfix avc (SELinux)
...rite"
subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1417713298.610:60522): avc: denied { read } for pid=4294
comm="trivial-rewrite" name="tmp" dev=dm-0 ino=393240
scontext=unconfined_u:system_r:postfix_master_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
We are using a locally built Postfix (Postfix-2.8+ is required to support
postscreen and CentOS only provides 2.6.6)
rpm -qi postfix
Name : postfix Relocations: (not relocatable)
Version : 2.11.1 Vendor: (none)
Release :...
2009 Jan 12
1
Deliver *sometimes* delivers via /tmp?
...925b-b15e26da2a15
And the AVCs for those:
node=jukebox.alleroedderne.adsl.dk type=AVC
msg=audit(1231439791.493:10819): avc: denied { search } for pid=9073
comm="deliver" name="tmp" dev=sda3 ino=786433
scontext=system_u:system_r:dovecot_deliver_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=jukebox.alleroedderne.adsl.dk type=SYSCALL
msg=audit(1231439791.493:10819): arch=40000003 syscall=195 success=no
exit=-2 a0=96e0aa0 a1=bfc21120 a2=4f5ff4 a3=bfc21120 items=0 ppid=9072
pid=9073 auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500
egid=12 sgid=12 fsgid=12 t...
2005 Mar 03
11
PostgreSQL & SELinux problem
...and it tried to init the database, I got a bunch of
SELinux errors:
Mar 3 13:24:22 dirty kernel: audit(1109874262.006:0): avc: denied {
read } for pid=3138 exe=/usr/bin/postgres path=/tmp/sh-thd-1109856265
(deleted) dev=md2 ino=377572 scontext=root:system_r:postgresql_t
tcontext=root:object_r:tmp_t tclass=file
Mar 3 13:24:22 dirty kernel: audit(1109874262.195:0): avc: denied {
read } for pid=3139 exe=/usr/bin/postgres path=/tmp/sh-thd-1109873603
(deleted) dev=md2 ino=377572 scontext=root:system_r:postgresql_t
tcontext=root:object_r:tmp_t tclass=file
Mar 3 13:24:22 dirty kernel: audit(110...
2015 Oct 09
2
CentOS-6 SSHD chroot SELinux problem
...t_user_t ==============
allow chroot_user_t cyphesis_port_t:tcp_socket name_connect;
allow chroot_user_t user_home_t:chr_file open;
#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the
following types:
# var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t,
syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile,
cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t,
cluster_conf_t, tmp_t
allow syslogd_t user_home_t:dir write;
My questions are:
Do SE booleans settings exist that permit chrooted ssh access to
forward...
2014 Dec 04
0
Postfix avc (SELinux)
...xec_t:file execute;
allow amavis_t sysfs_t:dir search;
#============= clamscan_t ==============
allow clamscan_t amavis_spool_t:dir read;
#============= logwatch_mail_t ==============
allow logwatch_mail_t usr_t:lnk_file read;
#============= postfix_master_t ==============
allow postfix_master_t tmp_t:dir read;
#============= postfix_postdrop_t ==============
allow postfix_postdrop_t tmp_t:dir read;
#============= postfix_showq_t ==============
allow postfix_showq_t tmp_t:dir read;
#============= postfix_smtp_t ==============
allow postfix_smtp_t postfix_spool_maildrop_t:file { read write get...
2014 Dec 05
0
Postfix avc (SELinux)
...or has it been backported? Both amavisd-new and clamav are provided via the
epel repository.
>> #============= logwatch_mail_t ==============
>> allow logwatch_mail_t usr_t:lnk_file read;
>>
>> #============= postfix_master_t ==============
>> allow postfix_master_t tmp_t:dir read;
>>
>> #============= postfix_postdrop_t ==============
>> allow postfix_postdrop_t tmp_t:dir read;
>>
>> #============= postfix_showq_t ==============
>> allow postfix_showq_t tmp_t:dir read;
> Any reason postfix would be listing the contents of /tm...
2009 Apr 15
2
SELinux and "i_stream_read() failed: Permission denied"
...;unlink()"
(remove) the temporary file. Previous errors occurred during attempts to
"stat()" and "creat()" (sic) the temporary files.
Basically, the "dovecot_deliver_t" context needs to be able to create,
read, write and remove files in the /tmp directory ("tmp_t" context).
Below, I am pasting my "local_postfix.te" SELinux policy file. It includes
instructions for using it, and for figuring out how to do other SELinux
policy adjustments on your own. This is my COMPLETE Postfix+Dovecot
SELinux policy group. I also have policies for Spamassass...
2014 Jun 30
0
Login failure with SElinux enforcing + Sqlite user DB
...e"
audispd: node=myhost.somewhere type=CWD msg=audit(1404144754.513:46369): cwd="/var/run/dovecot"
audispd: node=myhost.somewhere type=PATH msg=audit(1404144754.513:46369): item=0 name="/var/tmp/" inode=2 dev=fb:01 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
audispd: node=myhost.somewhere type=PATH msg=audit(1404144754.513:46369): item=1 name="/var/tmp/sqlite_vxCdWSgpDUDm7VV" inode=98307 dev=fb:01 mode=0100600 ouid=8 ogid=12 rdev=00:00 obj=system_u:object_r:tmp_t:s0
audispd: node=myhost.somewhere type=EOE msg=audit(1404144754.513:46369):?...
2020 Sep 24
2
Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
...0 at 12:39:02PM +0200, Pino Toscano wrote:
...
