Search Results

Search found 182 results on 8 pages for 'selinux'.

Page 1/8 | 1 2 3 4 5 6 7 8  | Next Page >

  • How to set selinux?

    - by Enrique Videni
    I installed selinux first, I set SELINUX=enforcing instead of its original value, SELINUX=permissive in /etc/selinux/config, then I reboot my computer. I waited for some time, but it stopped, I rebooted again and it can not go into the system anymore so I restored the setting. I tried to run seinfo command in a terminal, but it output some errors below: ERROR: policydb version 26 does not match my version range 15-24 ERROR: Unable to open policy /etc/selinux/ubuntu/policy/policy.26. ERROR: Input/output error It seems that there is a little difference on how to start up selinux between CentOS and Ubuntu, can you help me configure selinux in Ubuntu?

    Read the article

  • AD GIT SELinux RHEL 6 : Can not get SELinux to allow connetion to git

    - by Johan Sörell
    I have a problem with SELinux! I have installed git on Red Hat Enterprise 6 with AD group control and SSL Cert . Everything works fine if I do setenforce 0 ( set SELinux in detection only mode ) or if I do semanage permissive -a httpd_t (Set httpd_t in detection only mode) I do not want to use this on my git production server. Is there anyone out there who can help we with SELinux? Below is some info that you might need to be able to help me: All help I can get would be apriciated: This is the output of ls -lZa /preproduction/git/repositories/ ls -lZa /preproduction/git/repositories/ drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 . drwxr-xr-x. apache apache unconfined_u:object_r:file_t:s0 .. drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 playground drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 shamrock.git drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 test Here is the out put of getsebool -a |grep -i httpd getsebool -a |grep -i httpd allow_httpd_anon_write --> off allow_httpd_mod_auth_ntlm_winbind --> off allow_httpd_mod_auth_pam --> off allow_httpd_sys_script_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_network_connect --> off httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> off httpd_dbus_avahi --> on httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_read_user_content --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_tmp_exec --> off httpd_tty_comm --> on httpd_unified --> on httpd_use_cifs --> off httpd_use_gpg --> off httpd_use_nfs --> off Tis is the status of : sestatus sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted

    Read the article

  • selinux permissive and type targeted

    - by krisdigitx
    i am running centos 6.2 recently i noticed that apache was running with selinux enabled # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=Permissive # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted i noticed that these errors were coming on dmesg type=1400 audit(1354453732.704:9056368): avc: denied { name_connect } for pid=39006 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket type=1400 audit(1354453735.777:9056369): avc: denied { name_connect } for pid=39046 comm="httpd" dest=6379 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket i then enabled /usr/sbin/setsebool httpd_can_network_connect=1 and this stopped the errors and also the webpages started to work. My question is if selinux is in permissive mode will selinuxtype=targeted enforce any polices? if not how did it solve the problem with apache as selinux was already in permissive mode?

    Read the article

  • How do I enable SELinux when booting a ramdisk from a CD/DVD?

    - by JeffG
    I have a bootable DVD which boots the same Kernel as the Hard Drive (which uses SELinux). I have copied /etc/selinux and all kernel modules to my ramdisk, and have tried various combinations of selinux=1 and selinux 1 with enforcing 1 and enforcing 0. as Kernel boot parameters. All files contained in the checkpolicy, libselinux, policycoreutils, selinux-policy and selinux-policy-targeted rpms have also been copied into the ramdisk tree. After the system boots from the ramdisk, I check dmesg: % dmesg | grep -i selinux Kernel command line: initrd=idrd.img ramdisk_size=110476 selinux=1 SELinux: Initializing. SELinux: Starting in permissive mode selinux_register_security: Registering secondary module capability SElinux: Registering netfilter hooks But SELinux isn't running: % /usr/sbin/getenforce Disabled % /usr/sbin/setenforce 1 /usr/sbin/setenforce: SELinux is disabled Neither /var/log/messages nor /proc/kmsg hold clues.

