search for: unconfined

Displaying 20 results from an estimated 61 matches for "unconfined".

Did you mean: confined
2015 Jan 23
2
How to prevent root from managing/disabling SELinux
At work I'm used to tools like eTrust Access Control (aka SEOS). eTrust takes away the ability to manage the eTrust config from root and puts it in the hands of "security admin". So there's a good separation of duties; security admin control the security ruleset, but are limited by the OS permissions (so even if they granted themselves permission to modify /etc/shadow, the
2014 Jul 09
7
[Bug 81072] New: GPU lockup after "read fault at 0x0000039000 [PAGE_NOT_PRESENT]"
https://bugs.freedesktop.org/show_bug.cgi?id=81072 Priority: medium Bug ID: 81072 Assignee: nouveau at lists.freedesktop.org Summary: GPU lockup after "read fault at 0x0000039000 [PAGE_NOT_PRESENT]" QA Contact: xorg-team at lists.x.org Severity: normal Classification: Unclassified OS:
2019 Mar 28
1
Error Starting domain: Failed to page size of file
...e without any shared memory, the interface might not be operational Mar 28 18:03:04 dpdk-OptiPlex-5040 kernel: [ 4023.292264] audit: type=1400 audit(1553776384.755:31): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirt-41b4eef0-b820-41da-9034-9de22e1379e0" pid=8689 comm="apparmor_parser" Mar 28 18:03:04 dpdk-OptiPlex-5040 kernel: [ 4023.292503] audit: type=1400 audit(1553776384.755:32): apparmor="STATUS" operation="profile_replace" info="same as cur...
2019 Jan 28
1
Samba and UFW
...martin-RB042AV-ABA-a1410y dbus-daemon[651]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.11' (uid=0 pid=678 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined") Jan 28 10:11:23 martin-RB042AV-ABA-a1410y systemd[1]: Starting Network Manager Script Dispatcher Service... Jan 28 10:11:23 martin-RB042AV-ABA-a1410y dbus-daemon[651]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher' Jan 28 10:11:23 martin-RB042AV-ABA-a1410y...
2017 Feb 23
4
Introduction / Edit group access for HowTos/SELinux
Hi, Wiki username is: GaryTierney I'd like to add some additional content to the HowTos/SELinux wiki page. More specifically: additional tips on troubleshooting SELinux problems using setools-console and audit utils, using Role-Based Access Control instead of the default unconfined user configuration, and some pointers on authoring local policies (some content specifically for the new SELinux userspace 2.5 release on EL 7.3). It'd also be good to be able to continously update the HowTos/SELinux page, as I have a bunch of docs that I'm working on locally in AsciiDo...
2011 Dec 15
3
GUIs para R en 'jaulas' ssh con JailKit y chroot
Hola: En el trabajo tengo que montar acceso a investigadores a uno de los servidores de cálculo de la unidad, y he conseguido ya montar un R dentro de una jaula ssh con JailKit (chroot). http://olivier.sessink.nl/jailkit/ https://launchpad.net/jailkit Ahora bien, quería probar que los usuarios pudieran también abrir alguna GUI al conectarse con ''ssh -X foo@server'' (por
2018 Jun 15
0
shellinabox via proxy(apache)
hi guys, cannot get it to work - shellinabox - not being programmer nor selinux sorcerer. shellinabox via apache, when I ausearch it all I get is: #============= unconfined_service_t ============== #!!!! The file '/usr/bin/bash' is mislabeled on your system. #!!!! Fix with $ restorecon -R -v /usr/bin/bash allow unconfined_service_t unconfined_t:process transition; I have shellinabox in Apache's: <Location /cmd> AuthType Basic AuthName &quo...
2009 Oct 25
1
Running SSH on a different port (with SELinux)
Hello everyone, Now after the recent discussion on running SSH on a different port, I decided to start a new thread but with SELinux involved. Assuming that you have SELinux enabled, and that you changed the default port for SSHD, let say for 1234, when I restart SSHD I don't get any AVC denials. This is the output of: semanage -l port | grep ssh ssh_port_t tcp
2018 Mar 20
2
selinux: how to allow access?
.... > So what do you really gain from selinux, and is that worthwhile all > the trouble and the hours spent to fix the problems it creates? What > about the impact on performance? The main feature is that lots of software is indeed confined (even though your normal login or desktop remains unconfined). This is exactly what happens to exim in your case. It is exim_t not unconfined_t which means when/if it goes crazy (or is exploited) the damage can be limited. For some people it's also useful that it provides the ability to define user types (see "semanage user --list"). /Peter...
2015 Oct 21
6
Security implications of openssl098e on CentOS 7
...ation standpoint. It really depends on the location > of the machine. Is it deep in the bowels of your high security nuclear > bunker on an air gap network or is is merrily accepting incoming traffic > from China? Is the software is using an appropriate SELinux policy or is it > running unconfined or with SELinux turned off? > > It seems the PCI-DSS describe a set of simple rules to get IT managers > thinking but they are somewhat open to interpretation. Are you abiding to > the spirit of the regulations? The particular software requiring 0.9.8 is performing backups of the syste...
