Displaying 11 results from an estimated 11 matches for "var_run_t".

2020 Apr 03
2
Samba 4.12 SELinux context /var/run
Hi, since 4.12 Samba SELinux context for /var/run/samba is not correct anymore: ``` root at files:~ # ls -la -Z /var/run/samba/ total 12 drwxr-xr-x. 5 root root system_u:object_r:var_run_t:s0 160 Apr 3 20:42 . drwxr-xr-x. 30 root root system_u:object_r:var_run_t:s0 1000 Apr 3 18:39 .. drwxr-xr-x. 3 root root system_u:object_r:var_run_t:s0 60 Apr 3 18:39 ncalrpc drwxr-xr-x. 2 root root system_u:object_r:var_run_t:s0 60 Apr 3 18:39 nmbd -rw-r--r--. 1 root root system_u:...
2020 Apr 04
1
Samba 4.12 SELinux context /var/run
...On 03/04/2020 20:34, Tobias Kirchhofer via samba wrote: >> Hi, since 4.12 Samba SELinux context for /var/run/samba is not >> correct anymore: >> >> ``` >> root at files:~ # ls -la -Z /var/run/samba/ >> total 12 >> drwxr-xr-x. 5 root root system_u:object_r:var_run_t:s0 160 Apr 3 >> 20:42 . >> drwxr-xr-x. 30 root root system_u:object_r:var_run_t:s0 1000 Apr 3 >> 18:39 .. >> drwxr-xr-x. 3 root root system_u:object_r:var_run_t:s0 60 Apr 3 >> 18:39 ncalrpc >> drwxr-xr-x. 2 root root system_u:object_r:var_run_t:s0 60 Ap...
2015 Jun 30
6
RPC server not available when windows client attempts to join samba AD
I am installing a new Samba 4.2 Active Directory server on CentOS 7. I followed the Wiki instructions on how to create the server. I am using sernet-samba 4.2 binaries. Everything seems to be OK on the Linux side but I cannot get any windows client to successfully join the domain. Each attempt returns the following error message "RPC Server in not available". Below are the config file
2012 Apr 24
0
About audit2allow generated rules
Hi, I have something in /var/log/audit/audit.log like: avc: denied { write } for pid=23739 comm="httpd" name="renderd.sock" dev=dm-0 ino=1183752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file. Using audit2allow, it generates something like this: allow httpd_t var_run_t:sock_file write; Is the rule too liberal? Does that mean httpd_t can write any var_run_t sock_file? Or do I misunderstand something? Should it only allow httpd_t to write this specific render.sock...
2012 Oct 22
1
SELinux AVC problem postfix <-> dspam
Hi, I guess this is a bit OT but perhaps someone has encountered this issue before. On a CentOS 6.3 x86_64 box I have installed postfix and dspam from EPEL. Dspam is configured to listen on port 10026. After having configured dspam and postfix I start dspam and then postfix and I see the following AVC message in audit.log: type=AVC msg=audit(1350920492.936:400): avc: denied { name_bind }
2009 Oct 04
2
deliver stopped working
...llowing policy to get rid of all of the errors in the audit log: module local_postfix 1.0; require { type postfix_etc_t; type home_root_t; type apmd_t; type setrans_t; type port_t; type etc_mail_t; type snmpd_t; type tmp_t; type dovecot_deliver_t; type postfix_smtp_t; type nfs_t; type var_run_t; type usr_t; type httpd_t; type audisp_t; type postfix_cleanup_t; type inetd_t; type portmap_t; type postfix_pickup_t; type hald_t; type getty_t; type avahi_t; type etc_t; type sysctl_kernel_t; type unconfined_t; type init_t; type auditd_t; type lib_t; type dovecot_auth_t; type sy...
2009 Feb 06
1
...apply partial context to unlabeled file /var/run/puppet ; change from absent to object_r failed: Execution of '/usr/bin/chcon -h -r object_r /var/run/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/run/puppet ; change from absent to var_run_t failed: Execution of '/usr/bin/chcon -h -t var_run_t /var/run/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/run/puppet ; change from absent to s0 failed: Execution of '/usr/bin/chcon -h -l s0 /var/run/puppet' retu...
2012 Jun 15
1
Puppet + Passenger SELinux issues
...ype semanage_t; type init_t; type system_cronjob_t; type mysqld_t; type syslogd_t; type apmd_t; type initrc_t; type postfix_local_t; type puppet_etc_t; type setfiles_t; type rpm_t; type unlabeled_t; type var_run_t; type kernel_t; type puppet_var_run_t; type puppet_var_lib_t; type auditd_t; type httpd_t; type rpm_var_lib_t; type postfix_cleanup_t; type postfix_master_t; type inetd_t; type udev_t; type mysqld_safe_t;...
2015 Oct 09
2
CentOS-6 SSHD chroot SELinux problem
...============= chroot_user_t ============== allow chroot_user_t cyphesis_port_t:tcp_socket name_connect; allow chroot_user_t user_home_t:chr_file open; #============= syslogd_t ============== #!!!! The source type 'syslogd_t' can write to a 'dir' of the following types: # var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t allow syslogd_t user_home_t:dir write; My questions are: Do SE booleans settings exist that permit chrooted ssh acc...
2005 Jan 18
2
auth samba+squid+ntlm
...ror from log when a user runs its web browser and asks for a user/password: Jan 18 12:12:16 brain kernel: audit(1106071936.271:0): avc: denied { getattr } for pid=17126 exe=/usr/bin/ntlm_auth path=/var/run/winbindd/pipe dev=hda7 ino=108681 scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t tclass=sock_file these are the permissions on the /var/cache/samba: -rw------- 1 root root 8192 ene 13 00:02 account_policy.tdb -rw-r--r-- 1 root root 8192 ene 17 08:52 brlock.tdb -rw-r--r-- 1 root root 695 ene 18 12:13 browse.dat -rw-r--r-- 1 root root 16384 ene 14 08:00 connections.td...
2016 Feb 29
0
Odd selinux complaints on new, fully updated CentOS 7
...e) suggests ******************* If you want to allow systemd-readahe to have add_name access on the .readahead.new directory Then you need to change the label on .readahead.new Do # semanage fcontext -a -t FILE_TYPE '.readahead.new' where FILE_TYPE is one of the following: device_t, init_var_run_t, readahead_var_lib_t, readahead_var_run_t, root_t, var_run_t. Then execute: restorecon -v '.readahead.new' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that systemd-readahe should be allowed add_name access on the .readahead.new directory...