Displaying 20 results from an estimated 3000 matches similar to: "SEmodule dependency hell."
2015 Apr 01
1
SEmodule dependency hell.
I want you all to see what I went through trying to simply reassign
(unsuccessfully) the context of a well-known port.
To the best of my ability to recall none of the packages mentioned
below are even installed on the host in question. Why are these
dependencies preventing me from removing a disused SELinux policy?
I have done exactly that, reassign port contexts, in the past without
encountering
2015 Apr 02
0
SEmodule dependency hell.
File a bug!!!
On 2 April 2015 at 16:20, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>
> On Wed, April 1, 2015 16:09, Andrew Holway wrote:
> > I used the command: semanage port -m -t http_port_t -p tcp 8000
> > to relabel a port. perhaps you could try:
> > "semanage port -m -t unconfined_t -p tcp 8000"
> > Failing that; would it work to run your
2018 Sep 09
1
Type enforcement / mechanism not clear
On 09/09/2018 07:19 AM, Daniel Walsh wrote:
> sesearch -A -s httpd_t -t system_conf_t -p read
>
> If you feel that these files should not be part of the base_ro_files
> then we should open that for discussion.
I think the question was how users would know that the policy allowed
access, as he was printing rules affecting httpd_t's file read access,
and looking for
2017 Sep 29
1
[Fwd: Re: [HEADS UP] Default value of SELinux boolean httpd_graceful_shutdown will changed.]
---------------------------- Original Message ----------------------------
Subject: Re: [HEADS UP] Default value of SELinux boolean
httpd_graceful_shutdown will changed.
From: "Lukas Vrabec" <lvrabec at redhat.com>
Date: Fri, September 29, 2017 10:26
To: devel at lists.fedoraproject.org
"Selinux List at Fedora Project" <selinux at
2019 Feb 19
3
elasticsearch connection refused
On Tue, 2019-02-19 at 14:17 +0000, Laack, Andrea P wrote:
> Selinux will not allow connections on other than default http ports.
>
> semanage port -m -t http_port_t -p tcp 9200
It's not a web server port - elasticsearch is a database.
P.
2017 Sep 04
5
selinux denial of cgi script with httpd using ssl
Thanks for your help.
I did pick up an additional entry in the audit file :
type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for
pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
ino=537182029 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
Unfortunately, I am not sure how the
2012 Feb 16
3
Baffled by selinux
Apache DocumentRoot on an NFS directory:
[root at localhost ~]# service httpd start
Starting httpd: Warning: DocumentRoot [/home/www/html] does not exist
Syntax error on line 292 of /etc/httpd/conf/httpd.conf:
DocumentRoot must be a directory
[FAILED]
[root at localhost ~]#
After some research, I found this (dated) link
2011 Jun 02
2
How to set selinux policy "allow httpd_t unconfined_t:shm { unix_read unix_write }; " using an seboolean? (How to get a new seboolean?)
Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled,
and audit.log / audit2allow tell me I need to add the local policy:
#============= httpd_t ==============
allow httpd_t unconfined_t:shm { unix_read unix_write };
which I think will allow the httpd access to read and write from shared memory?
Is that right? What are the risks involved in opening this? I notice it is
2019 Feb 19
3
elasticsearch connection refused
On 19.02.2019 at 13:55, Ionut Hoza wrote:
> Hi Ralf,
>
> You should check your firewall configuration ... most probably you need to
> allow port 9200.
> Also check if elasticsearch service is listening on all interfaces or just
> localhost (127.0.0.1).
Hello,
the firewall is disabled.
I tried several variations in the config-file.
0.0.0.0
192.168.242.4
Only 127.0.0.1 is
2009 Oct 04
2
deliver stopped working
Hi:
I have been using Dovecot for well over a year now and it has always worked with few
problems. The mail setup is not simple...
Postfix+MailScanner+ClamAV+Dovecot+MySql+postfix.admin... just to mention the major
things. The system is CentOS 5.3 on VMware. The maildir is on an NFS share, index and
control is local.