    Read the article

  • MySQL tmpdir on /dev/shm with SELinux

    - by smorfnip
    On RHEL5, I have a small MySQL database that has to write temp files. To speed up this process, I would like to move the temporary directory to /dev/shm by putting the following line into my.cnf: tmpdir=/dev/shm/mysqltmp I can create /dev/shm/mysqltmp just fine and do chown mysql:mysql /dev/shm/mysqltmp chcon --reference /tmp/ /dev/shm/mysqltmp I've tried to make SELinux happy by applying the same settings that are in effect for /tmp/ (and /var/tmp/), which is presumably where MySQL is writing its tmp files if tmpdir is undefined. The problem is that SELinux complains about MySQL having access to that directory. I get the following in /var/log/messages: SELinux is preventing mysqld (mysqld_t) "getattr" to /dev/shm (tmpfs_t). SELinux is a hard mistress. Details: Source Context root:system_r:mysqld_t Target Context system_u:object_r:tmpfs_t Target Objects /dev/shm [ dir ] Source mysqld Source Path /usr/libexec/mysqld Port <Unknown> Host db.example.com Source RPM Packages mysql-server-5.0.77-3.el5 Target RPM Packages Policy RPM selinux-policy-2.4.6-255.el5_4.1 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name db.example.com Platform Linux db.example.com 2.6.18-164.2.1.el5 #1 SMP Mon Sep 21 04:37:42 EDT 2009 x86_64 x86_64 Alert Count 46 First Seen Wed Nov 4 14:23:48 2009 Last Seen Thu Nov 5 09:46:00 2009 Local ID e746d880-18f6-43c1-b522-a8c0508a1775 ls -lZ /dev/shm shows drwxrwxr-x mysql mysql system_u:object_r:tmp_t mysqltmp and permissions for /dev/shm itself are drwxrwxrwt root root system_u:object_r:tmpfs_t shm I've also tried chcon -R -t mysqld_t /dev/shm/mysqltmp and setting the group on /dev/shm to mysql with no better results. Shouldn't it be enough to tell SELinux, hey, this is a temp directory just like MySQL was using before? Short of turning off SELinux, how do I make this work? Do I need to edit SELinux policy files?

    Read the article

  • Should I install SELinux to make my Ubuntu Web server more secure?

    - by Desmond Hume
    This wiki page on using SELinux with Ubuntu informs of the following: The Ubuntu-specific "selinux" and "selinux-policy-ubuntu" packages documented here have not received much attention since Karmic, and appear to be effectively broken in Precise. So does it make sense to even consider installing SELinux with the purpose of making a general-purpose Web server running on Ubuntu 12.04 more secure? What are the potential problems that SELinux can bring into an Ubuntu Web server?

    Read the article

  • How to secure JBoss application server using SELinux

    - by Jakub Elias
    I want to secure RedHat 5.4 application server by SELinux (targeted policy) and have several questions 1, where can i get SELinux sources (/etc/selinux//src/policy/)There seems to be no such package on install cd .. 2, how to restrict user rights (for example user jboss could not modify /etc/my.cnf) 3, how to configure JBoss application server to work under SELinux Although i read many documents from NSA the whole topic is still not clear for me.What i want is to basically protect filesystem in case one account is broken.I cannot find any materials about securing jboss server using either chroot jail, ACLs or SELinux ....

    Read the article

  • how do I allow mysql connections through selinux

    - by xivix
    I'd like to for once leave selinux running on a server for the alleged increased security. I usually disable selinux to get anything to work. How do I tell selinux to allow mysql connections? The most documentation I've found is this line from mysql.com: If you are running under Linux and Security-Enhanced Linux (SELinux) is enabled, make sure you have disabled SELinux protection for the mysqld process. wow ... that's really helpful.

