search for: user_home_t

...permissive (or turned off altogether). This problem does not evidence itself unless the account is chrooted. The output from audit2allow is this: sudo audit2allow -l -a #============= chroot_user_t ============== allow chroot_user_t cyphesis_port_t:tcp_socket name_connect; allow chroot_user_t user_home_t:chr_file open; #============= syslogd_t ============== #!!!! The source type 'syslogd_t' can write to a 'dir' of the following types: # var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile, cluster_var_lib_t, cluster_var_ru...

...ss for now by executing: > # ausearch -c 'bash' --raw | audit2allow -M my-bash > # semodule -X 300 -i my-bash.pp > > > Additional Information: > Source Context system_u:system_r:container_t:s0:c62,c364 > Target Context unconfined_u:object_r:user_home_t:s0 > Target Objects /usr/lib/libreadline.so.8.2 [ file ] > Source bash > Source Path /bin/bash > Port <Unknown> > Host <Unknown> > Source RPM Packages ba...

On 3/22/23 12:42, Daniel P. Berrang? wrote: > On Wed, Mar 22, 2023 at 12:13:49PM +0100, Laszlo Ersek wrote: >> On 3/22/23 11:42, Laszlo Ersek wrote: >> >>> Now the "podman build -f ci/containers/alpine-edge.Dockerfile -t >>> libnbd-alpine-edge" command is failing with a different error message -- >>> the download completes, but the internal

...e rsync -aiX --fake-super --link-dest=../chk . ../to with this result: --- omitted --- user.dir1="need to test directory xattrs too" user.dir2="another xattr" user.dir3="this is one last one for the moment" +user.rsync.security.selinux="unconfined_u:object_r:user_home_t:s0" --- omitted --- for basically every file. This only happens when the --fake-super option is on. For instance line rsync-3.1.2/rsync -aiX -H --super --link-dest=../chk . ../to is not affected. Looking at the xls() method in the test, it uses 'getfattr -d'. The original files...

...labels when selinux is set to either permissive or disabled. I wasn't able to find any definitive information on this, but testing by creating a new file in my home directory showed: SELINUX=enforcing: $ rm -f test $ touch test $ ls -lZ test -rw-rw-r--. 1 rjones rjones unconfined_u:object_r:user_home_t:s0 0 Jun 24 09:48 test permissive: -rw-rw-r--. 1 rjones rjones unconfined_u:object_r:user_home_t:s0 0 Jun 24 09:49 test disabled: -rw-rw-r-- 1 rjones rjones ? 0 Jun 24 09:54 test Anyway I think we at least need to treat enforcing and permissive the same way. Rich. -- Richard Jones, Virtualiza...

https://bugzilla.samba.org/show_bug.cgi?id=10496 Summary: --itemize-changes always reports xattr changes with --xattrs --fake-super Product: rsync Version: 3.1.1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P5 Component: core AssignedTo: wayned at

...t+found or .journal there, so I guess those are really innocuous.) I dug in deeper and I found out that the source of the problem is most probably in this file: /etc/selinux/targeted/contexts/files/file_contexts.homedirs Among its contents are these lines: /usr/local/[^/]*/.+ user_u:object_r:user_home_t:s0 /usr/local/[^/]*/.*/plugins/nprhapengine\.so.* -- user_u:object_r:textrel_shlib_t:s0 /usr/local/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0 /usr/local/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0 /usr/local/[^/]*/\.mozill...

On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote: > Do not attempt to relabel a guest in case its SELinux enforcing mode is > not "enforcing", as it is either pointless, or it may fail because of an > invalid policy configured. > --- > mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++- > 1 file changed, 25 insertions(+), 1 deletion(-) >

...ep 24 12:26 /tmp/test $ mv /tmp/test ~/var/ $ ls -lZ ~/var/test -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test $ restorecon -v ~/var/test Relabeled /home/ptoscano/var/test from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0 $ ls -lZ ~/var/test -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_home_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test Considering that /tmp is a general location for temporary files, it's common that files may end with a tmp_t-alike label when moved back to the destination place...

...auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=2 comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null) # ls -aldZ /home/afarber/src (same result at both old and new VMs) drwxrwxr-x afarber afarber user_u:object_r:user_home_t /home/afarber/src # ls -aldZ /home/afarber/ drwx------ afarber afarber user_u:object_r:user_home_dir_t /home/afarber/ Does anybody please know a magic command here? Thank you Alex

On Tuesday, 5 May 2020 17:44:15 CEST Richard W.M. Jones wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1828952#c2 I think we need to do a different approach than this patch. The biggest thing is that currently we check only SELINUXTYPE for the actual policy, however we do not check SELINUX in case SELinux is in enforcing mode at all. IMHO we rather need to read

...; $ mv /tmp/test ~/var/ > $ ls -lZ ~/var/test > -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test > $ restorecon -v ~/var/test > Relabeled /home/ptoscano/var/test from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0 > $ ls -lZ ~/var/test > -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_home_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test That's definitely a weird thing. Bug maybe? > Considering that /tmp is a general location for temporary files, it's > common that files may...

...master_t; type postfix_postdrop_t; type postfix_postqueue_exec_t; type postfix_public_t; type postfix_pipe_t; type sendmail_t; type sendmail_exec_t; type src_t; type tmp_t; type usr_t; type user_home_dir_t; type user_home_t; type var_log_t; class capability { sys_nice chown }; class file { append create execute execute_no_trans \ getattr ioctl link lock read rename setattr write unlink }; class dir { add_name getattr create read remove_name \ rename write search seta...

https://bugzilla.samba.org/show_bug.cgi?id=10357 Summary: make check fails for xattr tests Product: rsync Version: 3.0.9 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P5 Component: core AssignedTo: wayned at samba.org ReportedBy: psimerda at redhat.com

...00:02 foo [adalloz at centos8 ~]$ LANG=C stat foo File: foo Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: fd02h/64770d Inode: 788575 Links: 1 Access: (0600/-rw-------) Uid: ( 1000/ adalloz) Gid: ( 1000/ adalloz) Context: unconfined_u:object_r:user_home_t:s0 Access: 2019-10-26 00:02:37.707079231 +0200 Modify: 2019-10-26 00:02:37.707079231 +0200 Change: 2019-10-26 00:04:26.920196480 +0200 Birth: - Not sure what you were doing. Alexander

Hi, I'm currently setting up a local LAMP server to test various apps. Starting from the out-of-the-box configuration of Apache, I test it, and it's OK: http://localhost shows Apache's default page OK in Firefox. Now I edit /etc/httpd/conf/httpd.conf and replace 'UserDir disabled' by 'UserDir public_html'. I restart Apache. Then, as a normal user (kikinovak): $

...> udit: type=1400 audit(1559768703.229:36): avc: denied { map } for > pid=7116 comm="syz-executor330" path="/root/syz-executor330334897" > dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 > executing program > executing program > BUG: memory leak > unreferenced object 0xffff88812421fe40 (size 64): > comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s) > hex dump (first 32 bytes): > 01 00 00 00 20 69...

...> udit: type=1400 audit(1559768703.229:36): avc: denied { map } for > pid=7116 comm="syz-executor330" path="/root/syz-executor330334897" > dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 > executing program > executing program > BUG: memory leak > unreferenced object 0xffff88812421fe40 (size 64): > comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s) > hex dump (first 32 bytes): > 01 00 00 00 20 69...

...any operation from now on fails, we need to ask the caller to * restore labels. Which is right after selinux labels are set on VM startup. This is then easy to reproduce with: virsh start kernel1 (sleeps) virsh start kernel2 && virsh destroy kernel2 The shared vmlinuz is reset to user_home_t after kernel2 is shut down, so kernel1 fails to start after the patch's timeout When we detect similar issues with <disk> devices, like when the media already has the expected label, we encode 'relabel=no' in the disk XML, which tells libvirt not to run restorecon on the disks pa...

..._t:s0 tclass=file permissive=1 audit: type=1400 audit(1521377077.866:7): avc: denied { map } for pid=4228 comm="syzkaller050160" path="/root/syzkaller050160487" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 ------------[ cut here ]------------ kernel BUG at drivers/vhost/vhost.c:1655! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 4228 Comm: syzkaller050160 Not tainted 4.16.0-rc5+ #357 Hardware name: Google...