search for: unconfin

Displaying 20 results from an estimated 61 matches for "unconfin".

2015 Jan 23
2
How to prevent root from managing/disabling SELinux
At work I'm used to tools like eTrust Access Control (aka SEOS). eTrust takes away the ability to manage the eTrust config from root and puts it in the hands of "security admin". So there's a good separation of duties; security admin control the security ruleset, but are limited by the OS permissions (so even if they granted themselves permission to modify /etc/shadow, the
2014 Jul 09
7
[Bug 81072] New: GPU lockup after "read fault at 0x0000039000 [PAGE_NOT_PRESENT]"
https://bugs.freedesktop.org/show_bug.cgi?id=81072 Priority: medium Bug ID: 81072 Assignee: nouveau at lists.freedesktop.org Summary: GPU lockup after "read fault at 0x0000039000 [PAGE_NOT_PRESENT]" QA Contact: xorg-team at lists.x.org Severity: normal Classification: Unclassified OS:
2019 Mar 28
1
Error Starting domain: Failed to page size of file
...e without any shared memory, the interface might not be operational Mar 28 18:03:04 dpdk-OptiPlex-5040 kernel: [ 4023.292264] audit: type=1400 audit(1553776384.755:31): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirt-41b4eef0-b820-41da-9034-9de22e1379e0" pid=8689 comm="apparmor_parser" Mar 28 18:03:04 dpdk-OptiPlex-5040 kernel: [ 4023.292503] audit: type=1400 audit(1553776384.755:32): apparmor="STATUS" operation="profile_replace" info="same as c...
2019 Jan 28
1
Samba and UFW
...martin-RB042AV-ABA-a1410y dbus-daemon[651]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.11' (uid=0 pid=678 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined") Jan 28 10:11:23 martin-RB042AV-ABA-a1410y systemd[1]: Starting Network Manager Script Dispatcher Service... Jan 28 10:11:23 martin-RB042AV-ABA-a1410y dbus-daemon[651]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher' Jan 28 10:11:23 martin-RB042AV-ABA-a141...
2017 Feb 23
4
Introduction / Edit group access for HowTos/SELinux
Hi, Wiki username is: GaryTierney I'd like to add some additional content to the HowTos/SELinux wiki page. More specifically: additional tips on troubleshooting SELinux problems using setools-console and audit utils, using Role-Based Access Control instead of the default unconfined user configuration, and some pointers on authoring local policies (some content specifically for the new SELinux userspace 2.5 release on EL 7.3). It'd also be good to be able to continuously update the HowTos/SELinux page, as I have a bunch of docs that I'm working on locally in Ascii...
2011 Dec 15
3
GUIs for R in ssh 'jails' with JailKit and chroot
Hello: At work I have to set up access for researchers to one of the unit's compute servers, and I have already managed to set up R inside an ssh jail with JailKit (chroot). http://olivier.sessink.nl/jailkit/ https://launchpad.net/jailkit Now, I wanted to test whether users could also open some GUI when connecting with ''ssh -X foo@server'' (for
2018 Jun 15
0
shellinabox via proxy(apache)
hi guys, cannot get it to work - shellinabox - not being programmer nor selinux sorcerer. shellinabox via apache, when I ausearch it all I get is: #============= unconfined_service_t ============== #!!!! The file '/usr/bin/bash' is mislabeled on your system. #!!!! Fix with $ restorecon -R -v /usr/bin/bash allow unconfined_service_t unconfined_t:process transition; I have shellinabox in Apache's: <Location /cmd> AuthType Basic AuthName "...
2009 Oct 25
1
Running SSH on a different port (with SELinux)
Hello everyone, Now after the recent discussion on running SSH on a different port, I decided to start a new thread but with SELinux involved. Assuming that you have SELinux enabled, and that you changed the default port for SSHD, let's say for 1234, when I restart SSHD I don't get any AVC denials. This is the output of: semanage -l port | grep ssh ssh_port_t tcp
2018 Mar 20
2
selinux: how to allow access?
.... > So what do you really gain from selinux, and is that worthwhile all > the trouble and the hours spent to fix the problems it creates? What > about the impact on performance? The main feature is that lots of software is indeed confined (even though your normal login or desktop remains unconfined). This is exactly what happens to exim in your case. It is exim_t not unconfined_t which means when/if it goes crazy (or is exploited) the damage can be limited. For some people it's also useful that it provides the ability to define user types (see "semanage user --list"). /Pete...
2015 Oct 21
6
Security implications of openssl098e on CentOS 7
...ation standpoint. It really depends on the location > of the machine. Is it deep in the bowels of your high security nuclear > bunker on an air gap network or is it merrily accepting incoming traffic > from China? Is the software using an appropriate SELinux policy or is it > running unconfined or with SELinux turned off? > > It seems the PCI-DSS describe a set of simple rules to get IT managers > thinking but they are somewhat open to interpretation. Are you abiding to > the spirit of the regulations? The particular software requiring 0.9.8 is performing backups of the sys...
