Displaying 20 results from an estimated 22 matches for "unix_stream_socket".

2019 May 27
2
[PATCH] Use proper label for nbdkit sockets
...ntee that it will be accessible from a virtual machine. The VM might be running under svirt_tcg_t context which will need a svirt_tcg_t label on the socket in order to access it. There is, however, another label, svirt_socket_t, which is accessible from virt_domain: # sesearch -A -s svirt_t -c unix_stream_socket -p connectto ... allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... }; ... And virt_domain is a type attribute of both svirt_t and svirt_tcg_t: # seinfo -x -a virt_domain Type Attributes: 1 attribute virt_domain; svirt_t svirt_tcg_t Resolve...
2017 Apr 25
2
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...tenforce enforcing > > This process is less iterative, which can save a *lot* of time > building some policies. This made the same content as before that caused problems: module myservice_policy 1.0; require { type dovecot_t; type mysqld_etc_t; type mysqld_t; class unix_stream_socket connectto; class file { getattr open read }; class dir read; } #============= dovecot_t ============== allow dovecot_t mysqld_etc_t:dir read; allow dovecot_t mysqld_etc_t:file { getattr open read }; #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system. #!!!! F...
2008 Aug 01
2
BackupPC 3.1.0 on CentOS 5.2 triggers SE Linux denial
...am hitting an SE Linux denial - the httpd cannot talk to the BackupPC socket: type=AVC msg=audit(07/31/2008 17:18:53.623:410) : avc: denied { connectto } for pid=11767 comm=httpd path=/var/log/BackupPC/BackupPC.sock scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=unix_stream_socket type=AVC msg=audit(07/31/2008 17:18:53.623:410) : avc: denied { write } for pid=11767 comm=httpd name=BackupPC.sock dev=md0 ino=39813253 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=sock_file Is there an easy way to fix this, like setting the BackupPC.sock f...
2008 Aug 26
3
Amavisd Howto
...{ type traceroute_port_t; type amavis_t; type postfix_spool_t; type clamd_t; type amavis_var_lib_t; type sysctl_kernel_t; type var_t; type postfix_smtpd_t; type initrc_t; type proc_t; class unix_stream_socket connectto; class file { read getattr }; class sock_file write; class lnk_file { read create unlink getattr }; class udp_socket name_bind; class dir { read search }; } #============= amavis_t ============== allow amavis_t amavis_var_lib_t:lnk_file {...
2019 May 28
0
Re: [PATCH] Use proper label for nbdkit sockets
...ccess it. I don't really know enough about SELinux or the sVirt policy to comment on this, but it's plausible so I'll push it soon, thanks. Rich. > There is, however, another label, svirt_socket_t, which is accessible from > virt_domain: > > # sesearch -A -s svirt_t -c unix_stream_socket -p connectto > ... > allow virt_domain svirt_socket_t:unix_stream_socket { ... connectto ... }; > ... > > And virt_domain is a type attribute of both svirt_t and svirt_tcg_t: > > # seinfo -x -a virt_domain > Type Attributes: 1 > attribute virt_domain; >...
2017 Apr 26
0
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...> page and contact him directly to discuss the post. > > See: http://firstyear.id.au/blog/html/2011/07/05/SELinux_for_postfix_+_dovecot.html This page is about postfix and mysql, not dovecot and mysql. It does validate the allow that is failing on my system: allow dovecot_t mysqld_t:unix_stream_socket connectto; > > On this post referenced above, the author has a sample SELinux policy for postfix/dovecot and mysql. > While the post references an e-mail setup guide link that is no longer reachable, the policy file is still present in text. > > This URL: https://mgrepl.fedor...
2017 Apr 25
0
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...[sigpage] Apr 25 05:13:16 z9m9z dovecot: dict: Error: ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors] Which go away if I setenforce 0. :( myservice_policy.te has: module myservice_policy 1.0; require { type dovecot_t; type mysqld_etc_t; type mysqld_t; class unix_stream_socket connectto; class file { getattr open read }; class dir read; } #============= dovecot_t ============== allow dovecot_t mysqld_etc_t:dir read; allow dovecot_t mysqld_etc_t:file { getattr open read }; #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system. #!!!! F...
2009 Apr 15
2
SELinux and "i_stream_read() failed: Permission denied"
...getattr ioctl link lock read rename setattr write unlink }; class dir { add_name getattr create read remove_name \ rename write search setattr rmdir }; class fifo_file { getattr write }; class filesystem getattr; class sock_file write; class unix_stream_socket { connectto getattr read write }; } #============= dovecot_t =============== allow dovecot_t home_root_t:file { create getattr link lock \ read rename setattr unlink write }; allow dovecot_t home_root_t:dir { add_name create remove_name write }; #============= dovecot_deliver_t ============== al...
