Displaying 20 results from an estimated 10000 matches similar to: "selinux on/off percentage"
2011 Aug 10
3
selinux prohibiting sssd usage
I've got a CentOS 6 machine that's slated to go into production
providing some web and development-repository services.
Part of the environment is gitweb, which works as expected with one
glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who
owns the repositories.
The audit log entries are pretty straightforward, e.g.,
type=AVC msg=audit(XXXXXXXXXXXX): avc:
2017 Dec 24
3
virt-copy-in - how do I get the selinux relabeling done for the file?
I'm copying a file into a VM using virt-copy-in - which is great, but the
file is wrongly labeled.
How can I fix that?
TIA,
Y.
2018 Jan 31
1
[PATCH] customize: allow missing SELINUXTYPE in SELinux config
libselinux defaults to "targeted" when no SELINUXTYPE is specified in
/etc/config/selinux. Hence do the same here, instead of failing because
of the missing key.
Add a slow test for checking SELinux relabeling on a Fedora 27 guest,
both with no changes, and with a modified configuration.
---
customize/Makefile.am | 2 ++
customize/SELinux_relabel.ml | 14 ++++++++++--
2014 Dec 17
4
selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?
Hi,
On an internal webserver (latest C6) I want smb-access to /var/www/html/
In april I did
chcon -R -t public_content_rw_t /var/www/html/
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1
echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts
After the latest round
2015 Jun 20
2
puppet files denied by SELinux
Hey folks,
Ok so I'm having another issue with SELinux. However I think I'm pretty
close to a solution and just need a nudge in the right direction.
I wrote a puppet module that gets systems into bacula backups. Part of the
formula is to distribute key/cert pairs with permissions that allow bacula
to read them so that bacula can talk to the host over TLS. It's pretty
slick, I must
2017 Dec 24
2
Re: virt-copy-in - how do I get the selinux relabeling done for the file?
On Sun, Dec 24, 2017 at 3:49 PM, Richard W.M. Jones <rjones@redhat.com>
wrote:
> On Sun, Dec 24, 2017 at 02:15:44PM +0200, Yaniv Kaul wrote:
> > I'm copying a file into a VM using virt-copy-in - which is great, but the
> > file is wrongly labeled.
> > How can I fix that?
>
> Hi Yaniv,
>
> The easiest thing is to run this after doing the virt-copy-in:
2016 Apr 12
3
selinux getsebool request
Out of faint curiosity, how do we push change requests upstream to RHEL?
I'm using puppet to automate systems, including the application of
SELinux policy. While setsebool -P is non-damaging to repeat, it is time
consuming -- taking about 45 seconds per execution to process the
existing policy and re-commit to disk.
I'd like a simple ability to put an unless in the execution of
2014 May 27
3
Re: [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
On Tuesday 27 May 2014 09:08:27 Richard W.M. Jones wrote:
> On Mon, May 26, 2014 at 11:21:59AM +0200, Pino Toscano wrote:
> > Rewrite the relabel API to read the policy configured in the guest,
> > invoking setfiles (added as part of the appliance, as part of
> > policycoreutils) to relabel the specified root. In case of failure
> > at
> > any point of the process,
2008 Jun 03
1
SELinux and samba/winbind w/ADS on RHEL 4.6
SELinux appears to be interfering with winbind's functionality.
I have the latest policy package installed:
selinux-policy-targeted-1.17.30-2.149
which allegedly solves this problem according to the RedHat knowledge
base, but clearly does not. I have to turn off SELinux by using
setenforce 0 (permissive) to get winbind to work at all, and based on
what I see in the log files,
2015 May 25
2
"selinux --disabled" in kickstart file does NOT disable SELINUX
Has the "selinux --disabled" line for kickstart files been depreciated?
My CentOS 6.6 kickstart file contains the line:
selinux --disabled
After the install completes, SELinux is enabled instead of disabled.
/etc/selinux/config contains "SELINUX=enforcing" instead of "SELINUX=disabled".
Thanks,
Charlie
2017 Sep 29
1
[Fwd: Re: [HEADS UP] Default value of SELinux boolean httpd_graceful_shutdown will changed.]