2015 Nov 09
1
After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
...rly a 'cd /' and an 'env -i' there. It does preserve $PATH though (also $TERM), which I view as a dirty environment. > No revision of the service command took > place to cope with context when SELinux appeared and so the service > inherits the current context, usually unconfined (which is wildly > wrong). Sometimes doing it this way is useful, but not often and when > it is one can invoke the service's init script directly. I'm pretty sure that what happens is that service runs the service scripts in /etc/rc.d/init.d/, which all have labels on them that...
2015 Nov 08
2
After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
On Fri, Nov 06, 2015 at 07:23:59PM -0800, Gordon Messmer wrote: > On 11/06/2015 06:30 PM, Jobst Schmalenbach wrote: > >What troubles me that a simple restart of the daemon fixes everything but it does not come up on reboot. > > Running the service script manually may not give you the same > selinux context as on boot. Services should be started using > "run_init"
2018 Mar 16
3
selinux: how to allow access?
On 16/03/18 18:37, Alexander Dalloz wrote: > Am 16.03.2018 um 13:09 schrieb hw: >> On 03/16/2018 12:14 PM, Richard Grainger wrote: >>>> Yet again I could not find any documentation explaining how to do basic >>>> things like this :(? Selinux is more like a curse than anything else >>>> :( Why >>>> is there not even a good documentation?
2014 Apr 16
2
Re: LXC + USB passthrough = Operation not permitted
...t-script /usr/lib/libvirt/virt-aa-helper /usr/sbin/libvirtd /usr/sbin/ntpd /usr/sbin/rsyslogd /usr/sbin/tcpdump 3 processes have profiles defined. 0 processes are in enforce mode. 2 processes are in complain mode. /usr/sbin/libvirtd (30419) /usr/sbin/ntpd (3418) 1 processes are unconfined but have a profile defined. /usr/sbin/rsyslogd (626) And still get issues. From libvirtd.log: 2014-04-16 22:19:10.855+0000: 30419: info : libvirt version: 1.2.2 2014-04-16 22:19:10.855+0000: 30419: error : virNetSocketReadWire:1446 : Cannot recv data: Connection reset by peer 2014-04-16 22:1...
2019 May 01
1
Brasero/cdrecord/growisofs with selinux users confined to staff_u
...This seems like a reasonable task for a Gnome user to do without escalating privilege. I can't explain why growisofs needs getattr on all those disk devices, or why it "should" be denied. I have not tested extensively outside of the current scenario, but I do believe if the user is unconfined the burn process works as expected. There is a very old Fedora bug suggesting similar, but not identical behavior: https://bugzilla.redhat.com/show_bug.cgi?id=479014 --Sean
2015 Oct 21
5
Security implications of openssl098e on CentOS 7
Greetings, I'm working with a new CentOS 7 installation, moving a system up from CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance requirements. However, while setting up the CentOS 7 environment one of the closed source applications is requiring 0.9.8. The software vendor has advised installing package openssl098e from yum; but I'm hesitant to do so from a
2014 Aug 07
2
Exit status code 134; what is it, in the context of Dovecot Antispam plug-in?
On Thu, 7 Aug 2014, Ben Johnson wrote: > On 7/29/2014 11:20 AM, Ben Johnson wrote: >> On 7/29/2014 3:13 AM, Steffen Kaiser wrote: >>> On Mon, 28 Jul 2014, Ben Johnson wrote: >>> >>>> I have some debugging output in my pipe script; the output looks >>> >>> How does your script look like?
2020 Jan 12
2
Display broken after resume from suspend
...ap on /dev/mapper/vgubuntu-swap_1. Priority:-2 extents:1 across:1003516k SSFS [ 12.268098] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null) [ 12.329682] audit: type=1400 audit(1578863114.057:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-senddoc" pid=916 comm="apparmor_parser" [ 12.331469] audit: type=1400 audit(1578863114.057:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/ippusbxd" pid=918 comm="apparmo...
2017 Feb 23
1
Introduction / Edit group access for HowTos/SELinux
...> Wiki username is: GaryTierney > > I'd like to add some additional content to the HowTos/SELinux wiki page. > More specifically: additional tips on troubleshooting SELinux problems using > setools-console and audit utils, using Role-Based Access Control instead of > the default unconfined user configuration, and some pointers on authoring > local policies (some content specifically for the new SELinux userspace 2.5 > release on EL 7.3). > > It'd also be good to be able to continuously update the HowTos/SELinux page, > as I have a bunch of docs that I'm workin...
2017 Feb 23
0
Introduction / Edit group access for HowTos/SELinux
...GaryTierney >> >> I'd like to add some additional content to the HowTos/SELinux wiki page. >> More specifically: additional tips on troubleshooting SELinux problems using >> setools-console and audit utils, using Role-Based Access Control instead of >> the default unconfined user configuration, and some pointers on authoring >> local policies (some content specifically for the new SELinux userspace 2.5 >> release on EL 7.3). >> >> It'd also be good to be able to continuously update the HowTos/SELinux page, >> as I have a bunch of docs...