About a month ago I thought I upgraded from 1.1.x to 1.2.x. by doing an
2015 Mar 05
1
SELinux kills Cassandra based website
Hi Jeremy,
An easy way to start troubleshooting these is to look at the audit logs and
> see what SELinux is blocking. You have /McFrazier in the email.. if that's
> off the root tree than unless you've set permissions to allow httpd to look
> at that folder, I bet that's one problem.
> if you run ls -Z you can see the labels that are present on those folders,
> that
2014 Jan 13
1
Re: Livecd-creator is disabling selinux
[Moving this to the libguestfs mailing list]
On Mon, Jan 13, 2014 at 03:05:14PM -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/13/2014 11:49 AM, Richard W.M. Jones wrote:
> > On Mon, Jan 13, 2014 at 10:20:22AM -0500, Daniel J Walsh wrote:
> >> Secondly we prevent even unconfined_t from putting down labels on the
> >>
2015 Apr 01
0
SELinux on CentOS-6.6
I wish to reuse ports 80 and 443 for a different service. When I try
to assign the port context for that service I get this:
/usr/sbin/semanage: Port tcp/80 already defined
When I try to delete the assigned context then I get this:
semanage port -d -t http_port_t -p tcp 80
/usr/sbin/semanage: Port tcp/80 is defined in policy, cannot be deleted
httpd is not installed on this host. But looking
2005 Nov 15
2
SELinux on CentOS4
I regret the delay in replying to this topic but I am a digest
subscriber so I only see list traffic once every 24 hours.
When I moved from RHES3 to CentOS4 back in April/May of this year I
was bitten by the SELinux gnat as well, and the temptation to swat
a distracting irritation by killing it in its bed nearly proved
irresistible. However, taking to heart the advice given to me here
and
2017 Sep 23
2
more selinux problems ...
Hi,
how do I allow lighttpd access to a directory like this:
dr-xrwxr-x. lighttpd example unconfined_u:object_r:samba_share_t:s0 files_articles
I tried to create and install a selinux module, and it didn't work.
The non-working module can not be removed, either:
semodule -r lighttpd-files_articles.pp
libsemanage.semanage_direct_remove_key: Unable to remove module lighttpd-files_articles.pp at
2015 Mar 05
2
SELinux kills Cassandra based website
Hey all,
There's a website I help run that uses the Cassandra DB as its database. I
notice that if I run the web server in SELinux permissive mode, the site
works fine. But if I put it into enforcing mode, the site goes down with
this error:
Warning: require_once(/McFrazier/PhpBinaryCql/CqlClient.php): failed to
open stream: Permission denied in
2015 Jun 16
2
selinux allow apache log access
Hey guys,
I have a centos 7 machine I'm using as a zabbix server. And I noticed that
apache won't start, with this complaint in the error log:
(13)Permission denied: AH00091: httpd: could not open error log file
/var/log/zabbix_error_log.
AH00015: Unable to open logs
I tried having a look at audit2allow and this is the response I get back:
[root at monitor2:/etc/httpd] #grep http
2019 Jan 18
1
SElinux AVC signull
Hi Leon,
I don't have access to a CentOS 6.10 system handy, but it looks like a
policy issue. If I take your ausearch output and pipe it to
audit2allow on my CentOS 7.6 system, I get the following:
#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t httpd_sys_script_t:process signull;
Noting that on my 7.6 system with selinux enforcing
2018 Mar 20
2
selinux: how to allow access?
On Tue, 20 Mar 2018 13:07:12 +0100
hw <hw at gc-24.de> wrote:
...
> So what do you really gain from selinux, and is that worthwhile all
> the trouble and the hours spent to fix the problems it creates? What
> about the impact on performance?
The main feature is that lots of software is indeed confined (even
though your normal login or desktop remains unconfined).
This is exactly
2015 Feb 10
2
SELinux context for ssh host keys?
On Tue, February 10, 2015 04:18, Andrew Holway wrote:
> On 10 February 2015 at 06:32, Mark Tinberg <mark.tinberg at wisc.edu>
> wrote:
>
>>
>> > On Feb 9, 2015, at 12:27 PM, Robert Nichols
>> <rnicholsNOSPAM at comcast.net>
>> wrote:
>> >
>> > On 02/09/2015 11:14 AM, James B. Byrne wrote:
>> >> So, I decided to run