similar to: SELinux C7 audit

On 07/05/2016 08:21 AM, Alessandro Baggi wrote: > What are the meaning of rules on pol.te https://wiki.centos.org/HowTos/SELinux The CentOS howto has some information, and links to additional resources. The policy should be pretty easy to read, though. You have one rule, "allow bacula_t systemd_systemctl_exec_t:file execute." Each word in that rule, except for "allow"

I updated my backup server to CentOS 6.6 this morning. As usual, I unmounted the current (nightly) tape from the changer before the reboot. Now Bacula complains it cannot access the changer: 3301 Issuing autochanger "loaded? drive 0" command. 3991 Bad autochanger "loaded? drive 0" command: ERR=Child exited with code 1. Results=cannot open SCSI device '/dev/changer' -

I am trying to update some local policies for bacula that allow a series of clients with pre run scripts to su in order to perform some preparatory work for a backup. With selinux enforcing, the su is denied obviously execute as bacula_t tries su_exec_t. You only see this with enforcing enabled? So creating an initial policy for that (this is not the way to do this) allows one more avc to appear

Hey folks, Ok so I'm having another issue with SELinux. However I think I'm pretty close to a solution and just need a nudge in the right directtion. I wrote a puppet module that gets systems into bacula backups. Part of the formula is to distribute key/cert pairs with permissions that allow bacula to read them so that bacula can talk to the host over TLS. It's pretty slick, I must

Hey guys, Quick update. I grepped through the output of getsebool -a to see that related to puppet. And I found this setting: puppetagent_manage_all_files. So I tried running this command: setsebool -P puppetagent_manage_all_files 0 And did a restorecon on my modules directory: restorecon -R -v environments/production/moudles So there's good news and bad news to report! It seems that

Hi all, Thanks for all your suggestions. Here's where I'm at with this. Can you give details about your puppetmasterd setup ? it seems that > you're using Foreman as puppet ENC. > Yes, I'm on foreman 1.7.4 and puppet 3.75. You are correct that I'm using foreman, sorry I hadn't thought to mention it! > Foreman works fine with selinux enabled : that's what

I have no idea of the current dependency problem. I think your original problem was caused by mv'ing files from an nfs share to /etc which maintained the context. And SELinux prevented puppet from accessing nfs_t type. If you had just run restorecon on the object it would have set it back to the correct/default context. You might want to setup an alias mv "mv -Z" This changes

I am seeing these in the log of one of our off-site NX hosts running CentOS-6.6. type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket Was caused by: Missing type enforcement (TE) allow rule. You can use

Hello, I'm using HP homeserver where host system run CentOS 6.3 with KVM virtualization with SELinux enabled, guests too run the same OS (but without SELinux, but this does not matter). Host system installed on mirrors based on sda and sdb physical disks. sd{c..f} disks attached to KVM guest (whole disks, not partitions; needed to use zfs (zfsonlinux) benefit features). Problem is that disks

Hi list, I'm trying to understand SELinux on C7. I encountered problem running bacula when system is enforced. The problem is when bacula try to run BeforeJobScript. In this script there is an occourrence to systemctl stop httpd and hostname command and I got error on permission on this 2 commands. Reading RHEL 7 SELinux Guide seems that I need a domain transaction but I don't know how

Trying to restart postfix installed from yum. Restart fails, I get: type=AVC msg=audit(1430429813.721:12167): avc: denied { unlink } for pid=31624 comm="master" name="defer" dev="dm-0" ino=981632 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=sock_file I guess it needs to remove the

On 30.07.2019 20:07, Tom Diehl via dovecot wrote: > > Does anyone have an Idea how to fix this? > > Regards, > Perhaps see if there are any denials in SELinux audit log: sudo grep denied /var/log/audit/audit.log | grep dovecot | audit2allow -a Good luck, Reio

Fix formatting of Flask AVC audit messages so that existing policy tools can parse them. After applying, ''xm dmesg | audit2allow'' yields the expected result. Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: George S. Coker, II <gscoker@alpha.ncsc.mil> --- xen/xsm/flask/avc.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)

On Mon, January 19, 2015 11:50, James B. Byrne wrote: > I am seeing these in the log of one of our off-site NX hosts running > CentOS-6.6. > > type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for > pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 > tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket > Was caused by:

Installed Packages Name : postfix Arch : x86_64 Epoch : 2 Version : 2.6.6 Release : 6.el6_5 Size : 9.7 M Repo : installed >From repo : updates I am seeing several of these in our maillog file after a restart of the Postfix service: Apr 23 12:48:27 inet08 setroubleshoot: SELinux is preventing /usr/libexec/postfix/smtp from 'read, write'

On 04/26/2017 12:29 AM, Robert Moskowitz wrote: > But the policy generates errors. I will have to submit a bug report, > it seems A bug report would probably be helpful. I'm looking back at the message you wrote describing errors in ld-2.17.so. I think what's happening is that the policy on your system includes a silent rule that somehow breaks your system. You'll need

Hi, I've setup a transparent HTTP+HTTPS proxy on my server running CentOS 7, using Squid. Here's my configuration file. --8<---------------------------------------------------------------- # /etc/squid/squid.conf # D?finitions acl localnet src 192.168.2.0/24 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port

Hi list, I try to install bacula-client-3.0.1-3.el5.pp.x86_64.rpm but have problems with some Dependencies, please if anyone know how fix that I'll apreciate the info. yum install bacula-client-3.0.1-3.el5.pp.x86_64.rpm Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * epel: www.gtlib.gatech.edu * rpmforge: ftp-stud.fht-esslingen.de * base: centos.pop.com.br *

CentOS Errata and Bugfix Advisory 2012:1469 Upstream details at : https://rhn.redhat.com/errata/RHBA-2012-1469.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: 7b52c666fc603f620e273dcbba5a43bad621826f9e2520cca6f064ecd5cef03c bacula-client-5.0.0-12.el6.i686.rpm

CentOS Errata and Bugfix Advisory 2015:0239 Upstream details at : https://rhn.redhat.com/errata/RHBA-2015-0239.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: de15a060812e939050e6d9672e167f81ed6474aba93d283dea0f07a176951407 bacula-client-5.0.0-13.el6.i686.rpm