    Read the article

  • how do I allow mysql connections through selinux

    - by xivix
    I'd like to for once leave selinux running on a server for the alleged increased security. I usually disable selinux to get anything to work. How do I tell selinux to allow mysql connections? The most documentation I've found is this line from mysql.com: If you are running under Linux and Security-Enhanced Linux (SELinux) is enabled, make sure you have disabled SELinux protection for the mysqld process. wow ... that's really helpful.

    Read the article

  • How do I enable SELinux when booting from a CD/DVD?

    - by JeffG
    I have a bootable DVD which boots the same Kernel as the Hard Drive (which uses SELinux). I have copied /etc/selinux and all the kernel modules to my ramdisk, and have tried both selinux=1 and selinux 1 as Kernel boot parameters. After the system boots, I check dmesg: % dmesg | grep -i selinux Kernel command line: initrd=idrd.img ramdisk_size=110476 selinux=1 SELinux: Initializing. SELinux: Starting in permissive mode selinux_register_security: Registering secondary module capability SElinux: Registering netfilter hooks But SELinux isn't running: % /usr/sbin/getenforce Disabled % /usr/sbin/setenforce 1 /usr/sbin/setenforce: SELinux is disabled /var/log/messages does not hold any clues. /proc/kmsg also has nothing

    Read the article

  • redhat Apache fast-cgi selinux permissions

    - by Alejo JM
    My apache installation is running php as fastcgi, and the virtual hosts are pointing to /home/*/public_html. and the fastcgi are home/*/cgi-bin/php.fcgi the public_html setup with selinux was: /usr/sbin/setsebool -P httpd_enable_homedirs 1 chcon -R -t httpd_sys_content_t /home/someuser/public_html The owner and group are the user, for example the user "someuser": ls -all /home/someuser/cgi-bin/ drwxr-xr-x 2 someuser someuser 4096 Sep 7 13:14 . drwx--x--x 6 someuser someuser 4096 Sep 6 18:17 .. -rwxr-xr-x 1 someuser someuser 308 Sep 7 13:14 php.fcgi ls -all /home/someuser/public_html/ | greep info.php -rw-r--r-- 1 someuser someuser 24 Sep 3 16:24 info.php When is visits the site I get "Forbidden ..." and the log said: [Fri Sep 07 12:02:51 2012] [error] [client x.x.x.x] (13)Permission denied: access to /cgi-bin/php.fcgi/info.php denied My selinux conf is: SELINUX=enforcing SELINUXTYPE=targeted SETLOCALDEFS=0 So I kill Selinux (SELINUX=disabled), reboot the system and everything works !!!!! The problem is Selinux, I don't want disable Selinux. I trying this with no success: setsebool -P httpd_enable_cgi 1 chcon -t httpd_sys_script_exec_t /home/someuser/cgi-bin/php.fcgi chcon -R -t httpd_sys_content_t /home/someuser/cgi-bin Or maybe is better change Selinux SELINUX=enforcing to SELINUX=permissive And disable selinux for httpd ? (I think I better find the correct configuration) Thanks for any suggestion on this matter My environment: Red Hat Enterprise Linux Server release 5.8 (Tikanga) Server version: Apache/2.2.3 PHP 5.1.6 (cli) (built: Jun 22 2012 06:20:25) Copyright (c) 1997-2006 The PHP Group Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies Some logs: ps -ZC httpd LABEL PID TTY TIME CMD system_u:system_r:httpd_t 2822 ? 00:00:00 httpd system_u:system_r:httpd_t 2823 ? 00:00:00 httpd system_u:system_r:httpd_t 2824 ? 00:00:00 httpd system_u:system_r:httpd_t 2825 ? 00:00:00 httpd system_u:system_r:httpd_t 2826 ? 00:00:00 httpd system_u:system_r:httpd_t 2836 ? 00:00:00 httpd system_u:system_r:httpd_t 2837 ? 00:00:00 httpd system_u:system_r:httpd_t 2838 ? 00:00:00 httpd system_u:system_r:httpd_t 2839 ? 00:00:00 httpd system_u:system_r:httpd_t 2840 ? 00:00:00 httpd getsebool -a | grep httpd allow_httpd_anon_write --> off allow_httpd_bugzilla_script_anon_write --> off allow_httpd_cvs_script_anon_write --> off allow_httpd_mod_auth_pam --> off allow_httpd_nagios_script_anon_write --> off allow_httpd_prewikka_script_anon_write --> off allow_httpd_squid_script_anon_write --> off allow_httpd_sys_script_anon_write --> off httpd_builtin_scripting --> on httpd_can_network_connect --> off httpd_can_network_connect_db --> off httpd_can_network_relay --> off httpd_can_sendmail --> on httpd_disable_trans --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> on httpd_execmem --> off httpd_read_user_content --> off httpd_rotatelogs_disable_trans --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_suexec_disable_trans --> off httpd_tty_comm --> on httpd_unified --> on httpd_use_cifs --> off httpd_use_nfs --> off

