similar to: CentOS 7, selinux issue

Hi, folks, Our system gets/creates /var/lib/ssh-x509-auth/<username>,pem, then deletes it when the log out. selinux (in permissive mode) complains. First, I changed the context to cert_t, and *now* it complains that ksh93 wants write, etc access on the directory. grep ssh-x509-auth /var/log/audit/audit.log | audit2allow offers me this: #============= sshd_t ============== allow sshd_t

Two issues: first, I've noticed a number of times that selinux is there, which we usually have in permissive, but setroubleshoot is *not* installed. Is there be some kind of dependency or group that it should be part of that's missing? I don't see why I need to manually install it.... Second - and I thought I knew the answer to this, but guess I don't - I see AVC's in the log

Mark: Labels look OK, restorecon has nothing to do, and: -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /bin/ps dr-xr-xr-x. root root system_u:object_r:proc_t:s0 /proc I'll send the audit log on to Dan. Cheers, John On 2 December 2014 at 16:10, Daniel J Walsh <dwalsh at redhat.com> wrote: > Could you send me a copy of your audit.log. > > You should not be

I'm setting up a dedicated database server, and since this will be a central service to my various web servers I wanted it to be as secure as possible...so I am leaving SELinux enabled. However I'm having trouble getting Apache to use mod_auth_pam. I also now can't get setroubleshootd working to send me notifications of the denials and provide tips to solve the problem. The Apache

I'll jump in here to say we'll try your suggestion, but I guess what's not been mentioned is that we get the setroubleshoot abrt's only a few times a day, but we're getting 10000s of setroubleshoot messages in /var/log/messages a day. e.g. Dec 2 10:03:55 server audispd: queue is full - dropping event Dec 2 10:04:00 server audispd: last message repeated 199 times Dec 2

Indeed, thanks Dan - it doesn't get us to a completely clean running that would allow us to run our Node app as we are under Passenger with SELinux enforcing, but it at least has stopped the excessive amount of AVCs we were getting. John On 3 December 2014 at 10:01, Daniel J Walsh <dwalsh at redhat.com> wrote: > Looks like turning on three booleans will solve most of the problem.

CentOS-6.5 OpenDKIM-2.9.0 (epel) Postfix-2.6.6 (updates) I am trying to get opendkim working with our mailing lists. In the course of that endeavour I note that these messages are appearing in our syslog: May 4 20:50:02 inet08 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from using the signull access on a process. For complete SELinux messages. run sealert -l

CentOS 6.3. *Just* updated, including most current selinux-policy and selinux-policy-targeted. I'm getting tons of these, as in it's just spitting them out when I tail -f /var/log/messages: Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps from search access on the directory @2. For complete SELinux messages. run sealert -l d92ec78b-3897-4760-93c5-343a662fec67

Hey, I am in the process of trying (and convincing my colleagues) to learn/setup selinux as we switch to 6.0... Quick question: do I really "need" to install the setools/setroubleshoot packages or can I live without them?? They want to install 80 packages (gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing all sort of graphical tools/libs on my lean

As this remains an issue for me, I'm reposting. Please forgive the redundancy, but I've been unable to find the answer and am hoping for some guidance. Thanks in advance, ~Ray ==========Original Posts follow========== (full output is in the original thread) Ray Leventhal wrote: > > Hi all, > > > > On my newly up-and-running nameserver (CentOS 5), I noticed the >

Hi! ---- Is there any interest to turn the "zfs" utility (to clarify: This is about a change in the "zfs" utility itself, not about any "language bindings" etc.) from it''s (currently) "homegrown" command-line parsing code over to ksh93/libshell.so (this has been proposed by Amersham/GE Healthcare staff a while ago for the original

I generated a new host key for one of our systems using: ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key_4096 I then ran 'ls -Z on the keys' ll -Z *key* -rw-------. root root system_u:object_r:sshd_key_t:s0 ssh_host_dsa_key -rw-r--r--. root root system_u:object_r:sshd_key_t:s0 ssh_host_dsa_key.pub -rw-------. root root system_u:object_r:sshd_key_t:s0 ssh_host_key -rw-r--r--. root

I am seeing these in the log of one of our off-site NX hosts running CentOS-6.6. type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket Was caused by: Missing type enforcement (TE) allow rule. You can use

Hi all, On my newly up-and-running nameserver (CentOS 5), I noticed the following alerts in /var/log/messages after restarting BIND. (lines inserted to aid in reading). As I'm new to SELinux, I'm hoping for some pointers on 1) if this is an issue which simply *must* be addressed, or if it's something I should live with, and 2) how to eliminate the warming messages without sacrificing

Dear my friends... Anybody would be so nice for telling me the solution of my problem. My Apache2 can not start. I find this error in /var/log/messages: Nov 7 14:20:47 cencen setroubleshoot: SELinux is preventing httpd from loading /usr/local/apache/modules/libphp5.so which requires text relocation. For complete SELinux messages. run Realertrag -l 077ac3bc-5f20-4954-99c3-a754f9cd7df2 I've

We are currently running libxml2-2.7.6-14.el6_5.2.x86_64 How far back would you suggest we go? would libxml2-2.7.6-14.el6_5.1.x86_64 be sufficient -----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Daniel J Walsh Sent: 01 December 2014 15:10 To: CentOS mailing list Subject: Re: [CentOS] SEtroubleshootd Crashing I am not sure. I was

Hi, I recently discovered setroubleshoot, a wonderful tool that helps diagnose and resolve selinux problems, even if you really do not understand selinux. I need to read up on selinux and get to where I understand it much better. I'm wondering if there is a text only version of setroubleshoot that runs on a minimal server configuration without X installed? -- Drew Einhorn --------------

When running Node.js through Phusion Passenger on Centos 6.5 ( Linux 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux), with SELinux enabled in permissive mode we receive a large number of entries in the audit.log and setroubleshootd randomly crashes with the following error, We have resolved the selinux alerts by following the troubleshooting steps

Thanks Could you please clarify, which version libxml is broken and has there been a newer version released that will fix it. -----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Daniel J Walsh Sent: 01 December 2014 14:58 To: CentOS mailing list Subject: Re: [CentOS] SEtroubleshootd Crashing This seems to be a problem with an updated

On Tue, February 10, 2015 04:18, Andrew Holway wrote: > On 10 February 2015 at 06:32, Mark Tinberg <mark.tinberg at wisc.edu> > wrote: > >> >> > On Feb 9, 2015, at 12:27 PM, Robert Nichols >> <rnicholsNOSPAM at comcast.net> >> wrote: >> > >> > On 02/09/2015 11:14 AM, James B. Byrne wrote: >> >> So, I decided to run