search for: unconfined_t

Displaying 20 results from an estimated 63 matches for "unconfined_t".

2012 Aug 01
1
SELinux : please explain ...
...s on a modified CentOS-6.2 (turned into a xen-4.1 host) : I get SELinux errors, and I'm not able to understand them. From audit2why : type=AVC msg=audit(1343724164.898:298772): avc: denied { mac_admin } for pid=12399 comm="restore" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 ... and from audit2allow : #============= unconfined_t ============== allow unconfined_t self:capability2 mac_admin; I don't know what triggers these records in /var/log/audit (everything seems to...
2011 Jun 02
2
How to set selinux policy "allow httpd_t unconfined_t:shm { unix_read unix_write }; " using an seboolean? (How to get a new seboolean?)
Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled, and audit.log / audit2allow tell me I need to add the local policy: #============= httpd_t ============== allow httpd_t unconfined_t:shm { unix_read unix_write }; which I think will allow the httpd access to read and write from shared memory? Is that right? What are the risks involved in opening this? I notice it is denied by the default policy. To simplify configuration management, I would prefer to make this setting using...
2008 Apr 03
2
Selinux policy for puppet
Andreas- On Thu, Apr 3, 2008 at 8:31 AM, Andreas Rogge <a.rogge@solvention.de> wrote: > Do you have SELinux enabled? When starting puppet from init.d with SELinux enabled it runs in xinitrc_t while it should (at least imo) run in unconfined_t. Running in xinitrc_t led to *really* strange things. Everything was fixed once I deployed a policy that made puppetd run in unconfined_t. > Would you mind sharing your selinux policies for puppet? That would be one less app I will have to figure selinux out for. Also if it is okay with you I...
2014 Jan 13
1
Re: Livecd-creator is disabling selinux
...ist] On Mon, Jan 13, 2014 at 03:05:14PM -0500, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/13/2014 11:49 AM, Richard W.M. Jones wrote: > > On Mon, Jan 13, 2014 at 10:20:22AM -0500, Daniel J Walsh wrote: > >> Secondly we prevent even unconfined_t from putting down labels on the > >> file system that the kernel does not understand. IE If I am building a > >> F21 image on a RHEL6 box, it would blow up in enforcing mode if run as > >> unconfined_t. We added a special policy called livecd_t that is allowed > >...
2009 Aug 12
1
[PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context
...the daemon and all operations in the API and processes run from the daemon: $ ./fish/guestfish --ro -a /dev/mapper/vg_trick-F11x64 \ selinux 1 : \ run : \ mount /dev/vg_f11x64/lv_root / : \ sh "/usr/sbin/load_policy" : \ getcon : \ setcon "system_u:system_r:unconfined_t:s0" : \ getcon system_u:system_r:kernel_t:s0 system_u:system_r:unconfined_t:s0 Rich. -- Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Lin...
2006 Jan 23
4
su, context(selinux?) 2nd prompt
With a recent update of CentOS4, su's behavior has changed, in that after prompting for password, also prompts for (selinux?) context. I'm seeing something like: $ su Password: Your default context is root:system_r:unconfined_t. Do you want to choose a different one? [n] kde's kdesu barfs on this second prompt. Any way to disable this second prompt? -- Rex
2018 Jul 05
2
shellinabox
...inabox, do you use it? I in pretty vanilla setup get selinux denials and cannot login. Selinux says: #============= unconfined_service_t ============== #!!!! The file '/usr/bin/bash' is mislabeled on your system. #!!!! Fix with $ restorecon -R -v /usr/bin/bash allow unconfined_service_t unconfined_t:process transition; but that does not seem right to me, to allow such a transition, right? many thanks, L.
2006 Jan 19
2
error in centos 4.2
hi i just installed my system then shut it down. after booting it up i can't login to root so i did a linux rescue with the CD and when i tried to type passwd this error message appear? "user_u:system_r:unconfined_t is not authorized to change the password of root" -- Regards, Mark Quitoriano, CCNA Fan the flame... http://www.spreadfirefox.com/?q=user/register&r=19441
2013 Jul 22
1
Re: Libvirt-lxc and systemd question
...! One note, when I first ran that (using sudo), I received the following SELinux denials: type=AVC msg=audit(1374507059.429:625): avc: denied { transition } for pid=8600 comm="virsh" path="/usr/bin/bash" dev="dm-3" ino=1842877 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tclass=process type=SYSCALL msg=audit(1374507059.429:625): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f87443a7a30 a1=7f87444287e0 a2=7fff38cd3c40 a3=8 items=0 ppid=0 pid=8600 auid=1000 uid=0 gid=0 euid=0 suid=0 fsui...
2014 Apr 18
3
Starting the gotour server on CentOS 6
...at centos6-paas-dev ~]# netstat -pnaevZ Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name Security Context ... tcp 0 0 10.10.10.205:12049 0.0.0.0:* LISTEN 505 224898 9331/gotour fined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [appengine at centos6-paas-dev gotour]$ getenforce Permissive Any ideas? -- - EJR
2015 Apr 02
2
SEmodule dependency hell.