    Read the article

  • How to construct SELinux rules for a Glassfish server

    - by tronda
    I'm running Glassfish 3.1 on a CentOS 6 solution and by default SELinux is enabled. I have installed Sun's JDK version 1.6.0_29 on the server and extracted the Glassfish 3.1.1 to /opt/glassfish-3.1.1 with a link /opt/glassfish pointing to the latest Glassfish version. I've also created a system user named glassfish with a home directory /home/glassfish. When running with SELinux enabled I get all sorts of errors. For instance I'm not able to create the domain. I kind of like the concept of SELinux, and would like to be able to have SELinux enabled. I have the following requirements for the Glassfish server: Listening to port 8080 and 8081 Other ports 7676: JMS 8686: JMX monitoring, 4848: Admin console Forwarding from apache to Glassfish through mod_jk and port 8009 Starting OpenMQ as an separate process which listens to 7676 and it's JMX monitoring port 7776 Able to read and write files at a specified area (different from home directory) Able to use /tmp/ for temporary files I am aware of the audit2allow tool when running in permissive mode, but I struggle with understanding the rules that is generated from this tool, and thought that setting up these rule manually the first time would help me understand the SELinux rules better than the simplistic examples that I've seen so far. Can someone with SELinux experience help me form these SELinux rules with comments describing each part of the rules?

    Read the article

  • SeLinux blocking connection to sshd on Ubuntu 9.10

    - by Barton Chittenden
    When I try to log on to my laptop, which runs Ubuntu 9.10, the server rejects my login attempts. Checking /var/log/auth.log, I see the following: Feb 14 12:41:16 tiger-laptop sshd[6798]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for tiger I googled for this, and ran across the following: http://www.spinics.net/lists/fedora-.../msg13049.html Here's the part that I think relates to the problem that I'm having: Quote: What's wrong on my system? Why it's not possible to login even if selinux is in permissive mode? Any suggestions? I'd start by trying to figure out why sshd isn't running in sshd_t (it seems to be running in sysadm_t). Paul. selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mail...stinfo/selinux Yes, sshd is running in sysadm_t: ps axZ | grep sshd system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi ls -Z /usr/sbin/sshd system_ubject_r:sshd_exec_t /usr/sbin/sshd Don't know why it's not sshd_t. I didn't modified something. It's a standard installation of sles11 with the default reference policy from tresys. Maybe this code snippet from policy/modules/services/ssh.te is responsible for that: Allow ssh logins as sysadm_r:sysadm_t gen_tunable(ssh_sysadm_login, true) Any ideas? Do you have boolean init_upstart set to on? if not try setting it to on. I do not believe ssh_sysadm_login boolean works currently but i may be mistaken. -- Yeah, setting init_upstart to on did the trick! THANK A LOT! Do you know why this prevents the user from logging in through ssh even if selinux is set to permissive?? Ok, so the million dollar question is "where do I set 'init_upstart=1'"? It's not clear from context which configuration file needs to be edited, and I'm not at all familiar with SELinux configuration.

