Displaying 20 results from an estimated 7000 matches similar to: "distributing selinux policy module"
2019 Apr 16
4
Time Synchronisation - SELinux Labeling and Policy
hi, i want to set selinux to use with ntpd
but when i run (as described in wiki)
semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"
i have that error
"
usage: semanage [-h]
{import,export,login,user,port,ibpkey,ibendport,interface,module,node,fcontext,boolean,permissive,dontaudit}
...
semanage: error: argument subcommand: invalid choice:
2008 Aug 10
7
SELinux
Hi list,
I've knocked up a contribution on SELinux here:
http://wiki.centos.org/HowTos/SELinux
I've tried to pitch it as an introduction for those not already familiar
with SELinux but also hopefully a useful reference.
I'm relatively new to SELinux and have covered pretty much everything I
know to the limits of my limited knowledge. If folks think other
material needs to be
2011 Jan 17
1
SELinux : semodule_package, magic number does not match
Hello,
I am trying to create a custom policy, but with no success:
$ cat <<EOF> foo.te
module local 1.0;
require {
type httpd_sys_script_exec_t;
type httpd_sys_script_t;
class lnk_file read;
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
EOF
$ checkmodule -M -m -o foo.mod foo.te
checkmodule:
2015 May 09
1
Q: respecting .ssh/id_rsa
On 8 May 2015 20:41, "Conley, Matthew M CTR GXM" <
matthew.m.conley1.ctr at navy.mil> wrote:
>
> chmod 0700 .ssh
> chmod 0600 .ssh/*
>
> Keys can fail if you don't have that setup correctly.
> Also do:
> grep sshd /var/log/audit/audit.log| audit2allow -m sshd
> # Will let you see what modules it will create.
> grep sshd /var/log/audit/audit.log|
2015 Jun 21
2
puppet files denied by SELinux
Hi all,
Thanks for all your suggestions. Here's where I'm at with this.
> Can you give details about your puppetmasterd setup ? it seems that
> you're using Foreman as puppet ENC.
>
Yes, I'm on foreman 1.7.4 and puppet 3.75. You are correct that I'm using
foreman, sorry I hadn't thought to mention it!
> Foreman works fine with selinux enabled : that's what
2015 May 08
2
Q: respecting .ssh/id_rsa
On 5/8/2015 7:22 AM, Valeri Galtsev wrote:
> On Fri, May 8, 2015 8:58 am, James B. Byrne wrote:
>> While attempting to debug something else I ran across this:
>>
>> ssh -vvv somehost
>> . . .
>> debug1: Connection established.
>> debug1: permanently_set_uid: 0/0
>> debug1: identity file /root/.ssh/identity type -1
>> debug1: identity file
2007 May 16
2
selinux-policy-targeted-sources and CentOS 5?
What is the equivalent "selinux-policy-targeted-sources" package in
CentOS 5? It was available in 4.4. Thanks for any help.
--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman
"The system's broke, Hank. The election baby has peed in
the bath water. You got to throw 'em both out."
2015 Jun 20
2
puppet files denied by SELinux
Hey folks,
Ok so I'm having another issue with SELinux. However I think I'm pretty
close to a solution and just need a nudge in the right direction.
I wrote a puppet module that gets systems into bacula backups. Part of the
formula is to distribute key/cert pairs with permissions that allow bacula
to read them so that bacula can talk to the host over TLS. It's pretty
slick, I must
2015 Jun 17
2
selinux allow apache log access
>
> Try something like:
> grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
> semodule -i zabbix.pp
Thanks for your response! However this is what happens when I try to
install the module:
[root at monitor2:~] #semodule -i zabbix.pp
libsepol.print_missing_requirements: zabbix's global requirements were not
met: type/attribute zabbix_t (No such file or directory).
2015 Jun 29
1
puppet files denied by SELinux
I have no idea of the current dependency problem. I think your original
problem was caused by mv'ing files from an nfs share to /etc which
maintained the context. And SELinux prevented puppet from accessing
nfs_t type. If you had just run restorecon on the object it would have
set it back to the correct/default context.
