search for: usr_t

Hi, I've done the following: - Copy usr content with rsync to another partition: rsync -av --partial --progress /usr/ /mnt Then, unmounted, added to fstab a line for /usr, then deleted /usr/* (not the directory itself). But I've found that is bad labeled: ls -Z /usr unconfined_u:object_r:unlabeled_t:s0 bin unconfined_u:object_r:unlabeled_t:s0 local unconfined_u:object_r:unlabeled_t:s0

...under KVM today and I've been getting a slew of message > that selinux is blocking virtmanager from reading the new image. This > doesn't seem to be doing any harm, but I wanted to check whether I should > simply run chcon on the image (if I can). > > Virtmanager show up as usr_t, as do my other vm images, but the new one is > svirt_image_t. > > The selinux error says it denied a read access to virtmanager but that it > is not expected that the access is required. > > I tried running restorecon as root, as suggested by the selinux error, but > I'm g...

...t,rawsox_exec_t,rawsox_t) ######################################## # Rawsox local policy # these two didn't help #corenet_raw_sendrecv_all_if( rawsox_t ); #corenet_raw_sendrecv_all_nodes( rawsox_t ); require { type lib_t; type ld_so_t; type ld_so_cache_t; type usr_t; type devpts_t; type rawsox_t; type etc_t; class lnk_file read; class dir search; class file { read getattr execute }; class chr_file { read write getattr }; class rawip_socket create; class capability net_raw; } #============= rawso...

...; > > #============= clamscan_t ============== > allow clamscan_t amavis_spool_t:dir read; In the latest rhel6 policies amavas_t and clamscan_t have been merged into antivirus_t? Is you selinux-policy up 2 date? > #============= logwatch_mail_t ============== > allow logwatch_mail_t usr_t:lnk_file read; > > #============= postfix_master_t ============== > allow postfix_master_t tmp_t:dir read; > > #============= postfix_postdrop_t ============== > allow postfix_postdrop_t tmp_t:dir read; > > #============= postfix_showq_t ============== > allow postfix_sho...

...Linux audit logs: type=AVC msg=audit(1223133076.770:102): avc: denied { execmod } for pid=3878 comm="beam.smp" path="/opt/ejabberd-2.0.2_2/lib/crypto-1.5.2/priv/linux-x86/lib/crypto_drv.so" dev=dm-0 ino=26738869 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file What do I need to do, for selinux to allow this? (Or should I take this question to an SELinux list?) FWIW, ejabberd seems to run fine while selinux is enabled. Its just when starting up, that it needs selinux to stay out of the way.

I built a new VM under KVM today and I've been getting a slew of message that selinux is blocking virtmanager from reading the new image. This doesn't seem to be doing any harm, but I wanted to check whether I should simply run chcon on the image (if I can). Virtmanager show up as usr_t, as do my other vm images, but the new one is svirt_image_t. The selinux error says it denied a read access to virtmanager but that it is not expected that the access is required. I tried running restorecon as root, as suggested by the selinux error, but I'm getting a permission-denied error...

...of a nfs directory. I'm specifying the security context as part of the mount command, yet the security context still shows nfs. The mount shows what the security context should be: [root at clienthost ~]# mount serverhost:/usr/local on /usr/local type nfs4 (rw,context="system_u:object_r:usr_t:s0",hard,intr,addr=serverhost,clientaddr=clienthost) yet the directory permissions show the security context of nfs: [root at clienthost ~]# ls -dZ /usr/local drwxr-xr-x. root root system_u:object_r:nfs_t:s0 /usr/local My /etc/fstab entry is: serverhost:/usr/local /usr/local nfs...

...t of the list.... [root@ local]# semanage fcontext -l | grep netdot ./netdot(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0 ... but does not appear on the directory itself: [root@ local]# ls -ldZ netdot/ drwxr-xr-x. root root unconfined_u:object_r:*usr_t*:s0 netdot/ I am expecting to see something like: drwxr-xr-x. root root unconfined_u:object_r:*httpd_sys_rw_content_t*:s0 netdot/ What am I doing wrong or do not understand? Thanks,

...Dynamics. But even after doing that the SELinux errors in the output of systemctl status httpd are still happening. And if I take a look at the SELinux permissions on that directory, this is what I have: [root at web1:~] #ls -lZ /opt/ | grep -i appd drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 AppDynamics [root at web1:~] #ls -lZ /opt/AppDynamics/ drwxrwxr-x. apache apache unconfined_u:object_r:usr_t:s0 appdynamics-php-agent drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 var Anyone have any ideas on how I can beat this problem? Thanks!! Tim On Mon, May 11, 2015 at 3:...