---------------------------- Original Message ----------------------------
Subject: Re: [HEADS UP] Default value of SELinux boolean
httpd_graceful_shutdown will changed.
From: "Lukas Vrabec" <lvrabec at redhat.com>
Date: Fri, September 29, 2017 10:26
To: devel at lists.fedoraproject.org
"Selinux List at Fedora Project" <selinux at
2015 Mar 02
4
selinux allow FTP
2015-03-03 0:43 GMT+02:00 Tim Dunphy <bluethundr at gmail.com>:
> >
> > errr, I meant, sftp, not rscp
>
>
> Heh.. yeah. But the client isn't gonna go for that. LOL. Any way to allow
> regular ol' FTP using SELinux? Or does that just defeat the purpose of
> having a secure SELinux server entirely?
>
FTP is not safe as it does not encrypt username(s)
2014 May 24
9
SELinux relabel API
[
I realized that we were discussing adding this feature, in various
private email, IRC, and this long bugzilla thread:
https://bugzilla.redhat.com/show_bug.cgi?id=1060423
That's not how we should do things. Let's discuss it on the
mailing list.
]
One thing that virt-customize/virt-sysprep/virt-builder have to do is
relabel SELinux guests.
What we do at the moment
2015 May 26
2
"selinux --disabled" in kickstart file does NOT disable SELINUX
To set selinux to permissive or disabled mode during a kickstart
installation, add the sed -i -e 's/\(^SELINUX=\).*$/\1permissive/'
/etc/selinux/config command to the %post section of the kickstart file.
Making sure to replace "permissive" with the required selinux mode.
-- https://bugzilla.redhat.com/show_bug.cgi?id=435300
On 26 May 2015 at 04:40, Rob Kampen <rkampen at
2016 Apr 12
3
selinux getsebool request
On 04/12/2016 02:31 PM, James Hogarth wrote:
> For example:
>
> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on
> &> /dev/null"
D'oh! That's what I get for overcomplicating the whole darn thing. :)
>
> Incidentally one nice trick if you're dealing with potentially changing
> multiple booleans and the policy compile
2008 Jul 24
1
selinux & httpd & portmap
Having problems starting httpd & portmapper
#service httpd start
/usr/sbin/httpd: error while loading shared libraries: libm.so.6: cannot
open shared object file: No such file or directory
and I traced it to selinux, which I had just turned on for the first time:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode:
2017 Mar 20
2
[PATCH] daemon: selinux: Add setfiles -vv flags when verbose.
This shows which files are being relabelled. Also only use -q
(suppress non-error output) when we are not verbose.
---
daemon/selinux-relabel.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c
index 2f48ee6..e7da42d 100644
--- a/daemon/selinux-relabel.c
+++ b/daemon/selinux-relabel.c
@@ -112,8 +112,11 @@
2017 Jan 19
3
SELinux upgrade
Hello All
After recent system upgrade (this night) I lost access to two servers
through SSH, because of change in SELinux policy - I have ssh there on
different port and now it's gone.
Thanks to puppet i was able to change SSH port back to default and log
in, but is this expected behavior? I thought minor upgrade shouldn't
break up things?
Or maybe "semanage port -a -t ssh_port_t
2015 May 26
3
"selinux --disabled" in kickstart file does NOT disable SELINUX
Which manual?
This could actually be the root of the issue.
https://bugs.centos.org/view.php?id=7910
On 26 May 2015 at 07:56, Jeremy Hoel <jthoel at gmail.com> wrote:
> If the decision was made around the 4.8 time period to not fix the problem,
> why in v6 is it still listed in the manual as being a valid option?
>
> On Mon, May 25, 2015 at 11:49 PM, Andrew Holway
2015 Jan 23
2
How to prevent root from managing/disabling SELinux
At work I'm used to tools like eTrust Access Control (aka SEOS). eTrust
takes away the ability to manage the eTrust config from root and puts it
in the hands of "security admin". So there's a good separation of duties;
security admin control the security ruleset, but are limited by the OS
permissions (so even if they granted themselves permission to modify
/etc/shadow, the