similar to: CentOS 7 selinux policy bug

Hi, folks, CentOS 7.1. Selinux policy, and targetted, updated two days ago. May 28 17:02:41 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.#012#012***** <...> May 28 17:02:45 <servername> python: SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/uname.#012#012***** <...> May 28 17:02:45

What is your environment set up for? Is this just straight out of the box, or have you harden the systems any? -----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Earl A Ramirez Sent: Friday, May 29, 2015 10:53 AM To: CentOS mailing list Subject: Re: [CentOS] CentOS 7 selinux policy bug On 29 May 2015 at 16:27, <m.roth at

On 29 May 2015 at 16:27, <m.roth at 5-cent.us> wrote: > Hi, folks, > > CentOS 7.1. Selinux policy, and targetted, updated two days ago. > > May 28 17:02:41 <servername> python: SELinux is preventing /usr/bin/bash > from execute access on the file /usr/bin/bash.#012#012***** <...> > May 28 17:02:45 <servername> python: SELinux is preventing

Am 09.09.2018 um 16:19 schrieb Daniel Walsh <dwalsh at redhat.com>: > > On 09/09/2018 09:43 AM, Leon Fauster via CentOS wrote: >> Am 09.09.2018 um 14:49 schrieb Daniel Walsh <dwalsh at redhat.com>: >>> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >>>> Any SElinux expert here - briefly: >>>> >>>> # getenforce

On 09/09/2018 09:43 AM, Leon Fauster via CentOS wrote: > Am 09.09.2018 um 14:49 schrieb Daniel Walsh <dwalsh at redhat.com>: >> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >>> Any SElinux expert here - briefly: >>> >>> # getenforce >>> Enforcing >>> >>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t

I recently setup my Puppetmaster server to run through Passenger via Apache instead of on the default webrick web server. SELinux made that not work and I've found some documentation on making rules to allow it however mine won't load. This is the policy I found via this website, http://sandcat.nl/~stijn/2012/01/20/selinux-passenger-and-puppet-oh-my/comment-page-1/ . module

Am 09.09.2018 um 14:49 schrieb Daniel Walsh <dwalsh at redhat.com>: > > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file

Not a problem ... sharing a solution (this time)! Please correct my understanding of the process, if required. "i_stream_read() failed: Permission denied" is an error message generated when a large-ish file (>128kb in my case) is attached to a message that has been passed to Dovecot's deliver program when SELinux is being enforced. In my case, these messages are first run

On Thursday, August 21, 2014 12:00:03 centos-request at centos.org wrote: > Re: [CentOS] SELinux vs. logwatch and virsh > From: Daniel J Walsh <dwalsh at redhat.com> > To: CentOS mailing list <centos at centos.org> > > On 08/18/2014 02:13 PM, Bill Gee wrote: > > Hi Dan - > > > > "ausearch -m avc -ts recent" produces no output. If I run it

Hello List, after the last update I have a selinux "Problem" with dovecot. My system is a centos 7. After a new start from dovecot selinux block a connection. Jul 12 16:24:24 mx01 systemd: Starting Dovecot IMAP/POP3 email server... Jul 12 16:24:54 mx01 systemd: Started Dovecot IMAP/POP3 email server. Jul 12 16:24:54 mx01 dovecot: Warning: Corrected permissions for login directory

Looks like turning on three booleans will solve most of the problem. httpd_execmem, httpd_run_stickshift, allow_httpd_anon_write On 12/03/2014 03:55 AM, John Beranek wrote: > Mark: Labels look OK, restorecon has nothing to do, and: > > -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /bin/ps > > dr-xr-xr-x. root root system_u:object_r:proc_t:s0 /proc > > I'll

Indeed, thanks Dan - it doesn't get us to a completely clean running that would allow us to run our Node app as we are under Passenger with SELinux enforcing, but it at least has stopped the excessive amount of AVCs we were getting. John On 3 December 2014 at 10:01, Daniel J Walsh <dwalsh at redhat.com> wrote: > Looks like turning on three booleans will solve most of the problem.

Daniel Walsh wrote: > On 09/22/2017 06:58 AM, hw wrote: >> >> PS: Now I found this: >> >> >> type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp >> type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1

Mark: Labels look OK, restorecon has nothing to do, and: -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /bin/ps dr-xr-xr-x. root root system_u:object_r:proc_t:s0 /proc I'll send the audit log on to Dan. Cheers, John On 2 December 2014 at 16:10, Daniel J Walsh <dwalsh at redhat.com> wrote: > Could you send me a copy of your audit.log. > > You should not be

Hi Leon, I don't have access to a CentOS 6.10 system handy, but it looks like a policy issue. If I take you're ausearch output and pipe it to audit2allow on my CentOS 7.6 system, I get the following: #============= httpd_t ============== #!!!! This avc is allowed in the current policy allow httpd_t httpd_sys_script_t:process signull; Noting that on my 7.6 system with selinux enforcing

On 09/22/2017 06:58 AM, hw wrote: > > PS: Now I found this: > > > type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : > proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp > type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 > syscall=setgroups success=no exit=EPERM(Operation not permitted) > a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300

PS: Now I found this: type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root

Johnny Hughes wrote: > On 09/20/2017 07:19 AM, hw wrote: >> hw wrote: >>> >>> Hi, >>> >>> how do I allow CGI programs to print (using 'lpr -P some-printer >>> some-file.pdf') when >>> lighttpd is being used for a web server? >>> >>> When selinux is permissive, the printer prints; when it?s enforcing,

I'm experimenting with tor hidden services and got it to work nicely on my Centos7, with tor from epel. That is, until I booted the machine. Then SELinux kicked in and in the logs there's? [warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied The permissions are drwx------.??2 toranon toranon????4096 Jan 28 23:39 hidden_service And SELinux gives the following

I am seeing these in the log of one of our off-site NX hosts running CentOS-6.6. type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket Was caused by: Missing type enforcement (TE) allow rule. You can use