2015 Nov 09
1
After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
...rly a 'cd /' and an 'env -i' there. It does preserve $PATH though (also $TERM), which I view as a dirty environment. > No revision of the service command took > place to cope with context when SELinux appeared and so the service > inherits the current context, usually unconfined (which is wildly > wrong). Sometimes doing it this way is useful, but not often and when > it is one can invoke the service's init script directly. I'm pretty sure that what happens is that service runs the service scripts in /etc/rc.d/init.d/, which all have labels on them that i...
2015 Nov 08
2
After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine
On Fri, Nov 06, 2015 at 07:23:59PM -0800, Gordon Messmer wrote: > On 11/06/2015 06:30 PM, Jobst Schmalenbach wrote: > >What troubles me that a simple restart of the daemon fixes everything but it does not come up on reboot. > > Running the service script manually may not give you the same > selinux context as on boot. Services should be started using > "run_init"
2018 Mar 16
3
selinux: how to allow access?
On 16/03/18 18:37, Alexander Dalloz wrote: > Am 16.03.2018 um 13:09 schrieb hw: >> On 03/16/2018 12:14 PM, Richard Grainger wrote: >>>> Yet again I could not find any documentation explaining how to do basic >>>> things like this :(? Selinux is more like a curse than anything else >>>> :( Why >>>> is there not even a good documentation?
2014 Apr 16
2
Re: LXC + USB passthrough = Operation not permitted
...t-script /usr/lib/libvirt/virt-aa-helper /usr/sbin/libvirtd /usr/sbin/ntpd /usr/sbin/rsyslogd /usr/sbin/tcpdump 3 processes have profiles defined. 0 processes are in enforce mode. 2 processes are in complain mode. /usr/sbin/libvirtd (30419) /usr/sbin/ntpd (3418) 1 processes are unconfined but have a profile defined. /usr/sbin/rsyslogd (626) And still get issues. From libvirtd.log: 2014-04-16 22:19:10.855+0000: 30419: info : libvirt version: 1.2.2 2014-04-16 22:19:10.855+0000: 30419: error : virNetSocketReadWire:1446 : Cannot recv data: Connection reset by peer 2014-04-16 22:19:...
2019 May 01
1
Brasero/cdrecord/growisofs with selinux users confined to staff_u
...This seems like a reasonable task for a Gnome user to do with out escalating privilege. I can't explain why growisofs needs getattr on all those disk devices, or why it "should" be denied. I have not texted extensively outside of the current scenario, but I do believe if the user is unconfined the burn process works as expected. There is a very old Fedora bug suggesting similar, but not identical behavior: https://bugzilla.redhat.com/show_bug.cgi?id=479014 --Sean
2015 Oct 21
5
Security implications of openssl098e on CentOS 7
Greetings, I'm working with a new CentOS 7 installation, moving a system up from CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance requirements. However, while setting up the CentOS 7 environment one of the closed source applications is requiring 0.9.8. The software vendor has advised installing package openssl098e from yum; but I'm hesitant to do so from a
2014 Aug 07
2
Exit status code 134; what is it, in the context of Dovecot Antispam plug-in?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 7 Aug 2014, Ben Johnson wrote: > On 7/29/2014 11:20 AM, Ben Johnson wrote: >> On 7/29/2014 3:13 AM, Steffen Kaiser wrote: >>> On Mon, 28 Jul 2014, Ben Johnson wrote: >>> >>>> I have some debugging output in my pipe script; the output looks >>> >>> How does your script looks like?
2020 Jan 12
2
Display broken after resume from suspend
...ap on /dev/mapper/vgubuntu-swap_1. Priority:-2 extents:1 across:1003516k SSFS [ 12.268098] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null) [ 12.329682] audit: type=1400 audit(1578863114.057:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-senddoc" pid=916 comm="apparmor_parser" [ 12.331469] audit: type=1400 audit(1578863114.057:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/ippusbxd" pid=918 comm="apparmor_...
2017 Feb 23
1
Introduction / Edit group access for HowTos/SELinux
...t; Wiki username is: GaryTierney > > I'd like to add some additional content to the HowTos/SELinux wiki page. > More specifically: additional tips on troubleshooting SELinux problems using > setools-console and audit utils, using Role-Based Access Control instead of > the default unconfined user configuration, and some pointers on authoring > local policies (some content specifically for the new SELinux userspace 2.5 > release on EL 7.3). > > It'd also be good to be able to continously update the HowTos/SELinux page, > as I have a bunch of docs that I'm working...
2017 Feb 23
0
Introduction / Edit group access for HowTos/SELinux
...GaryTierney >> >> I'd like to add some additional content to the HowTos/SELinux wiki page. >> More specifically: additional tips on troubleshooting SELinux problems using >> setools-console and audit utils, using Role-Based Access Control instead of >> the default unconfined user configuration, and some pointers on authoring >> local policies (some content specifically for the new SELinux userspace 2.5 >> release on EL 7.3). >> >> It'd also be good to be able to continously update the HowTos/SELinux page, >> as I have a bunch of docs t...