2017 Apr 25
2
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 11:07 +0200, Robert Moskowitz wrote: > > On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote: > > On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote: > >> Thanks Laurent. You obviously know a LOT more about SELinux than I. I > >> pretty much just use commands and not build policies. So I need some > >> more
2008 Mar 03
1
Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
...sox_t lib_t:dir search; allow rawsox_t lib_t:file { read getattr execute }; allow rawsox_t lib_t:lnk_file read; allow rawsox_t usr_t:dir search; allow rawsox_t self:capability { net_raw setuid }; allow rawsox_t self:rawip_socket { create ioctl read write bind getopt setopt }; allow rawsox_t self:unix_stream_socket { create_socket_perms };
2017 Apr 26
6
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...; >> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system. >> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock >> #!!!! This avc can be allowed using the boolean >> 'daemons_enable_cluster_mode' >> allow dovecot_t mysqld_t:unix_stream_socket connectto; >> >> What do these 3 comments mean? > > I'm not sure about the first two. The context you see is the same I > see on the one system where I run mysqld. Running restorecon doesn't > change that context. > > As for the latter, it sounds like you s...
2017 Apr 26
2
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
Robert, in regards to your Postfix and Dovecot issue with MySQL and SELinux, > Apr 26 01:25:45 z9m9z dovecot: dict: Error: > mysql(/var/lib/mysql/mysql.sock): Connect failed to database > (postfix): Can't connect to local MySQL server through socket > '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry > Apr 26 01:25:45 z9m9z dovecot: dict: Error:
2017 Apr 25
5
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote: > Thanks Laurent. You obviously know a LOT more about SELinux than I. I > pretty much just use commands and not build policies. So I need some > more information here. > > From what you provided below, how do I determine what is currently in > place and how do I add your stuff (changing postgresql with
2012 Jun 15
1
Puppet + Passenger SELinux issues
...nux-passenger-and-puppet-oh-my/comment-page-1/ . module puppet_passenger 1.7; require { type bin_t; type devpts_t; type httpd_t; type passenger_t; type port_t; type proc_net_t; class process { getattr siginh setexec sigchld noatsecure transition rlimitinh }; class unix_stream_socket { getattr accept read write }; class capability { sys_resource sys_ptrace }; class file { entrypoint open create relabelfrom relabelto getattr setattr read write append ioctl lock rename link unlink }; class lnk_file { getattr read }; class udp_socket name_bind; class dir { geta...
2009 Oct 04
2
deliver stopped working
...type postfix_bounce_t; type ntpd_t; type kernel_t; type postfix_master_t; type rpcd_t; type dovecot_t; type klogd_t; type udev_t; type clamd_t; type mysqld_port_t; type initrc_var_run_t; type var_t; type postfix_qmgr_t; type postfix_pipe_t; type crond_t; class process ptrace; class unix_stream_socket connectto; class tcp_socket { name_bind name_connect }; class file { rename execute read lock create ioctl execute_no_trans write getattr link unlink }; class sock_file { setattr create write getattr unlink }; class lnk_file { read getattr }; class dir { search setattr read create write getatt...
2012 Nov 26
0
Installation and Setup of Samba4 AD DC on CentOS6
...ry. The result looked like this: ---***--- module samba4local 1.0; require { type initrc_t; type named_t; type named_var_run_t; type ntpd_t; type ntpd_var_run_t; type smbd_t; type samba_unconfined_script_exec_t; type urandom_device_t; type var_lock_t; class unix_stream_socket connectto; class unix_dgram_socket sendto; class sock_file write; class chr_file write; class file { read write getattr open lock }; class dir { read search }; } #============= named_t ============== allow named_t urandom_device_t:chr_file write; #============= ntpd_t ========...
2017 Apr 26
0
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...at are the problems? > #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system. > #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock > #!!!! This avc can be allowed using the boolean > 'daemons_enable_cluster_mode' > allow dovecot_t mysqld_t:unix_stream_socket connectto; > > What do these 3 comments mean? I'm not sure about the first two. The context you see is the same I see on the one system where I run mysqld. Running restorecon doesn't change that context. As for the latter, it sounds like you should be able to remove your custom...
2017 Apr 26
0
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...'/var/lib/mysql/mysql.sock' is mislabeled on your >>> system. >>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock >>> #!!!! This avc can be allowed using the boolean >>> 'daemons_enable_cluster_mode' >>> allow dovecot_t mysqld_t:unix_stream_socket connectto; >>> >>> What do these 3 comments mean? >> >> I'm not sure about the first two. The context you see is the same I >> see on the one system where I run mysqld. Running restorecon doesn't >> change that context. >> >> As for...
2023 Nov 03
0
selinux blocks rsync client in systemd service
...ain socket in init_t context. I'm guessing it's trying to write to stdout which is getting redirected to systemd's log. The service unit file has StandardOutput=syslog in order to capture the list of files backed up. The following selinux rule seems to fix this: allow rsync_t init_t:unix_stream_socket { getattr read write }; I also found it necessary to add --no-devices and --no-specials to my backup script, but I can live with that. A few devices show up in chroots and postfix has some sockets in its package. Those are easily recreated if I need to do a restore. So is this selinux rule an...
2018 Sep 09
1
Type enforcement / mechanism not clear
On 09/09/2018 07:19 AM, Daniel Walsh wrote: > sesearch -A -s httpd_t -t system_conf_t -p read > > If you feel that these files should not be part of the base_ro_files > then we should open that for discussion. I think the question was how users would know that the policy allowed access, as he was printing rules affecting httpd_t's file read access, and looking for