On Wed, April 1, 2015 16:09, Andrew Holway wrote: > I used the command: semanage port -m -t http_port_t -p tcp 8000 > to relabel a port. perhaps you could try: > "semanage port -m -t unconfined_t -p tcp 8000" > Failing that; would it work to run your application in the httpd_t > domain? > I ended up having to create a custom policy to allow the other application to have access to the http_port_t context. Which is not an issue given that no httpd service is, or will ever be,...
2017 Dec 04
0
Fwd: Qwery regarding Selinux Change Id context
Hi All, Thanks for the information. But after resetting the semanage User/login, and moving the targeted folder to old one and then install the default target. then also its still showing the Id context as context=*system_u:system_r:unconfined_t:s0-s0:c0.c1023.* *What I observed is after changing the permission using semanage command also, its still showing the system_u:system_r. * *Check the semanage login/User output :* *semanage login -l* *Login Name SELinux User MLS/MCS Range Service* *__default__...
2005 Dec 29
1
strange log entry
Centos 4.2 Dec 29 10:04:10 z9m9z dbus: Can't send to audit system: USER_AVC pid=1997 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=root:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus Dec 29 10:04:45 z9m9z last message repeated 7 times Dec 29 10:05:50 z9m9z last message repeated 13 times Dec 29 10:06:55 z9m9z last message repeated 13 times Dec 29 10:07:56 z9m9z last message repeated 12 times I get this entry a lot.
2005 Nov 12
0
mysqld and selinux
...comm="mysqld" name="tmp" dev=dm-0 ino=2894305 scontext=root:system_r:mysqld_t tcontext=root:object_r:root_t tclass=dir Nov 12 00:48:59 srv1 dbus: Can't send to audit system: USER_AVC pid=2839 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus Nov 12 00:49:04 srv1 dbus: Can't send to audit system: USER_AVC pid=2839 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus Nov 12 00:49:05 srv1 mysqld: Start...
2005 Nov 30
0
SELinux niggle
...to CentOS before using it on live servers. Anyway when I log into X (gnome, gdm) I start getting the following in /var/log/messages Nov 30 12:47:39 needme dbus: Can't send to audit system: USER_AVC pid=2916 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus Nov 30 12:48:10 needme last message repeated 7 times Nov 30 12:48:12 needme gconfd (MYUSERNAME-3780): Resolved address "xml:readwrite:/home/MYUSERNAME/.gconf" to a writable configuration source at position 0 Nov 30 12:48:15 needme dbus: Can...
2008 Oct 04
2
ejabberd 2.0.2 vs SELinux vs CentOS 5
...ypto libs. This message appears in the SELinux audit logs: type=AVC msg=audit(1223133076.770:102): avc: denied { execmod } for pid=3878 comm="beam.smp" path="/opt/ejabberd-2.0.2_2/lib/crypto-1.5.2/priv/linux-x86/lib/crypto_drv.so" dev=dm-0 ino=26738869 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file What do I need to do, for selinux to allow this? (Or should I take this question to an SELinux list?) FWIW, ejabberd seems to run fine while selinux is enabled. It's just when starting up, that it needs selinux to stay out of the way.
2012 Jun 15
1
Puppet + Passenger SELinux issues
...elinux-policy and see the required type of passenger_t is working so unsure why it doesn't work in my policy. The policy from audit2allow generates this when using "grep -e 'httpd\|passenger'" but it seems like too much allowance module passenger 1.0; require { type unconfined_t; type semanage_t; type init_t; type system_cronjob_t; type mysqld_t; type syslogd_t; type apmd_t; type initrc_t; type postfix_local_t; type puppet_etc_t; type setfiles_t; type rpm_t; type unlabeled_t;...
2018 Mar 20
2
selinux: how to allow access?
...e trouble and the hours spent to fix the problems it creates? What > about the impact on performance? The main feature is that lots of software is indeed confined (even though your normal login or desktop remains unconfined). This is exactly what happens to exim in your case. It is exim_t not unconfined_t which means when/if it goes crazy (or is exploited) the damage can be limited. For some people it's also useful that it provides the ability to define user types (see "semanage user --list"). /Peter K
2018 Mar 22
2
User name / session id in logs
Hello everyone, I have a question about logging. I need to find out whether it is possible to see user id/session id inside logs or somewhere else. It is not passed in structured across the network, so where should I look to find out, which user (which session) is currently performing the actions?
2006 Jul 30
1
Cannot run Wine under Fedora 6 test 1 - partial workaround found
...preter /usr/bin/wine/wine-pthread >flags: >offset 0 >magic 4d5a Then I *cannot* run the casio program directly - I get an AVC error >Jul 30 19:01:42 surfer kernel: audit(1154304102.342:1745): avc: denied { execmem } for pid=13475 comm="casio" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process * If I set the security context for the binary "casio" the same as "wine" then it runs: >[wowbaggr@surfer bin]$ ls -lZ casio >-rwxr-xr-x wowbaggr wowbaggr system_u:object_r:wine_exec_t casio This leads me...