similar to: [PATCH] Add 'setcon', 'getcon' commands to set and get the SELinux context

This is continuing/summarising a rather long discussion that happened on IRC ... We talked to some SELinux experts about what was required to make SELinux work with libguestfs, and it seems reasonably simple to load the policy from the guest filesystem. All that needs to be done is to mount the guest disks up and then run: sh "/usr/sbin/load_policy -i" That command also mounts up

Inspired by something Glauber asked me about today, I made a very simple pair of patches which add a 'virt-rescue' command to libguestfs. This uses the appliance as a "rescue appliance", so people can boot into a disk image and repair it in an unstructured, interactive way. (Specifically, Glauber's question was how to run fsck interactively - with this patch you could do

Hello, This is somehow off-topic, since the problem appears on a modified CentOS-6.2 (turned into a xen-4.1 host) : I get SELinux errors, and I'm not able to understand them. From audit2why : type=AVC msg=audit(1343724164.898:298772): avc: denied { mac_admin } for pid=12399 comm="restore" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

On 07/22/2013 11:12 AM, Daniel P. Berrange wrote: > On Mon, Jul 22, 2013 at 11:08:07AM -0400, Matt Hicks wrote: >> Warning - I'm fairly new to libvirt, lxc and systemd so there is a >> good chance I'm doing something terribly wrong here. However, >> instead of continuing to struggle, I figured I would mail the list >> for some advice. What I'm trying to

Hey CentOS folks! I have an interesting issue with starting a server on a CentOS 6 KVM guest. The server (service) in particular is gotour, which is a web application created by Google and their Golang developers, intended to teach users the basics of using the Go programming langauge. When starting gotour, the program claims to be binding to port 12049, but the VM doesn't seem to be serving

Hi, I wanted just to ask an additional question to that: how then here in the polkit documentation you distinguish users?: Consider a local user berrange who has been granted permission to connect > to libvirt in full read-write mode. > 2018-04-12 11:01 GMT+03:00 Erik Skultety <eskultet@redhat.com>: > On Thu, Mar 22, 2018 at 08:17:15PM +0300, Anastasiya Ruzhanskaya wrote: >

I recently setup my Puppetmaster server to run through Passenger via Apache instead of on the default webrick web server. SELinux made that not work and I've found some documentation on making rules to allow it however mine won't load. This is the policy I found via this website, http://sandcat.nl/~stijn/2012/01/20/selinux-passenger-and-puppet-oh-my/comment-page-1/ . module

Hello everyone, I have a question about logging. I need to find out whether it is possible to see user id/session id inside logs or somewhere else. It is not passed in structured across the network, so where should I look to find out, which user (which session) is currently performing the actions?

Hi: I have been using Dovecot for well over a year now and it has always worked with few problems. The mail setup is not simple... Postfix+MailScanner+ClamAV+Docvecot+MySql+postfix.admin... just to mention the major things. The system is CentOS 5.3 on VMware. The maildir is on an NFS share, index and control is local. About a month ago I thought I upgraded from 1.1.x to 1.2.x. by doing an

Hi, I have encountered problem running virsh as non-root user. I am using eucalyptus software on top of KVM, eucalyptus requires to run virsh as non-root user. I've found that people had similiar issue posted in the list, but I didn't find the solution. I've tried few things. 1) put user eucalyptus in the libvirt group. 2) even changed owner /var/run/libvirt/libvirt-sock to

Warning - I'm fairly new to libvirt, lxc and systemd so there is a good chance I'm doing something terribly wrong here. However, instead of continuing to struggle, I figured I would mail the list for some advice. What I'm trying to accomplish is a libvirt-lxc, systemd-based container running on my system (Fedora 19). I've read that sharing the underlying OS filesystem with

Andreas- On Thu, Apr 3, 2008 at 8:31 AM, Andreas Rogge <a.rogge@solvention.de> wrote: > Do you have SELinux enabled? When starting puppet from init.d with SELinux enabled it runs in xinitrc_t while it should (at least imo) run in unconfined_t. Running in xinitrc_t lead to *really* strange things. Everything way fixed once I deployed a policy that made puppetd run in unconfined_t. >

Hi All, Thanks for the information. But after resetting the semanage User/login, and moving the targeted folder to old one and then install the default target. then also its still showing the Id context as context=*system_u:system_r:unconfined_t:s0-s0:c0.c1023.* *What I observed is after changing the permission using semanage command also, its still showing the system_u:system_r. * *Check the

Hey folks, I have a problem with the definition of a variable of type slist in CFEngine on # uname -a ; cat /etc/redhat-release Linux policyhub.example.com 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux CentOS Linux release 7.4.1708 (Core) I'm not sure if its valid to ask CFEngine questions on this mailing list, but as far as I'm running on

[Moving this to the libguestfs mailing list] On Mon, Jan 13, 2014 at 03:05:14PM -0500, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/13/2014 11:49 AM, Richard W.M. Jones wrote: > > On Mon, Jan 13, 2014 at 10:20:22AM -0500, Daniel J Walsh wrote: > >> Secondly we prevent even unconfined_t from putting down labels on the > >>

Hi folks, I've been googling for an hour on this which seems to be awfully basic. But I cannot find anything definitive. [root at centos-gig ~]# systemctl enable smb.service Failed to execute operation: Access denied [root at centos-gig ~]# setenforce 0 [root at centos-gig ~]# systemctl enable smb.service Failed to execute operation: No such file or directory Have tried things like : chcon

Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled, and audit.log / audit2allow tell me I need to add the local policy: #============= httpd_t ============== allow httpd_t unconfined_t:shm { unix_read unix_write }; which I think will allow the httpd access to read and write from shared memory? Is that right? What are the risks involved in opening this? I notice it is

Hi folks, I've been googling for an hour on this which seems to be awfully basic. But I cannot find anything definitive. [root at centos-gig ~]# systemctl enable smb.service Failed to execute operation: Access denied [root at centos-gig ~]# setenforce 0 [root at centos-gig ~]# systemctl enable smb.service Failed to execute operation: No such file or directory Have tried things like : chcon

With a recent update of CentOS4, su's behavior has changed, in that after prompting for password, also prompts for (selinux?) context. I'm seeing something like: $ su Password: Your default context is root:system_r:unconfined_t. Do you want to choose a different one? [n] kde's kdesu barfs on this second prompt. Any way to disable this second prompt? -- Rex

hi i just installed my system then shutit down. after booting it up i can't login to root so i did a linux rescue with the CD and when i tried to type passwd this error message appear? "user_u:system_r:unconfined_t is not authorized to change the password of root" -- Regards, Mark Quitoriano, CCNA Fan the flame... http://www.spreadfirefox.com/?q=user/register&r=19441