    Read the article

  • SeLinux blocking connection to sshd on Ubuntu 9.10

    - by Barton Chittenden
    When I try to log on to my laptop, which runs Ubuntu 9.10, the server rejects my login attempts. Checking /var/log/auth.log, I see the following: Feb 14 12:41:16 tiger-laptop sshd[6798]: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context for tiger I googled for this, and ran across the following: http://www.spinics.net/lists/fedora-.../msg13049.html Here's the part that I think relates to the problem that I'm having: Quote: What's wrong on my system? Why it's not possible to login even if selinux is in permissive mode? Any suggestions? I'd start by trying to figure out why sshd isn't running in sshd_t (it seems to be running in sysadm_t). Paul. selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mail...stinfo/selinux Yes, sshd is running in sysadm_t: ps axZ | grep sshd system_u:system_r:sysadm_t 3632 ? Ss 0:00 /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pi ls -Z /usr/sbin/sshd system_ubject_r:sshd_exec_t /usr/sbin/sshd Don't know why it's not sshd_t. I didn't modified something. It's a standard installation of sles11 with the default reference policy from tresys. Maybe this code snippet from policy/modules/services/ssh.te is responsible for that: Allow ssh logins as sysadm_r:sysadm_t gen_tunable(ssh_sysadm_login, true) Any ideas? Do you have boolean init_upstart set to on? if not try setting it to on. I do not believe ssh_sysadm_login boolean works currently but i may be mistaken. -- Yeah, setting init_upstart to on did the trick! THANK A LOT! Do you know why this prevents the user from logging in through ssh even if selinux is set to permissive?? Ok, so the million dollar question is "where do I set 'init_upstart=1'"? It's not clear from context which configuration file needs to be edited, and I'm not at all familiar with SELinux configuration.

    Read the article

  • Selinux interfering with vboxwebsrv or phpvirtualbox

    - by Mike W
    I have a brand new installation of Fedora 18, with a brand new installation of Virtualbox 4.2. I have spent a painful few hours trying to get phpVirtualBox working. Apache 2.4 and PHP 5.4 are installed, along with the phpVirtualBox software. Attempting to access phpVirtualBox allowed me to login, but then I'd have a prolonged wait until an 'Error fetching HTTP headers' message appeared. Finally, I set SeLinux to permissive, and Bingo! things start to work. For some reason the SeLinux Troubleshooter isn't flagging any messages from SeLinux, I don't know what to look for now. This is a development box so I could leave SeLinux set to permissive but I will need to make this work in anger on the next project. My question, then, is this: What changes to SeLinux policies do I need to make to allow phpVirtualBox and vboxwebsrv to work together? If there's more information I can post that will assist I'll gladly post it - just let me know what it is.

    Read the article

  • /usr/bin/install hangs, apparently due to SELinux

    - by Cooper
    I'm trying to use the GNU coreutils install utility, however it is hanging: /usr/bin/install -v test_file test_dir/ `test_file' -> `test_dir/test_file I see the same behavior whether I run as a normal user, or root/sudo. I ran an strace -f, and this is the end of the output: ... read(4, "<username>\t-d\tsystem_u:object_r:ho"..., 4096) = 2197 <0.000012> brk(0x6e3b1000) = 0x6e3b1000 <0.000009> mmap(NULL, 29138944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2abd831ae000 <0.000014> munmap(0x2abd815dd000, 29138944) = 0 <0.003466> The read() is reading from /etc/selinux/targeted/contexts/files/file_contexts.homedirs, apparently successfully. It appears that the process is hanging right after the munmap, but continues to eat 100% CPU. My two questions are: 1) Any good way to see what is going on with the process? I'm currently too lazy to compile a debug version of install I can run gdb on - but a strong suggestion in an answer here may motivate me to do so if needed. 2) Any idea what the SELinux issue could be? I'm not too familiar with SELinux. Additional info of possible relevance: # ls -Z drwxr-xr-x my_user 7001 user_u:object_r:user_home_t test_dir -rw-r--r-- my_user 7001 user_u:object_r:user_home_t test_file # id ... context=user_u:system_r:unconfined_t # uname -a Linux hostname 2.6.18-238.1.1.el5 #1 SMP Tue Jan 4 13:32:19 EST 2011 x86_64 x86_64 x86_64 GNU/Linux I am suspicious that SELinux + Quest Authentication Services (QAS) is causing the issue. QAS is generally well behaved, but it did cause the /etc/selinux/targeted/contexts/files/file_contexts.homedirs to get quite large (~18k users, @23 lines per user) Update: install -v -Z user_u:object_r:user_home_t file dir/ seems to work. Can anyone suggest why, given that SELinux is in permissive mode (see comments).