I am seeing these avc messages on a newly commissioned and up-to-date CentOs-6 virtual guest: ---- time->Thu Dec 4 12:14:58 2014 type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2 success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698 pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2784 comm="trivial-rewrite"

...al policy >> >> # these two didn't help >> #corenet_raw_sendrecv_all_if( rawsox_t ); >> #corenet_raw_sendrecv_all_nodes( rawsox_t ); >> >> require { >> type lib_t; >> type ld_so_t; >> type ld_so_cache_t; >> type usr_t; >> type devpts_t; >> type rawsox_t; >> type etc_t; >> class lnk_file read; >> class dir search; >> class file { read getattr execute }; >> class chr_file { read write getattr }; >> class rawip_socket cr...

...type postfix_local_t; type postfix_master_t; type postfix_postdrop_t; type postfix_postqueue_exec_t; type postfix_public_t; type postfix_pipe_t; type sendmail_t; type sendmail_exec_t; type src_t; type tmp_t; type usr_t; type user_home_dir_t; type user_home_t; type var_log_t; class capability { sys_nice chown }; class file { append create execute execute_no_trans \ getattr ioctl link lock read rename setattr write unlink }; class dir { add_name getattr crea...

> > If rpm is configured for _that_ location of log files, I would remove the > repository this rpm comes from from configuration and will remember to > never-never ever use that repository for anything. > > Just my $0.02 > Yeah I completely get where you're coming from there. However it's not an RPM from a repo. I downloaded the rpm from the appdynamics site itself.

...udit/audit.log | audit2allow #============= amavis_t ============== allow amavis_t shell_exec_t:file execute; allow amavis_t sysfs_t:dir search; #============= clamscan_t ============== allow clamscan_t amavis_spool_t:dir read; #============= logwatch_mail_t ============== allow logwatch_mail_t usr_t:lnk_file read; #============= postfix_master_t ============== allow postfix_master_t tmp_t:dir read; #============= postfix_postdrop_t ============== allow postfix_postdrop_t tmp_t:dir read; #============= postfix_showq_t ============== allow postfix_showq_t tmp_t:dir read; #============= postf...

...no unapplied fixes for software provided through the official CentOS-6 repositories. Does this change apply only to 7 or has it been backported? Both amavisd-new and clamav are provided via the epel repository. >> #============= logwatch_mail_t ============== >> allow logwatch_mail_t usr_t:lnk_file read; >> >> #============= postfix_master_t ============== >> allow postfix_master_t tmp_t:dir read; >> >> #============= postfix_postdrop_t ============== >> allow postfix_postdrop_t tmp_t:dir read; >> >> #============= postfix_showq_t =====...

...raproject.org/mailman/listinfo/selinux SELinux on RHEL5 did not have a MLS field in the label, so the directory can not be used by both rhel5 and RHEL6 easily. If all of the content on the device is going to be labeled the same, then just use a context mount option context="system_u:object_r:usr_t:s0" for example.

...ried /.autorelabel and > rebooted, and we still get a ton of errors: Jun 1 17:01:32 <server> kernel: > inode_doinit_with_dentry: > context_to_sid(unconfined_u:object_r:file_t:s0) returned 22 for dev=sdd1 ino=2151541032 Dan's recommendation to add context="system_u:object_r:usr_t:s0" to the mount options in fastab does indeed seem to have solve the problem. Thanks muchly, Dan. mark

...s had the right selinux security context, but the root of the disk holding those home directories (/branch is a separate disk drive) had a security context (system_u:object_r:mnt_t) that Fedora's selinux rules for dovecot did not allow. I changed the context of /branch to system_u:object_r:usr_t, and dovecot POP3 access worked for all users.

...mm="suexec" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t tclass=netlink_route_socket avc: denied { read } for pid=17995 comm="suexec" name="cert.pem" dev=dm-0 ino=520402 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t tclass=lnk_file %-------------------------- This is independent of the script being perl or sh, and despite the errors the cgi executes correctly. 'sestatus' reports: httpd_builtin_scripting active httpd_disable_trans inactive httpd_enable_cgi active httpd_enable_homedirs in...

Tried just the selinux list yesterday, no answers, so I'm trying again. I partitioned GPT, and formatted, as xfs, a large (3TB) drive on a CentOS 6 system, which has selinux in permissive mode. I then moved the drive to a CentOS 5 system. When we run a copy (it mirror-copies from another system), we get a ton of errors. I discovered that the CentOS 5 system was enforcing. I changed it to