Displaying 20 results from an estimated 5000 matches similar to: "selinux & rsyncd: Allowing global read for backup"
2016 Apr 12
3
selinux getsebool request
Out of faint curiosity, how do we push change requests upstream to RHEL?
I'm using puppet to automate systems, including the application of
SELinux policy. While setsebool -P is non-damaging to repeat, it is time
consuming -- taking about 45 seconds per execution to process the
existing policy and re-commit to disk.
I'd like a simple ability to put an unless in the execution of
2016 Apr 12
3
selinux getsebool request
On 04/12/2016 02:31 PM, James Hogarth wrote:
> For example:
>
> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on
> &> /dev/null"
D'oh! That's what I get for overcomplicating the whole darn thing. :)
>
> Incidentally one nice trick if you're dealing with potentially changing
> multiple booleans and the policy compile
2017 Jun 06
2
weird SELinux denial
I keep seeing this in my audit.logs:
type=AVC msg=audit(1496336600.230:6): avc: denied { name_connect } for pid=2411 comm="dbus-daemon" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
Was caused by:
The boolean allow_ypbind was set incorrectly.
Description:
Allow system to run with NIS
Allow
2008 Oct 14
1
Regd: SeLinux Configuration
Dear All,
Currently I am using CentOS4.4 and the kernel version is 2.6.9-42.EL.
I have disabled selinux on kickstart installation and the command is
selinux --disabled
Can anyone help me or guide me to
1. Enable the selinux
2. Selinux Customize my own policy
Regards
-S.Balaji
2016 Dec 28
2
Help with httpd userdir recovery
On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:
On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>
> On 28/12/16 21:24, m.roth at 5-cent.us wrote:
>> Robert Moskowitz wrote:
>>>
>>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>>> On 28/12/16 20:11,
2016 Apr 12
0
selinux getsebool request
On 12 Apr 2016 6:10 p.m., "John Jasen" <jjasen at realityfailure.org> wrote:
>
> Out of faint curiosity, how do we push change requests upstream to RHEL?
>
> I'm using puppet to automate systems, including the application of
> SELinux policy. While setsebool -P is non-damaging to repeat, it is time
> consuming -- taking about 45 seconds per execution to
2016 Apr 13
0
selinux getsebool request
On Tue, 12 Apr 2016, John Jasen wrote:
> On 04/12/2016 02:31 PM, James Hogarth wrote:
>> For example:
>>
>> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep on
>> &> /dev/null"
>
> D'oh! That's what I get for overcomplicating the whole darn thing. :)
>>
>> Incidentally one nice trick if you're
2009 Feb 13
4
uid/gid settings in rsyncd.conf not respected?
Hi All,
I must not understand the uid/gid line in rsyncd.conf. If someone
could briefly point out where I've gone wrong, I'd appreciate it.
I've created a special user to backup a server which has some users
who don't want all their files backed up, so I'm trying to address
their concerns by using the uid= and gid= lines in rsyncd.conf to
have the rsyncd run with
2016 Dec 28
1
Help with httpd userdir recovery
On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:
On 12/28/2016 06:13 PM, Greg Cornell wrote:
> On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:
>
>
>
> On 12/28/2016 06:05 PM, J
2014 Dec 17
4
selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?
Hi,
On an internal webserver (latest C6) I want smb-access to /var/www/html/
In April I did
chcon -R -t public_content_rw_t /var/www/html/
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1
echo "/var/www/html/ -- unconfined_u:object_r:public_content_rw_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts
After the latest round
2017 Sep 22
1
selinux prevents lighttpd from printing
Daniel Walsh wrote:
> On 09/22/2017 06:58 AM, hw wrote:
>>
>> PS: Now I found this:
>>
>>
>> type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
>> type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1
2009 Jan 10
1
how to connect to rsyncd via forwarded ssh port?
I'm running an rsyncd and ssh port forwarding (-R 12345:localhost:873 backup@server)
on a client because the client should not be reachable but over ssh.
The rsyncd should be accessible because I can backup and restore files with backuppc
(a wonderful program which uses perl::rsync)
And I can "ssh -p 12345 backup@localhost" to this client too.
If I try to connect (from the machine/user
2020 Feb 12
2
Incorrect group name is displayed in folder permission list in Windows
>
> Hi, can we start by seeing your smb.conf from the file server ?
######################################################
# Global Config #
######################################################
[global]
kerberos method = system keytab
workgroup = NAME
security = ads
realm = NAME.EXAMPLE.COM
# Logging
log file = /var/log/samba/%m.log
log level = 3
#
2012 Nov 20
4
selinux policy and httpd
I upgraded a development server last week, and it started spewing selinux
errors to the log. I googled. What finally *seems* to have stopped it was
a) setsebool -P httpd_setrlimit 1
b) yum downgrade selinux-policy\*
This is on a 6.3 box. Has anyone else seen this behaviour?
mark
2017 Sep 22
2
selinux prevents lighttpd from printing
PS: Now I found this:
type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root
2011 Apr 25
2
Samba can't access dir - SELinux problem?
Hello,
I was using CentOS 5.5 as a "playground" VM at my WinXP notebook
and now I'm migrating to a new CentOS 5.6 install
and everything has worked well - except samba.
I have this very permissive config to export my ~/src dir:
# cat /etc/samba/smb.conf
[global]
guest ok = yes
guest account = afarber
security = share
hosts allow = 172.16.6. 127.0.0.1
[src]
2016 Sep 16
2
SELinux module
Hello everyone,
I have a problem with oddjob_mkhomedir on a NFS mount point. The actual
context is nfs_t
drwxr-xr-x. root root system_u:object_r:nfs_t:s0 users/
With this type, oddjob_mkhomedir cannot do its job of creating home user
directories.
In the logs, I found about creating a new module with audit2allow and
semodule:
[root@ audit]# sealert -l fe2d7f60-d3ff-405b-b518-38d0cf021598
2016 Mar 12
1
SELinux denies haproxy
for more information :
https://www.mankier.com/8/haproxy_selinux
On Sun, Mar 13, 2016 at 2:05 AM, Alexander Dalloz <ad+lists at uni-x.org>
wrote:
> On 12.03.2016 at 23:18, Tim Dunphy wrote:
>
>> Hi all,
>>
>> I'm load balancing 4 mysql databases using HAProxy. The setup seems to be
>> working pretty well. Except I keep seeing these messages turning up in
2007 Aug 16
1
SELinux questions, upon restarting BIND
Hi all,
On my newly up-and-running nameserver (CentOS 5), I noticed the
following alerts in /var/log/messages after restarting BIND. (lines
inserted to aid in reading).
As I'm new to SELinux, I'm hoping for some pointers on 1) if this is an
issue which simply *must* be addressed, or if it's something I should
live with, and 2) how to eliminate the warning messages without
sacrificing
2012 Nov 28
2
apache, passenger, and selinux
I seem to have quieted some, but I'm still getting noise from selinux.
Here's one that really puzzles me: my users have a ruby app with passenger
running. However, one of the sealerts gives me:
sealert -l 5a02b0a1-8512-4f71-b1c8-70a40b090a9d
SELinux is preventing /bin/chmod from using the fowner capability.
***** Plugin catchall_boolean (89.3 confidence) suggests
*******************