> There are various cases when, even on an enforcing system, labels are
> not kept up-to-date:
>
> $ getenforce
> Enforcing
> $ touch /tmp/test
> $ ls -lZ /tmp/test
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /tmp/test
> $ mv /tmp/test ~/var/
> $ ls -lZ ~/var/test
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test
> $ restorecon -v ~/var/test
> Relabeled /home/ptoscano/var/test from unconfined_u:object_r:user_tm...
2020 Sep 24
1
Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
On Thu, Sep 24, 2020 at 02:16:24PM +0200, Pino Toscano wrote:
> On Thursday, 24 September 2020 13:53:57 CEST Richard W.M. Jones wrote:
> > > Considering that /tmp is a general location for temporary files, it's
> > > common that files may end with a tmp_t-alike label when moved back to
> > > the destination place (e.g. after a rename()). That is not the only
> > > situation like this that I saw in the past.
> > >
> > > In permissive mode, all these situations are logged in the audit log,
> > > yes, but th...
2015 Sep 11
1
libguestfs failure
...uot;TMPDIR" value="/var/tmp"/>\n </qemu:commandline>\n</domain>\n
libguestfs: command: run: ls
libguestfs: command: run: \ -a
libguestfs: command: run: \ -l
libguestfs: command: run: \ -Z /var/tmp/.guestfs-0
libguestfs: drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 .
libguestfs: drwxrwxrwt. root root system_u:object_r:tmp_t:s0 ..
libguestfs: drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0
appliance.d
libguestfs: -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 lock
libguestfs: command: run: ls
libguestfs: command: run: \ -a
libgues...
2020 Sep 24
0
Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
On Thursday, 24 September 2020 13:53:57 CEST Richard W.M. Jones wrote:
> > Considering that /tmp is a general location for temporary files, it's
> > common that files may end with a tmp_t-alike label when moved back to
> > the destination place (e.g. after a rename()). That is not the only
> > situation like this that I saw in the past.
> >
> > In permissive mode, all these situations are logged in the audit log,
> > yes, but they cause no blocks nor er...
2014 Dec 09
0
Postfix avc (SELinux)
On Mon, December 8, 2014 20:01, Daniel J Walsh wrote:
>
> rpm -q selinux-policy
>
> selinux-policy-3.7.19-260.el6 is the current policy in development.
>>
Thank you.
>>>> #============= postfix_showq_t ==============
>>>> allow postfix_showq_t tmp_t:dir read;
>>> Any reason postfix would be listing the contents of /tmp or /var/tmp?
>>> Did you put some content into these directories that have something to
>>> do with mail?
>> That question I need to put to the Postfix mailing list. I see nothing in the
>> sp...
2014 Dec 12
0
More avc's wrt to email
...hings I see are these:
audit2allow -l -a
#============= amavis_t ==============
allow amavis_t sysfs_t:dir read;
allow amavis_t sysfs_t:file open;
#============= clamscan_t ==============
#!!!! The source type 'clamscan_t' can write to a 'dir' of the following types:
# clamscan_tmp_t, clamd_var_lib_t, tmp_t, root_t
allow clamscan_t amavis_spool_t:dir write;
#============= postfix_smtp_t ==============
allow postfix_smtp_t postfix_spool_maildrop_t:file open;
#============= spamd_t ==============
allow spamd_t etc_runtime_t:file append;
Is there anything wrong with just crea...
2015 Oct 27
0
CentOS-6.6 SELinux questions
...============ clamd_t ==============
allow clamd_t sysctl_vm_t:dir search;
#============= mailman_mail_t ==============
#!!!! The source type 'mailman_mail_t' can write to a 'dir' of the
following types:
# mailman_log_t, mailman_data_t, mailman_lock_t, mailman_archive_t,
var_lock_t, tmp_t, mailman_mail_tmp_t, var_log_t, root_t
allow mailman_mail_t lib_t:dir write;
#============= named_t ==============
allow named_t sysctl_vm_t:dir search;
#============= postfix_postdrop_t ==============
allow postfix_postdrop_t fail2ban_tmp_t:file { read write };
#============= syslogd_t =======...
2020 Apr 13
0
SELinux denies login
...remove the old
cache file. The AVC follows:
type=AVC msg=audit(1586670874.327:73041): avc: denied { unlink } for
pid=28735 comm="krb5_child" name="krb5cc_1985100122_oxJnH7" dev="dm-0"
ino=67978294 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
The policy allows sssd_t to unlink user_tmp_type:
sesearch -s sssd_t --allow:
allow sssd_t user_tmp_type : file { ioctl read write create getattr
setattr lock relabelfrom relabelto append unlink link rename open } ;
Is the problem that the credential cache f...
2008 Jul 29
0
Samba, SELinux and system created directories
...setsebool -P samba_export_all_rw on' is actually
supposed to do? I'm trying to share /tmp via samba and am seeing the same
results with samba_export_all_rw set to on or off.
Maybe I'm misunderstanding what this is intended to do but from windows I
cannot see files in /tmp with 'tmp_t' security context (as shown by ls -lZ
/tmp). I do see those with 'smbd_tmp_t' which are files placed there from
windows via samba. I assumed that this boolean, when on, would allow
samba to see files in /tmp regardless of security context. I did try
'touch /.autorelabel'...
2009 Dec 15
2
SerNet package spool directory
Hi Volker,
It would be useful if your 3.3.9 build (currently in recent) included
the /var/spool/samba directory - it just took me a while to figure out
why Samba printing wasn't working on a new EL5 server ;-)
Moray.
"To err is human. To purr, feline"
2020 Sep 24
3
Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)
On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote:
> Do not attempt to relabel a guest in case its SELinux enforcing mode is
> not "enforcing", as it is either pointless, or it may fail because of an
> invalid policy configured.
> ---
> mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++-
> 1 file changed, 25 insertions(+), 1 deletion(-)
>