    Read the article

  • Does SELinux make Redhat more secure?

    - by vfclists
    Does SELinux make Redhat more secure? I can't remember the number of times when I have disabled SELinux because it kept frustrating my ability to get stuff running. Lots of times to there was no obvious reason why stuff wasn't working and I had to Google to discover why. Given that most casual users will disable or weaken security when it appears to get in the way, with the exclusion of serious, enterprisey Redhat users, is SELinux really useful? PS. Is there some tool that helps you log, track and manage SELinux issues across all applications? In spite of being an Ubuntu user I am a closet Fedora fan.

    Read the article

  • What's the correct SELinux type for a directory?

    - by unthar
    If I create a new filesystem/directory off of / and I set the Linux permissions to 770 I expect the group to be able to read and write files in that directory. SELinux was preventing me from doing this until I changed the SELinux type on that directory to public_content_rw_t. If this is just a directory in which users in that group will share files is this an acceptable SELinux type or should I be using another one? Writing a custom policy seems like overkill for these purposes. Thanks

    Read the article

  • SELinux - Allow multiple services access to same /home/dir

    - by Mike Purcell
    I currently have SELinux enabled and have been able to configure apache to allow access to /home/src/web with a chcon command granting the 'httpd_sys_content_t' type. But now I am trying to serve the rsyslogd.conf file from the same directory, but every time I start rsyslogd I see an entry in my audit log saying that rsyslogd was denied access. My question is, is it possible to grant two applications the ability to access the same directory, while still keeping SELinux enabled? Current perms on /home/src: drwxr-xr-x. src src unconfined_u:object_r:httpd_sys_content_t:s0 src Audit log message: type=AVC msg=audit(1349113476.272:1154): avc: denied { search } for pid=9975 comm="rsyslogd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1349113476.272:1154): arch=c000003e syscall=2 success=no exit=-13 a0=7f9ef0c027f5 a1=0 a2=1b6 a3=0 items=0 ppid=9974 pid=9975 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=30 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null) -- Edit -- Came across this post, which is sort of what I am trying to accomplish. However when I viewed the list of allowed sebool params, the only relating to syslog was: syslogd_disable_trans (SELinux Service Protection), seems like I can maintain the current SELinux 'type' on the /home/src/ dir, but set the bool on syslogd_disable_trans to false. I wonder if there is a better approach?

    Read the article

  • google sitemap generator installation selinux

    - by adnan
    when i trying to install google sitemap generator i received this error Change security context of to system_u:object_r:httpd_modules_t install: WARNING: ignoring --context (-Z); this kernel is not SELinux-enabled Program files successfully copied. ./install.sh: line 488: 14284 Segmentation fault "$DEST_DIR/$BIN_DIR/$DAEMON_BIN" update_setting $update_setting_flags "apache_conf=$APACHE_CONF" "apache_group=$APACHE_GROUP" > /dev/null after choosing the submiting file settings i tried to unistall it & excute this getenforce try again but the same problem when i enter this dir /etc/sysconfig/selinux. it is not contain the selinux file my os centos 6 X86_64

    Read the article

  • Can you give one directory two SELinux Policies?

