similar to: SELinux - null security context

Yesterday I activated SELinux in targeted mode, then I rebooted and started receiving some error messages in the system services initialization: ====================================================================== audit(1156518721.252:2): avc: denied { read } for pid=2223 comm="syslogd" name="libc-2.3.4.so" dev=dm-0 ino=50441 scontext=user_u:system_r:syslogd_t

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1212807

[ I realized that we were discussing adding this feature, in various private email, IRC, and this long bugzilla thread: https://bugzilla.redhat.com/show_bug.cgi?id=1060423 That's not how we should do things. Let's discuss it on the mailing list. ] One thing that virt-customize/virt-sysprep/virt-builder have to do is relabel SELinux guests. What we do at the moment

Do SELinux relabelling properly.

Tried just the selinux list yesterday, no answers, so I'm trying again. I partitioned GPT, and formatted, as xfs, a large (3TB) drive on a CentOS 6 system, which has selinux in permissive mode. I then moved the drive to a CentOS 5 system. When we run a copy (it mirror-copies from another system), we get a ton of errors. I discovered that the CentOS 5 system was enforcing. I changed it to

I could not get vsftpd to start; kept getting the "vsftpd Dead Subsys Locked" error. On doing a Google search, I came across a fix (lost the site unfortunately) and as I recall, it has something to do with copying a file and having the incorrect SElinux settings (I have SElinux disabled). The fix was to do a fixfiles, relabel (commands that I have never used) or a touch of

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1212807 Since v1: - Combine the virt-builder detection code into virt-customize. - Enables us to delete Architecture and Uname modules completely. Rich.

Hello, I received the below SELinux message today and I am trying to figure out what caused it. I see what it says under Allow Access but I am not sure this is what I really want to do without know why it happened in the first place. What should I be looking at to understand what or why this has happened? Any help I would be most grateful for. Here is the output form SELinux SUMMARY:

This implements the --selinux-relabel option for virt-customize, virt-builder and virt-sysprep. There is no need to autorelabel functionality now. Thanks: Stephen Smalley --- builder/Makefile.am | 1 + builder/virt-builder.pod | 20 +++++++++---------- customize/Makefile.am | 2 ++ customize/SELinux_relabel.ml | 46 +++++++++++++++++++++++++++++++++++++++++++

--- customize/customize_run.ml | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/customize/customize_run.ml b/customize/customize_run.ml index 0f1d72a..cd4616c 100644 --- a/customize/customize_run.ml +++ b/customize/customize_run.ml @@ -338,15 +338,19 @@ exec >>%s 2>&1 if ops.flags.selinux_relabel then ( msg (f_"SELinux

We can use the setfiles(8) command to relabel the guest filesystem, even though we don't have a policy loaded nor SELinux enabled in the appliance kernel. This also deprecates or removes the old and broken SELinux support. This patch isn't quite complete - I would like to add some tests to the new API. I'm posting here to garner early feedback. Rich.

v1 -> v2: - Add simple test of the setfiles API. - Use SELinux_relabel module in virt-v2v (instead of touch /.autorelabel). - Small fixes. Rich.

Hi. I've installed BackupPC 3.1.0 from Testing repository, to Cent OS 5.2 x86_64, and I am hitting an SE Linux denial - the httpd cannot talk to the BackupPC socket: type=AVC msg=audit(07/31/2008 17:18:53.623:410) : avc: denied { connectto } for pid=11767 comm=httpd path=/var/log/BackupPC/BackupPC.sock scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:initrc_t:s0

Rewrite the relabel API to read the policy configured in the guest, invoking setfiles (added as part of the appliance, as part of policycoreutils) to relabel the specified root. In case of failure at any point of the process, a touch of .autorelabel in the root is tried as last-attempt measure to do the relabel. Considering that running SELinux tools in the appliance might be affected by the

I have a serious privileges problem that is making it impossible to serve python pages on a CentOS server. I have tried to resolve this problem in my last post, but now it appears that interest has petered out. I'm desperate and hoping someone on this list can help. [Fri Nov 06 11:50:40 2009] [error] [client 66.248.168.98] (2)No such file or directory: exec of

Does anyone know if utilities like semanage or fixfiles will be successful if used during the %post section of a kickstart installation? -- Paul Heinlein <> heinlein at madboa.com <> www.madboa.com

I have just migrated my Kerberos setup to a new machine (running inside Xen) and it is complaining at startup about the file contexts not being correct, even after running /sbin/fixfiles. On the previous machine I'm sure I had set SELinux to permissive and that's why it never complained. Here are the contexts *after* running /sbin/fixfiles -R krb5-server restore # ls -AlZ

Hi. I'm trying to setup squid with SELinux, the problem i encounter is taht i want to add another directory for cache, in this system we have a home partition with huge space, i create a squid dir and add the path with semanage: semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?' i check the files and are in the good context: drwxr-xr-x squid squid

To set selinux to permissive or disabled mode during a kickstart installation, add the sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' /etc/selinux/config command to the %post section of the kickstart file. Making sure to replace "permissive" with the required selinux mode. -- https://bugzilla.redhat.com/show_bug.cgi?id=435300 On 26 May 2015 at 04:40, Rob Kampen <rkampen at

I have some centos 4.4 server. i have disable selinux for some software problem: # cat /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disable #