similar to: SEmodule dependency hell.

I want you all to see what I went through trying to simply reassign (unsuccessfully) the context of a well-known port. To the best of my ability to recall none of the packages mentioned below are even installed on the host in question. Why are these dependices preventing me from removing a disused SELinux policy. I have done exactly that, reassign port contexts, in the past without encountering

File a bug!!! On 2 April 2015 at 16:20, James B. Byrne <byrnejb at harte-lyne.ca> wrote: > > On Wed, April 1, 2015 16:09, Andrew Holway wrote: > > I used the command: semanage port -m -t http_port_t -p tcp 8000 > > to relabel a port. perhaps you could try: > > "semanage port -m -t unconfined_t -p tcp 8000" > > Failing that; would it work to run your

On 09/09/2018 07:19 AM, Daniel Walsh wrote: > sesearch -A -s httpd_t -t system_conf_t -p read > > If you feel that these files should not be part of the base_ro_files > then we should open that for discussion. I think the question was how users would know that the policy allowed access, as he was printing rules affecting httpd_t's file read access, and looking for

---------------------------- Original Message ---------------------------- Subject: Re: [HEADS UP] Default value of SELinux boolean httpd_graceful_shutdown will changed. From: "Lukas Vrabec" <lvrabec at redhat.com> Date: Fri, September 29, 2017 10:26 To: devel at lists.fedoraproject.org "Selinux List at Fedora Project" <selinux at

On Tue, 2019-02-19 at 14:17 +0000, Laack, Andrea P wrote: > Selinux will not allow connections on other than default http ports. > > semanage port -m -t http_port_t -p tcp 9200 It's not a web server port - elasticsearch is a database. P.

Thanks for your help. I did pick up an additional entry in the audit file : type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" ino=537182029 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file Unfortunately, I am not sure how the

Apache DocumentRoot on an NFS directory: [root at localhost ~]# service httpd start Starting httpd: Warning: DocumentRoot [/home/www/html] does not exist Syntax error on line 292 of /etc/httpd/conf/httpd.conf: DocumentRoot must be a directory [FAILED] [root at localhost ~]# After some research, I found this (dated) link

Hi. I'm trying to get OTRS running on CentOS 5.5 with SELinux enabled, and audit.log / audit2allow tell me I need to add the local policy: #============= httpd_t ============== allow httpd_t unconfined_t:shm { unix_read unix_write }; which I think will allow the httpd access to read and write from shared memory? Is that right? What are the risks involved in opening this? I notice it is

Am 19.02.2019 um 13:55 schrieb Ionut Hoza: > Hi Ralf, > > You should check you firewall configuration ... most probably you need to > allow port 9200. > Also check if elasticsearch service is listening on all interfaces or just > localhost (127.0.0.1). Hallo, the firewall is disabled. I tried several variations in the config-file. 0.0.0.0 192.168.242.4 Only 127.0.0.1 is

Hi: I have been using Dovecot for well over a year now and it has always worked with few problems. The mail setup is not simple... Postfix+MailScanner+ClamAV+Docvecot+MySql+postfix.admin... just to mention the major things. The system is CentOS 5.3 on VMware. The maildir is on an NFS share, index and control is local. About a month ago I thought I upgraded from 1.1.x to 1.2.x. by doing an

Hi Jeremy, An easy way to start troubleshooting these is to look at the audit logs and > see what SELInux is blocking. You have /McFrazier in the email.. if that's > off the root tree than unless you've set permissions to allow httpd to look > at tat folder, I bet that's one problem. > if you run ls -Z you can see the labels that are present on those folders, > that

[Moving this to the libguestfs mailing list] On Mon, Jan 13, 2014 at 03:05:14PM -0500, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/13/2014 11:49 AM, Richard W.M. Jones wrote: > > On Mon, Jan 13, 2014 at 10:20:22AM -0500, Daniel J Walsh wrote: > >> Secondly we prevent even unconfined_t from putting down labels on the > >>

I wish to reuse ports 80 and 443 for a different service. When I try to assign the port context for that service I get this: /usr/sbin/semanage: Port tcp/80 already defined When I try to delete the assigned context then I get this: semanage port -d -t http_port_t -p tcp 80 /usr/sbin/semanage: Port tcp/80 is defined in policy, cannot be deleted httpd is not installed on this host. But looking

I regret the delay in replying to this topic but I am a digest subscriber so I only see list traffic once every 24 hours. When I moved from RHES3 to CentOS4 back in April/May of this year I was bitten by the SELinux gnat as well, and the temptation to swat a distracting irritation by killing it in its bed nearly proved irresistible. However, taking to heart the advice given to me here and

Hi, how do I allow lighttpd access to a directory like this: dr-xrwxr-x. lighttpd example unconfined_u:object_r:samba_share_t:s0 files_articles I tried to create and install a selinux module, and it didn?t work. The non-working module can not be removed, either: semodule -r lighttpd-files_articles.pp libsemanage.semanage_direct_remove_key: Unable to remove module lighttpd-files_articles.pp at

Hey all, There's a website I help run that uses the Cassandra DB as its database. I notice that if I run the web server in SELinux permissive mode, the site works fine. But if I put it into enforcing mode, the site goes down with this error: Warning: require_once(/McFrazier/PhpBinaryCql/CqlClient.php): failed to open stream: Permission denied in

Hey guys,. I have a centos 7 machine I'm using as a zabbix server. And I noticed that apache won't start, with this complaint in the error log: (13)Permission denied: AH00091: httpd: could not open error log file /var/log/zabbix_error_log. AH00015: Unable to open logs I tried having a look at audit2allow and this is the response I get back: [root at monitor2:/etc/httpd] #grep http

Hi Leon, I don't have access to a CentOS 6.10 system handy, but it looks like a policy issue. If I take you're ausearch output and pipe it to audit2allow on my CentOS 7.6 system, I get the following: #============= httpd_t ============== #!!!! This avc is allowed in the current policy allow httpd_t httpd_sys_script_t:process signull; Noting that on my 7.6 system with selinux enforcing

On Tue, 20 Mar 2018 13:07:12 +0100 hw <hw at gc-24.de> wrote: ... > So what do you really gain from selinux, and is that worthwhile all > the trouble and the hours spent to fix the problems it creates? What > about the impact on performance? The main feature is that lots of software is indeed confined (even though your normal login or desktop remains unconfined). This is exactly

On Tue, February 10, 2015 04:18, Andrew Holway wrote: > On 10 February 2015 at 06:32, Mark Tinberg <mark.tinberg at wisc.edu> > wrote: > >> >> > On Feb 9, 2015, at 12:27 PM, Robert Nichols >> <rnicholsNOSPAM at comcast.net> >> wrote: >> > >> > On 02/09/2015 11:14 AM, James B. Byrne wrote: >> >> So, I decided to run