    - by Mike
    Out of laziness I want to be able FTP into my WWW directory. However, the SELinux permissions for apache(user_u:object_r:httpd_sys_content_t) to be able to use the WWW directory and for the user(system_u:object_r:user_home_dir_t ) to use the WWW directory are different. Anyway, around this problem without disabling SELinux? Thanks.

    Read the article

  • SELinux blocking Samba directory listing

    - by Sean M
    I am running Samba on a CentOS server, and I am experiencing a problem where it allows me to connect to the server and see a share, but shows the share as an empty directory. I find this behavior strange. Here is the stanza in my smb.conf for the given share: [seanm] path = /home/seanm writeable = yes valid users = seanm, root read only = No Here's what I see on the server side: [seanm@server ~]$ ls -l -rw-r--r-- 1 seanm seanm 40 Jan 4 13:45 pangram.txt And yet: [seanm@client ~]$ smbclient //server/seanm -U seanm -W WORKGROUP Enter seanm's password: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.33-3.29.el5_5.1] smb: \> ls . D 0 Fri Jan 7 10:08:55 2011 .. D 0 Fri Jan 7 07:58:31 2011 58994 blocks of size 262144. 50356 blocks available This behavior is present on both a Windows client and a Linux client system. The behavior is present with the firewall on and with the firewall off, so it's not that. Neither /var/log/messages nor /var/log/secure have any complaints about Samba. I doubt that SELinux is a problem: just in case, here are the relevant settings. [root@server ~]# getsebool -a | grep samba samba_domain_controller --> off samba_enable_home_dirs --> on samba_export_all_ro --> off samba_export_all_rw --> off samba_share_fusefs --> off samba_share_nfs --> off use_samba_home_dirs --> on virt_use_samba --> off What am I doing wrong here, and what can I do to fix it? Edit: SELinux probably is the problem, judging by the fact that the issue goes away when I set SELinux to "permissive" or issue setsebool -P samba_export_all_rw on - both of which are unacceptable for production environments. What the heck kind of context does a directory need to have on it for Samba users to actually get files from it? I consider rolling your own rules and/or context to be deeply sub-optimal.

    Read the article

  • Is it a bad idea to run SELinux and AppArmor at the same time?

    - by jgbelacqua
    My corporate policy says that Linux boxes must be secured with SELinux (so that a security auditor can check the 'yes, we're extremely secure!' checkbox for each server). I had hoped to take advantage of Ubuntu's awesome default AppArmor security. Is it unwise to run both Apparmor and SELinux? (If so, can this bad idea be mitigated with some apparmor and/or selinux tweaks?) Update 1/28 -- Kees Cook has pointed out in his answer the dead simple reason why it's a bad idea to run both -- the Linux kernel says you can't1. [ 1 More precisely, the Linux Security Modules interface framework is designed for a single running implementation, and does not support more than a single running implementation. ] Update 1/27 -- I've accepted the answer from kenny.r , though I would be happier with some more technical reasons of why this would fail, or examples of actual conflicts that this would cause.

    Read the article

  • Question regarding the SELinux type enforcement file

    - by Luke Bibby
    In my SElinux te file, I define two new types called voice_t and data_t which certain directories will be classified in the fc file (/data/ will be of type data_t and /voice/ will be of type voice_t). I would like the one SELinux policy to be used for all servers in my network, but, some servers will log VoIP data and other servers will be used to log IP data. I only want the voice_t type to be defined on some servers and data_t to be defined on the others - is this possible? I have tried using an if statement with a boolean expression, and then defining the type when the condition is true but this does not seem to work (it tells me there is a syntax error at 'type data_t'' or 'type voice_t;'). Example: if (data_logger) { type data_t; } else { type voice_t; } Any help would be greatly appreciated. Cheers, Luke

    Read the article

1 2 3 4 5 6 7 8  | Next Page >