You might want to setup an alias mv "mv -Z"
This changes
2020 Feb 26
3
CentOS 7 : SELinux trouble with Fail2ban
On Feb 26, 2020, at 08:52, Nicolas Kovacs <info at microlinux.fr> wrote:
>
>> On 26/02/2020 at 11:51, Nicolas Kovacs wrote:
>> SELinux is preventing /usr/bin/python2.7 from read access on the file disable.
>> ***** Plugin catchall (100. confidence) suggests *****
>> If you believe that python2.7 should be allowed read access on the disable file by default.
2020 Feb 26
5
CentOS 7 : SELinux trouble with Fail2ban
Hi,
Some time ago I had SELinux problems with Fail2ban. One of the users on this
list suggested that it might be due to the fact that I'm using a bone-headed
iptables script instead of FirewallD.
I've spent the past few weeks getting up to date with doing things in a more
orthodox manner. So currently my internet-facing CentOS server has a nicely
configured NetworkManager, and
2007 Dec 10
1
SELinux and Perl script using sendmail
I have a webpage feedback form that uses a Perl script to
send e-mails with "| /usr/sbin/sendmail -t". It works
just fine, but SELinux is complaining about it:
SELinux is preventing /usr/sbin/postdrop (postfix_postdrop_t)
"getattr" to pipe:[41117] (httpd_t)
I'm a SELinux newb so I don't know what (if anything) to do
about it. Suggestions?
Miark
2015 Jun 16
2
selinux allow apache log access
Hey guys,
I have a centos 7 machine I'm using as a zabbix server. And I noticed that
apache won't start, with this complaint in the error log:
(13)Permission denied: AH00091: httpd: could not open error log file
/var/log/zabbix_error_log.
AH00015: Unable to open logs
I tried having a look at audit2allow and this is the response I get back:
[root at monitor2:/etc/httpd] #grep http
2015 Jun 17
2
selinux allow apache log access
>
> That's because there's already a zabbix module loaded (the message isn't
> very informative!). I forgot that the received wisdom is to insert "my" in
> front of one's own modules i.e.:
> grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
> semodule -i myzabbix.pp
Hmm no luck there either:
[root at monitor2:~] #semodule -i myzabbix.pp
2017 Oct 03
2
Please criticize my smb.conf
On 10/03/2017 05:33 AM, Rowland Penny via samba wrote:
> Sorry if some of these sound like teaching your grandmother to suck
> eggs, but it is better to say them than not;-)
>
> Rowland
Hi Rowland,
I appreciate the help! You did exactly what I
ask for, which was to let it rip.
I will have to read over slowly several times. Be nice
to disable winbind too.
My ego
2015 Jun 17
1
selinux allow apache log access
On 06/17/2015 04:03 PM, Jonathan Billings wrote:
> On Wed, Jun 17, 2015 at 03:30:51PM -0400, Tim Dunphy wrote:
>> No prob! Thanks for all the help! But in searching my system I don't find
>> anything of the sort.
>>
>> [root at monitor2:~] #updatedb
>> [root at monitor2:~] #locate myzabbix.te
>> [root at monitor2:~] #find / -name "myzabbix.*"
2010 Jul 23
1
postgresql copy to and selinux
I need to run a "copy table to '/home/user/dir/copy.txt';" but I get
permission denied. Filesystem dir modes are ok and I get no event
logged in audit.log, but if I setenforce 0, I can do the copy. This
explains auditd silence:
# sesearch --audit |egrep postgres.*home
dontaudit postgresql_t user_home_dir_t : dir { getattr search };
dontaudit postgresql_t home_root_t : dir
2018 Mar 09
3
SELinux breaks Squid's ssl_crtd helper
Hi,
I've setup a transparent HTTP+HTTPS proxy on my server running CentOS 7,
using Squid. Here's my configuration file.
--8<----------------------------------------------------------------
# /etc/squid/squid.conf
# Definitions
acl localnet src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port
2013 Sep 17
1
Samba4: Can't create shares outside sysvol and netlogon
Hi,
I am trying to create shares for my users in our new Samba4 domain, but
with no luck so far.
My current /etc/samba/smb.conf looks like this:
[global]
workgroup = ADLS
realm = ADLS.EXAMPLE.COM
netbios name = CASTOR
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes