Displaying 20 results from an estimated 1000 matches similar to: "Type enforcement / mechanism not clear"
2018 Sep 09
3
Type enforcement / mechanism not clear
Am 09.09.2018 um 14:49 schrieb Daniel Walsh <dwalsh at redhat.com>:
>
> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:
>> Any SElinux expert here - briefly:
>>
>> # getenforce
>> Enforcing
>>
>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
>> <no output>
>>
>> # sesearch -ACR -s httpd_t -c file
2018 Sep 10
1
Type enforcement / mechanism not clear
Am 09.09.2018 um 16:19 schrieb Daniel Walsh <dwalsh at redhat.com>:
>
> On 09/09/2018 09:43 AM, Leon Fauster via CentOS wrote:
>> Am 09.09.2018 um 14:49 schrieb Daniel Walsh <dwalsh at redhat.com>:
>>> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:
>>>> Any SElinux expert here - briefly:
>>>>
>>>> # getenforce
2018 Sep 09
0
Type enforcement / mechanism not clear
On 09/09/2018 09:43 AM, Leon Fauster via CentOS wrote:
> Am 09.09.2018 um 14:49 schrieb Daniel Walsh <dwalsh at redhat.com>:
>> On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:
>>> Any SElinux expert here - briefly:
>>>
>>> # getenforce
>>> Enforcing
>>>
>>> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
2018 Sep 09
0
Type enforcement / mechanism not clear
On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:
> Any SElinux expert here - briefly:
>
>
> # getenforce
> Enforcing
>
> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
> <no output>
>
> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t
> <no output>
>
> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
>
2018 Sep 09
1
Type enforcement / mechanism not clear
On 09/09/2018 07:19 AM, Daniel Walsh wrote:
> sesearch -A -s httpd_t -t system_conf_t -p read
>
> If you feel that these files should not be part of the base_ro_files
> then we should open that for discussion.
I think the question was how users would know that the policy allowed
access, as he was printing rules affecting httpd_t's file read access,
and looking for
2017 Sep 23
2
more selinux problems ...
Hi,
how do I allow lighttpd access to a directory like this:
dr-xrwxr-x. lighttpd example unconfined_u:object_r:samba_share_t:s0 files_articles
I tried to create and install a selinux module, and it didn?t work.
The non-working module can not be removed, either:
semodule -r lighttpd-files_articles.pp
libsemanage.semanage_direct_remove_key: Unable to remove module lighttpd-files_articles.pp at
2012 Feb 16
3
Baffled by selinux
Apache DocumentRoot on an NFS directory:
[root at localhost ~]# service httpd start
Starting httpd: Warning: DocumentRoot [/home/www/html] does not exist
Syntax error on line 292 of /etc/httpd/conf/httpd.conf:
DocumentRoot must be a directory
[FAILED]
[root at localhost ~]#
After some research, I found this (dated) link
2018 Aug 21
5
selinux question
I have a web application which uses sudo to invoke python scripts as the
user under which the application runs (NO root access).? Is there any
reason why sudo would would require sys_ptrace access for this?? I only
get this violation intermittenly, and not with every call to sudo.?
Here's the violation:
Summary:
SELinux is preventing sudo (httpd_t) "sys_ptrace" to <Unknown>
2012 Jan 11
2
SELinux blocking cgi script from "writing to socket (httpd_t)"
Is this really supposed to get easier over time? :) Now my audit.log
file shows that SELinux is blocking my cgi script, index.cgi (which is
what's actually served when the user visits the front page of one of our
proxy sites like sugarsurfer.com) from having '"read write" to socket
(httpd_t)'. I have no idea what that means, except that I thought that
cgi scripts were
2011 Jan 14
1
httpd and selinux
Hello,
Running httpd-2.2.3-43.el5.centos.3 on CentOS release 5.5 (Final), I
have :
$ ps -Ze
LABEL PID TTY TIME CMD
user_u:system_r:httpd_t 12833 ? 00:00:00 httpd
Is it normal for httpd to have this context (user_u:system_r:httpd_t) ?
I was expecting system_u:system_r:httpd_t.
And if it is not normal, is it because I have restarted httpd by
2007 Mar 12
2
selinux disable but still working
I have some centos 4.4 server. i have disable selinux for some software
problem:
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disable
#
2016 Dec 28
4
Help with httpd userdir recovery
On 12/28/2016 05:11 AM, Todor Petkov wrote:
> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> Which is why I wonder if there is some different config for the C7.3 version
>> of apache.
>>
>> Or something with the C7-arm build...
> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
Good advice. As I
2019 Jan 30
2
SELinux policy vs. static web content
Hi,
Some time ago I wrote an introductory article about SELinux on my blog.
I'm currently updating it for my new blog, and I found a curious change
in SELinux policy. Here goes.
For demonstration purposes, I'm using some static webpages, more exactly
the default pages found in /usr/share/httpd/noindex, which I simply
copied over to /var/www/html.
As a first practical example, I'm
2014 Oct 25
1
Centos 6.5 - Fping - SE Linux - Missing type enforcement (TE) allow rule
Hi gents,
I seem to have a small issue with fping and Observium(a monitoring
solution). The particular VPS I'm using does have SELinux enabled and it
seems to be causing issues when the httpd process is attempting to use
Fping?
Here is what I know so far :
Output from "audit2why -a" :
---------------
type=AVC msg=audit(1414265994.125:6744): avc: denied { create } for
2017 Feb 21
2
SELInux conflict with Postfixadmin
On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:
> On 2017-02-21 17:30, Robert Moskowitz wrote:
>> postfixadmin setup.php is claiming:
>>
>> *Error: Smarty template compile directory templates_c is not writable.*
>> *Please make it writable.*
>> *If you are using SELinux or AppArmor, you might need to adjust their
>> setup to allow write access.*
>>
2009 Oct 04
2
deliver stopped working
Hi:
I have been using Dovecot for well over a year now and it has always worked with few
problems. The mail setup is not simple...
Postfix+MailScanner+ClamAV+Docvecot+MySql+postfix.admin... just to mention the major
things. The system is CentOS 5.3 on VMware. The maildir is on an NFS share, index and
control is local.
About a month ago I thought I upgraded from 1.1.x to 1.2.x. by doing an
2017 Sep 04
5
selinux denial of cgi script with httpd using ssl
Thanks for your help.
I did pick up an additional entry in the audit file :
type=AVC msg=audit(1504561395.709:10196): avc: denied { execute } for
pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
ino=537182029 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
Unfortunately, I am not sure how the
2019 May 27
2
[PATCH] Use proper label for nbdkit sockets
While svirt_t can be used for sockets it does not always guarantee that it will
be accessible from a virtual machine. The VM might be running under svirt_tcg_t
context which will need a svirt_tcg_t label on the socket in order to access it.
There is, however, another label, svirt_socket_t, which is accessible from
virt_domain:
# sesearch -A -s svirt_t -c unix_stream_socket -p connectto
...
2017 Sep 22
2
selinux prevents lighttpd from printing
PS: Now I found this:
type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root
2016 Jul 05
4
How to have more than on SELinux context on a directory
????????? ???????? ????? 2016-07-05 19:58:
>> I need to have the tftpdir_rw_t and samba_share_t SELinux context
>> on
>> the same directory.
>>
>> How can we do this? Is it feasible to have more than one SELinux
>> context?
>
> I don't think it's possible/feasible.
> You'd probably need to add a new type and necessary rules to your