Re: [CentOS] No kernel-modules for 5.14.0-210 - Centos Stream 9 Vagrant Box

2022-12-14 Thread Daniel Hiller
Never mind, it just seemed to have healed itself :-/

On Wed, 14 Dec 2022 at 12:40, Daniel Hiller <
daniel.hiller.1...@gmail.com> wrote:

> Hi everyone,
>
> we are using
>
>
> https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-Vagrant-9-20221129.1.vagrant-libvirt.box
>
> together with
>
>
> http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/pxeboot/initrd.img
>
> http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/pxeboot/vmlinuz
>
> to create a VM inside a container. (Why we are doing this would be a
> longer story, BTW.)
>
> During the process of configuring the VM we are installing kernel-modules
>
> dnf install -y "kernel-modules-$(uname -r)"
>
> This has worked until around yesterday afternoon.
>
> Now it's failing with
>
> No match for argument: kernel-modules-5.14.0-210.el9.x86_64
> Error: Unable to find a match: kernel-modules-5.14.0-210.el9.x86_64
>
> What we noticed was that this occurred after the kernel had changed from
> 5.14.0-205. I suspect that this might be related to vmlinuz and/or
> initrd.img updates, since I've seen those having changed on 9th / 12th of
> Dec 2022.
>
> Does someone have an idea on how we can fix this in the short run? Or do
> we need to wait for "someone" to fix it, and who would that be?
>
> Thanks in advance,
> Daniel Hiller
>
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] No kernel-modules for 5.14.0-210 - Centos Stream 9 Vagrant Box

2022-12-14 Thread Daniel Hiller
Hi everyone,

we are using

https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-Vagrant-9-20221129.1.vagrant-libvirt.box

together with

http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/pxeboot/initrd.img
http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/pxeboot/vmlinuz

to create a VM inside a container. (Why we are doing this would be a longer
story, BTW.)

During the process of configuring the VM we are installing kernel-modules

dnf install -y "kernel-modules-$(uname -r)"

This has worked until around yesterday afternoon.

Now it's failing with

No match for argument: kernel-modules-5.14.0-210.el9.x86_64
Error: Unable to find a match: kernel-modules-5.14.0-210.el9.x86_64

What we noticed was that this occurred after the kernel had changed from
5.14.0-205. I suspect that this might be related to vmlinuz and/or
initrd.img updates, since I've seen those having changed on 9th / 12th of
Dec 2022.

Does someone have an idea on how we can fix this in the short run? Or do we
need to wait for "someone" to fix it, and who would that be?

Thanks in advance,
Daniel Hiller


[CentOS] unsubscribe

2020-12-08 Thread Daniel Worden
Could you please unsubscribe this email address. I was not aware of the volume 
of messages this would create and I would like to resubscribe using a different 
email address.

Thank you,
Daniel Worden


Re: [CentOS] Docker container isolation not working in CentOS 7

2020-08-11 Thread Daniel Walsh
On 8/10/20 11:33, Nicolas Kovacs wrote:
> On 10/08/2020 at 17:03, Roberto Ragusa wrote:
>> Where is your docker coming from?
> From the CentOS repository on Docker.com:
>
> $ head -n 7 /etc/yum.repos.d/docker-ce.repo
> [docker-ce-stable]
> name=Docker CE Stable - $basearch
> baseurl=https://download.docker.com/linux/centos/7/$basearch/stable
> enabled=1
> gpgcheck=1
> gpgkey=https://download.docker.com/linux/centos/gpg
>
> Nearly all the online tutorials and Docker documentation strongly suggest
> installing Docker CE from this source.
>
>
You might want to take a look at Podman while you are at it.



Re: [CentOS] Running CentOS 6 in a Docker container on a non-CentOS host

2020-03-10 Thread Daniel Walsh
On 3/10/20 04:31, Peter Kjellström wrote:
> On Mon, 9 Mar 2020 16:16:01 -0400
> Alfred von Campe  wrote:
>
>>> On Mar 5, 2020, at 6:05, Peter Kjellström wrote:
>>>
>>> You can use singularity. The following example makes an image by
>>> pulling from centos on dockerhub:  
>> Interesting!  However, I would prefer to use more “native” Docker
>> commands, as I would rather not have all developers install and
>> configure Singularity when they already have Docker installed on
>> their systems.
> Docker could pull from the same dockerhub url as singularity. I just
> used singularity in my example because that's what I use and know. Its
> main advantage is the no-root-required part.
>
> /Peter

You could always use podman and get the best of both worlds.



Re: [CentOS] Good wifi NIC?

2020-01-22 Thread Daniel Abad Abanades
Hi Jeff,

May I ask whether you have used this very same NIC successfully with CentOS 7?

Cheers,
Daniel


From: CentOS [centos-boun...@centos.org] on behalf of Jeffrey Layton 
[layto...@gmail.com]
Sent: Wednesday, 22 January 2020 15:13
To: centos@centos.org
Subject: [CentOS] Good wifi NIC?

Good morning,

I'm looking for a good USB Wifi NIC that will work with the kernel modules
for a stock CentOS 8.1. I have an ALFA AWUS036ACH NIC but it looks like the
drivers need to be compiled for the kernel and I'm having trouble with that.
So I'd like something that works, but not necessarily high performing, so I
can build the drivers for the ALFA NIC.

Thanks!

Jeff


Re: [CentOS] using RedHat binary packages?

2019-07-03 Thread Daniel Pacek
some light reading 
https://www.redhat.com/licenses/Appendix_1_Global_English_20190625.pdf


Dan Pacek




> On Jul 3, 2019, at 11:11 AM, Mark Rousell  wrote:
> 
> On 03/07/2019 15:58, Valeri Galtsev wrote:
>> RHEL binary packages are only available to paid customers who are explicitly 
>> prohibited to redistribute them.
> 
> For the sake of completeness, not everyone with legitimate access to
> RHEL binaries is necessarily a *paid* customer. Red Hat provides a free
> dev licence so anyone can legitimately access RHEL binaries (and source
> RPMs of course) for free, although the use to which one may put the
> binaries is limited by the licence.
> 
> 
> -- 
> Mark Rousell
> 
> 
> 
> 



[CentOS] Own CentOS MirrorList

2019-06-10 Thread Daniel Watson
Hi Guys

Apologies in advance for the noise.

I am interested in setting up my OWN mirrorlist, like 
http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock, where 
it pulls a few local mirrors, but mine would be statically set with 3 or 4 
different location URLs.

Basically my plan here is: if the closest mirror I operate cannot be reached, 
it will try another mirror from a different geographic location.

I was wondering if anybody on-list might be able to provide some insight on how 
I can accomplish this? And use ?release=, &arch= and &repo=?

Any assistance would be greatly appreciated.

Cheers

D 

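An added example, not from the thread or the CentOS project, of the static mirrorlist responder Daniel describes: a small CGI-style shell script that validates release, arch and repo against allowlists before they are echoed into a URL, and returns the operator's mirrors in fallback order using the same /RELEASE/REPO/ARCH/ layout that mirrorlist.centos.org returns. The mirror hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a static mirrorlist responder in the
# style of mirrorlist.centos.org, run as a CGI script behind any web server.
# yum/dnf try the returned URLs in order, so list the closest mirror first.
# All mirror hostnames below are constructed placeholders.

MIRRORS="https://mirror-eu.example.org/centos
https://mirror-us.example.org/centos
https://mirror-ap.example.org/centos"

# Allowlists: only values listed here are ever echoed back into a URL.
ALLOWED_RELEASES="6 7 8"
ALLOWED_ARCHES="x86_64 i386 aarch64"
ALLOWED_REPOS="os updates extras centosplus"

in_list() {
    # in_list VALUE LIST -> 0 if VALUE is one of the words in LIST
    for w in $2; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

query_param() {
    # query_param NAME QUERY_STRING -> value of NAME, empty if absent.
    # Splitting on '&' first means a value can never carry a second parameter.
    printf '%s\n' "$2" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
}

mirrorlist() {
    # mirrorlist RELEASE ARCH REPO -> one base URL per mirror, in fallback
    # order; prints nothing and returns 1 if any parameter is not allowlisted.
    release=$1; arch=$2; repo=$3
    in_list "$release" "$ALLOWED_RELEASES" || return 1
    in_list "$arch" "$ALLOWED_ARCHES" || return 1
    in_list "$repo" "$ALLOWED_REPOS" || return 1
    printf '%s\n' "$MIRRORS" | while read -r base; do
        printf '%s/%s/%s/%s/\n' "$base" "$release" "$repo" "$arch"
    done
}

mirrorlist_cgi() {
    # mirrorlist_cgi QUERY_STRING -> complete CGI response; 400 on bad input.
    # Extra parameters such as infra=stock are accepted and ignored.
    qs=$1
    body=$(mirrorlist "$(query_param release "$qs")" \
                      "$(query_param arch "$qs")" \
                      "$(query_param repo "$qs")") || {
        printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad parameters\n'
        return 1
    }
    printf 'Content-Type: text/plain\r\n\r\n%s\n' "$body"
}

# When invoked as a CGI script the web server supplies QUERY_STRING.
if [ -n "${QUERY_STRING:-}" ]; then
    mirrorlist_cgi "$QUERY_STRING"
fi
```

Point a yum repo file at it with `mirrorlist=https://your-host/cgi-bin/mirrorlist?release=$releasever&arch=$basearch&repo=os` (hostname assumed); the client keeps the order returned and moves to the next URL when the first fails.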


Re: [CentOS] Docker on Centos 7

2019-01-05 Thread Daniel Walsh
On 1/4/19 9:50 PM, H wrote:
> On 01/04/2019 09:16 PM, H wrote:
>> On 01/04/2019 08:27 AM, Daniel Walsh wrote:
>>> On 1/4/19 8:22 AM, Daniel Walsh wrote:
>>>> On 1/3/19 10:19 PM, H wrote:
>>>>> I recently updated docker to version 18.09 and I seem to have lost the 
>>>>> container id in the command prompt when I exec into a running container, 
>>>>> a very useful feature in the previous version I was running. I have not 
>>>>> found any information in the Docker General Forum.
>>>>>
>>>>> Has anyone else seen this?
>>>>>
>>>> Most likely you had hostname set in the bash prompt.  By default
>>>> containers run with the hostname=containerid.
>>>>
>>>>
>>>> # podman run -v /usr/bin/hostname:/usr/bin/hostname -ti fedora hostname
>>>> 3ac978bc84be
>>>>
>>>>
>>>> PS1="\h$ " should give you what you want:
>>>>
>>>> # podman run -ti fedora sh
>>>> sh-4.4# PS1="\h# "
>>>> 9007d2f699fb# exit
>>>> #
>>>>
>>>> But I think this would need to be added to the .bashrc or .bash_profile
>>>> inside of the container image you are running.
>>> Also if you execute sh -l instead of sh, it will do what you want.
>>>
>>>
>>> podman run -ti fedora sh -l
>>> [root@81674750cd2a /]#
>>> [root@81674750cd2a /]# exit
>>>
>>>
>> But when/why did this change? Is there a change in docker that resulted in 
>> this? Or was it the latest update to CentOS 7?
>>
>> I have not made any changes otherwise.
>>
> I should have added that I do not use podman to run my docker containers.
>

I don't think this is a change in either podman or docker.  There might
have been a change in the container image that you were running and
seeing this behavior.  Perhaps the centos image was set up to do this
automatically.

BTW, Podman and Docker run the same containers, i.e. any container image
stored at any container registry (docker.io, quay.io,
registry.centos.org, ...).






Re: [CentOS] Docker on Centos 7

2019-01-04 Thread Daniel Walsh
On 1/4/19 8:22 AM, Daniel Walsh wrote:
> On 1/3/19 10:19 PM, H wrote:
>> I recently updated docker to version 18.09 and I seem to have lost the 
>> container id in the command prompt when I exec into a running container, a 
>> very useful feature in the previous version I was running. I have not found 
>> any information in the Docker General Forum.
>>
>> Has anyone else seen this?
>>
>
> Most likely you had hostname set in the bash prompt.  By default
> containers run with the hostname=containerid.
>
>
> # podman run -v /usr/bin/hostname:/usr/bin/hostname -ti fedora hostname
> 3ac978bc84be
>
>
> PS1="\h$ " should give you what you want:
>
> # podman run -ti fedora sh
> sh-4.4# PS1="\h# "
> 9007d2f699fb# exit
> #
>
> But I think this would need to be added to the .bashrc or .bash_profile
> inside of the container image you are running.

Also if you execute sh -l instead of sh, it will do what you want.


podman run -ti fedora sh -l
[root@81674750cd2a /]#
[root@81674750cd2a /]# exit




Re: [CentOS] Docker on Centos 7

2019-01-04 Thread Daniel Walsh
On 1/3/19 10:19 PM, H wrote:
> I recently updated docker to version 18.09 and I seem to have lost the 
> container id in the command prompt when I exec into a running container, a 
> very useful feature in the previous version I was running. I have not found 
> any information in the Docker General Forum.
>
> Has anyone else seen this?
>

Most likely you had hostname set in the bash prompt.  By default
containers run with the hostname=containerid.


# podman run -v /usr/bin/hostname:/usr/bin/hostname -ti fedora hostname
3ac978bc84be


PS1="\h$ " should give you what you want:

# podman run -ti fedora sh
sh-4.4# PS1="\h# "
9007d2f699fb# exit
#

But I think this would need to be added to the .bashrc or .bash_profile
inside of the container image you are running.



Re: [CentOS] centos docker which repo (centos or docker)

2018-12-28 Thread Daniel Walsh
On 12/27/18 6:48 AM, Yamaban wrote:
> On Thu, 27 Dec 2018 11:56 CET, ralf.prengel@... wrote:
> 
>> My question:
>>
>> Should I use docker from the standard repo or the version from the
>> docker-repo?
>
> Main diff between std-repo and docker-repo:
>
> std-repo:
>    works. stable. not the newest, shiniest version, but one that works.
>
> docker-repo:
>    works most of the time mostly, sometimes has an erratic or memory-eating
>    behavior, the newest, most feature-rich, shiniest version, with all the
>    bugs of new-new-new.
>
> It's a matter of choose your poison. If you are happy with the features
> of the std-repo version, imho stay with it.
>
> That's my exp. Yours may differ. Others should speak up, too, please.
>
>  - Yamaban.

You could also take a look at `podman`, a daemonless alternative to
Docker.



Re: [CentOS] Centos7 & Selinux & Tor

2018-10-23 Thread Daniel Walsh
On 10/23/18 2:49 PM, Robin Lee wrote:
> On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote:
>> I've just encountered a problem starting tor. When I do 'systemctl
>> start tor' it fails and I get selinux errors in the log. There was
>> suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'.
>> Which I did and it gave the following
>>
>> type=PROCTITLE msg=audit(1539540150.692:60570):
>> proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F64656661756C74732D746F727263002D66002F6574632F746F722F746F727263002D2D7665726966792D636F6E666967
>>
>> type=PATH msg=audit(1539540150.692:60570): item=0
>> name="/var/lib/tor/hidden_service/" inode=201616393 dev=fd:02
>> mode=040700 ouid=494 ogid=490 rdev=00:00
>> obj=system_u:object_r:tor_var_lib_t:s0 objtype=NORMAL
>> cap_fp= cap_fi= cap_fe=0 cap_fver=0
>>
>> type=CWD msg=audit(1539540150.692:60570):  cwd="/"
>>
>> type=SYSCALL msg=audit(1539540150.692:60570): arch=c03e syscall=2
>> success=no exit=-13 a0=562d3767da80 a1=2 a2=0 a3=1 items=1 ppid=1
>> pid=18283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tor"
>> exe="/usr/bin/tor"
>> subj=system_u:system_r:tor_t:s0 key=(null)
>>
>> type=AVC msg=audit(1539540150.692:60570): avc:  denied  {
>> dac_read_search } for  pid=18283 comm="tor"
>> capability=2  scontext=system_u:system_r:tor_t:s0
>> tcontext=system_u:system_r:tor_t:s0 tclass=capability
>>
>> type=AVC msg=audit(1539540150.692:60570): avc:  denied  {
>> dac_override
>> } for  pid=18283 comm="tor"
>> capability=1  scontext=system_u:system_r:tor_t:s0
>> tcontext=system_u:system_r:tor_t:s0 tclass=capability
>>
>> So I had a look at the permissions for /var/lib/tor/hidden_service/ and
>> they were
>>
>> drwx------. toranon toranon system_u:object_r:tor_var_lib_t:s0 hidden_service
> Still trying to figure out this selinux issue :( 
>
> Perhaps somebody could point me to the best mailing list/forum/tracker
> for this kind of issue?
Most likely this is tor running as root and trying to access this file.
> Cheers
> Robin
>




Re: [CentOS] Type enforcement / mechanism not clear

2018-09-10 Thread Daniel Walsh

On 09/10/2018 09:41 AM, Leon Fauster via CentOS wrote:

Am 09.09.2018 um 16:19 schrieb Daniel Walsh :

On 09/09/2018 09:43 AM, Leon Fauster via CentOS wrote:

Am 09.09.2018 um 14:49 schrieb Daniel Walsh :

On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:

Any SElinux expert here - briefly:

# getenforce
Enforcing

# sesearch -ACR -s httpd_t  -c file -p read |grep system_conf_t


# sesearch -ACR -s httpd_t  -c file -p read |grep syslog_conf_t


# ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf

# ausearch -m avc --start recent
type=SYSCALL msg=audit(1536457230.922:85): arch=c03e syscall=6 success=no exit=-13 
a0=7fff6460dcf0 a1=7fff6460dbe0 a2=7fff6460dbe0 a3=11 items=0 ppid=1362 pid=1364 auid=4294967295 
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 
comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 
key=(null)
type=AVC msg=audit(1536457230.922:85): avc:  denied  { getattr } for  pid=1364 
comm="php-fpm" path="/etc/rsyslog.conf" dev=dm-0 ino=138287 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file


My test PHP script can read /etc/sysctl.conf but not /etc/rsyslog.conf. For both,
no rules are found (sesearch above). So why can the script read sysctl.conf?


Because almost no apache servers would normally be walking through /etc reading
configuration files.  Do your scripts actually need to read these config files?


Normally, sure - but a malicious developer (or attacker) will do. So, I'm 
evaluating different approaches to secure our platform. It's possible to limit 
fs access in PHP but this comes with a massive performance penalty.

Well, I do not want to discuss that all "etc_t" files can be read, but why can
sysctl.conf with the "system_conf_t" type be read where it shouldn't??

Any pointer would be greatly appreciated.


We allow apache and all domains to read all of what we define as 
base_ro_file_type types.

sesearch -A -s httpd_t -t system_conf_t -p read
allow domain base_ro_file_type:dir { getattr ioctl lock open read search };
allow domain base_ro_file_type:file { getattr ioctl lock open read };
allow domain base_ro_file_type:lnk_file { getattr read };
allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl 
lock map open read };


The base_ro_file_types are files and executables that we consider part of the OS.  
So reading them should not reveal secrets.



Thanks for the pointer. Puuh, this gets very layered but the big picture on the 
other side gets more clear

So, to get a list of files that are allowed to be read, the masking attributes 
must be resolved:

# sesearch -ACR -s httpd_t  -p read | grep -v "_t " | head -7

You could add a -c file to the above to only look at `class files`

Found 694 semantic av rules:
allow domain tmpfile : file { ioctl read getattr lock append } ;
allow domain configfile : file { ioctl read getattr lock open } ;
allow domain configfile : dir { ioctl read getattr lock search open } ;
allow domain configfile : lnk_file { read getattr } ;
allow domain rpm_transition_domain : fifo_file { ioctl read write getattr 
lock append } ;
allow domain base_ro_file_type : file { ioctl read getattr lock open } ;


Looking for sysctl.conf's type :

# for m in tmpfile configfile rpm_transition_domain base_ro_file_type ; do echo 
${m}:$(seinfo -a${m} -x |grep system_conf_t) ; done
tmpfile:
configfile: system_conf_t
rpm_transition_domain:
base_ro_file_type: system_conf_t


If the output of sesearch shows the preferred order, then the "configfile" 
attribute is what actually allows the access??




If you feel that these files should not be part of the base_ro_files then we 
should open that for discussion.

Despite this concrete case, a good practice is the one that follows the "need to 
know" principle.
I will "disable" some read access here locally and accumulate some experience 
with this approach.

--
LF
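As an added example (not from the thread), the attribute resolution Leon runs by hand in the for loop above, written as shell functions: one parses sesearch output for the attribute targets of rules granting a permission, one parses `seinfo -a<attr> -x` output for an attribute's members, and a resolver joins the two. `sesearch_text` and `seinfo_text` return constructed samples in the output formats shown in the thread; the real commands they stand in for are noted inside each function.

```shell
#!/bin/sh
# Added example (not from the thread): resolve which attributes let a domain
# reach a type, the lookup done by hand in the thread above. The two *_text
# functions return constructed samples; replace their bodies with the real
# commands noted in the comments to run this against the live policy.

sesearch_text() {
    # sesearch_text DOMAIN CLASS PERM; live version would be
    #   sesearch -A -C -s "$1" -c "$2" -p "$3"
    # Constructed sample matching the thread: httpd_t reaches system_conf_t
    # only through attributes, never through a rule that names the type.
    cat <<'EOF'
Found 694 semantic av rules:
allow domain tmpfile : file { ioctl read getattr lock append } ;
allow domain configfile : file { ioctl read getattr lock open } ;
allow domain configfile : dir { ioctl read getattr lock search open } ;
allow domain base_ro_file_type : file { ioctl read getattr lock open } ;
allow httpd_t httpd_config_t : file { ioctl read getattr lock open } ;
EOF
}

seinfo_text() {
    # seinfo_text ATTR; live version would be  seinfo -a"$1" -x
    # Constructed sample: the attribute name, then its member types indented.
    case "$1" in
        configfile)        printf '   configfile\n      system_conf_t\n      httpd_config_t\n' ;;
        base_ro_file_type) printf '   base_ro_file_type\n      system_conf_t\n      bin_t\n' ;;
        *)                 printf '   %s\n' "$1" ;;
    esac
}

attribute_targets() {
    # attribute_targets CLASS PERM <sesearch text on stdin> -> distinct target
    # names that are attributes (reference-policy types end in _t, attributes
    # do not) in allow rules on CLASS whose permission set includes PERM.
    awk -v cls="$1" -v perm="$2" '
        $1 == "allow" && $5 == cls {
            for (i = 6; i <= NF; i++) if ($i == perm && $3 !~ /_t$/) print $3
        }' | sort -u
}

attribute_members() {
    # attribute_members ATTR <seinfo text on stdin> -> the member types
    awk -v attr="$1" 'NF == 1 && $1 == attr { inside = 1; next }
                      inside && NF == 1 { print $1 }'
}

grants_via() {
    # grants_via DOMAIN TYPE CLASS PERM -> each attribute through which
    # DOMAIN is allowed PERM on CLASS objects labelled TYPE
    sesearch_text "$1" "$3" "$4" | attribute_targets "$3" "$4" | while read -r attr; do
        if seinfo_text "$attr" | attribute_members "$attr" | grep -qx "$2"; then
            echo "$attr"
        fi
    done
}

# Which attributes let httpd_t read system_conf_t files?
grants_via httpd_t system_conf_t file read
```

With the samples it prints base_ro_file_type and configfile, matching what Leon found; run against a live policy, an empty result for a type means no attribute grants the access either, which is the situation the rsyslog.conf denial shows.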


Re: [CentOS] Type enforcement / mechanism not clear

2018-09-09 Thread Daniel Walsh

On 09/09/2018 09:43 AM, Leon Fauster via CentOS wrote:

Am 09.09.2018 um 14:49 schrieb Daniel Walsh :

On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:

Any SElinux expert here - briefly:

# getenforce
Enforcing

# sesearch -ACR -s httpd_t  -c file -p read |grep system_conf_t


# sesearch -ACR -s httpd_t  -c file -p read |grep syslog_conf_t


# ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf

# ausearch -m avc --start recent
type=SYSCALL msg=audit(1536457230.922:85): arch=c03e syscall=6 success=no exit=-13 
a0=7fff6460dcf0 a1=7fff6460dbe0 a2=7fff6460dbe0 a3=11 items=0 ppid=1362 pid=1364 auid=4294967295 
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 
comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 
key=(null)
type=AVC msg=audit(1536457230.922:85): avc:  denied  { getattr } for  pid=1364 
comm="php-fpm" path="/etc/rsyslog.conf" dev=dm-0 ino=138287 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file


My test PHP script can read /etc/sysctl.conf but not /etc/rsyslog.conf. For both,
no rules are found (sesearch above). So why can the script read sysctl.conf?


Because almost no apache servers would normally be walking through /etc reading
configuration files.  Do your scripts actually need to read these config files?



Normally, sure - but a malicious developer (or attacker) will do. So, I'm 
evaluating different approaches to secure our platform. It's possible to limit 
fs access in PHP but this comes with a massive performance penalty.

Well, I do not want to discuss that all "etc_t" files can be read, but why can
sysctl.conf with the "system_conf_t" type be read where it shouldn't??

Any pointer would be greatly appreciated.

--
LF




We allow apache and all domains to read all of what we define as 
base_ro_file_type types.


sesearch -A -s httpd_t -t system_conf_t -p read
allow domain base_ro_file_type:dir { getattr ioctl lock open read search };
allow domain base_ro_file_type:file { getattr ioctl lock open read };
allow domain base_ro_file_type:lnk_file { getattr read };
allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr 
ioctl lock map open read };



The base_ro_file_types are files and executables that we consider part of 
the OS.  So reading them should not reveal secrets.  If you feel that 
these files should not be part of the base_ro_files then we should open 
that for discussion.




Re: [CentOS] Type enforcement / mechanism not clear

2018-09-09 Thread Daniel Walsh

On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:

Any SElinux expert here - briefly:


# getenforce
Enforcing

# sesearch -ACR -s httpd_t  -c file -p read |grep system_conf_t


# sesearch -ACR -s httpd_t  -c file -p read |grep syslog_conf_t


# ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf

# ausearch -m avc --start recent
type=SYSCALL msg=audit(1536457230.922:85): arch=c03e syscall=6 success=no exit=-13 
a0=7fff6460dcf0 a1=7fff6460dbe0 a2=7fff6460dbe0 a3=11 items=0 ppid=1362 pid=1364 auid=4294967295 
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 
comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 
key=(null)
type=AVC msg=audit(1536457230.922:85): avc:  denied  { getattr } for  pid=1364 
comm="php-fpm" path="/etc/rsyslog.conf" dev=dm-0 ino=138287 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file


My test PHP script can read /etc/sysctl.conf but not /etc/rsyslog.conf. For both,
no rules are found (sesearch above). So why can the script read sysctl.conf?

--
Thanks,
LF


Because almost no apache servers would normally be walking through /etc 
reading configuration files.  Do your scripts actually need to read these 
config files?




Re: [CentOS] selinux question

2018-08-21 Thread Daniel Walsh

On 08/21/2018 12:27 PM, Nataraj wrote:

I have a web application which uses sudo to invoke python scripts as the
user under which the application runs (NO root access).  Is there any
reason why sudo would would require sys_ptrace access for this?  I only
get this violation intermittenly, and not with every call to sudo.
Here's the violation:
Most likely you can just dontaudit this access.  sys_ptrace is often 
caused by processes trying to read content in /proc.

Summary:

SELinux is preventing sudo (httpd_t) "sys_ptrace" to  (httpd_t).

Detailed Description:

SELinux denied access requested by sudo. It is not expected that this access is
required by sudo and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context        system_u:system_r:httpd_t
Target Context        system_u:system_r:httpd_t
Target Objects        None [ capability ]
Source                sudo
Source Path           /usr/bin/sudo
Port                  
Host                  myhost.mydomain.com
Source RPM Packages   sudo-1.7.2p1-29.el5_10
Target RPM Packages   
Policy RPM            selinux-policy-2.4.6-351.el5
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             myhost.mydomain.com
Platform              Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP Fri Feb
                      24 22:06:09 UTC 2017 i686 i686
Alert Count           359
First Seen            Tue Oct  8 09:24:50 2013
Last Seen             Tue Aug 21 10:26:26 2018
Local ID              717eb9a4-cc7f-4ed1-b638-5db1a841abe4
Line Numbers          

Raw Audit Messages

host=myhost.mydomain.com type=AVC msg=audit(1534872386.726:9642): avc:  denied  { 
sys_ptrace } for  pid=8458 comm="sudo" capability=19 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 
tclass=capability

host=myhost.mydomain.com type=SYSCALL msg=audit(1534872386.726:9642): arch=4003 syscall=3 
success=yes exit=166 a0=1a a1=b7ff4000 a2=400 a3=89cabf0 items=0 ppid=8979 pid=8458 auid=4294967295 
uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 
comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_t:s0 key=(null)


Thank You,

Nataraj






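As an added example (not from the thread), the dontaudit route Dan suggests, packaged as a local policy module generated and loaded from shell. dontaudit grants nothing; it only stops the denial from being logged, which is the right tool when the access is known to be harmless noise. The module name and working directory are made up for the example; the build uses the standard checkmodule, semodule_package and semodule sequence and needs root.

```shell
#!/bin/sh
# Added example (not from the thread): silence the sys_ptrace capability
# denial for httpd_t with a local dontaudit module rather than an allow rule.
# MODULE_NAME and the default working directory are made up for this example.

MODULE_NAME=local_httpd_noptrace

valid_ident() {
    # valid_ident NAME -> 0 if NAME is a plain policy identifier. Anything
    # else is rejected so the generated source cannot carry extra rules.
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

policy_module_text() {
    # policy_module_text DOMAIN PERM -> .te source that dontaudits one
    # capability check for DOMAIN on itself (scontext == tcontext in the AVC).
    valid_ident "$1" && valid_ident "$2" || return 1
    cat <<EOF
module $MODULE_NAME 1.0;

require {
    type $1;
    class capability $2;
}

# Stop logging the denial; $1 still cannot use $2.
dontaudit $1 self:capability $2;
EOF
}

build_and_load() {
    # build_and_load DOMAIN PERM [WORKDIR]: compile and load the module.
    # Needs checkmodule and semodule_package (checkpolicy, policycoreutils)
    # and root. `semodule -r $MODULE_NAME` removes it again, and
    # `semodule -DB` temporarily rebuilds policy with dontaudit rules
    # disabled so the hidden denials can be reviewed.
    workdir=${3:-/tmp}
    policy_module_text "$1" "$2" > "$workdir/$MODULE_NAME.te" || return 1
    checkmodule -M -m -o "$workdir/$MODULE_NAME.mod" "$workdir/$MODULE_NAME.te" &&
    semodule_package -o "$workdir/$MODULE_NAME.pp" -m "$workdir/$MODULE_NAME.mod" &&
    semodule -i "$workdir/$MODULE_NAME.pp"
}

# Print the source that build_and_load would compile for the denial above.
policy_module_text httpd_t sys_ptrace
```

Before loading, confirm that the denied access really is intermittent /proc reading as Dan describes, since a dontaudit rule also hides the same denial if it ever comes from something that should be investigated.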


Re: [CentOS] Unable to access network from docker container

2018-04-07 Thread Daniel Walsh

On 04/06/2018 03:50 PM, H wrote:

On April 5, 2018 4:49:57 PM EDT, H  wrote:

I have recently installed docker and playing around with it. On a
CentOS 7 machine, however, I am unable to get access to the outside
internet, thus yum ... fails. The host machine runs fine.

I am wondering if there are some networking setting on the host I need
to modify to allow the docker container to connect to the outside?


Resolved the issue by rebooting the computer but had to do that again later 
today. Does anyone have experience with docker under Centos 7?


Lots of people have experience, and it works well.  I believe the issue 
you are seeing is that the firewall rules are being modified and 
something is removing the rule that Docker adds to allow containers to 
use the host machine's network interface.  When you reboot and restart 
the Docker daemon and the container, the network is correct again, but 
some tool (firewalld) or something else is mucking around with the iptables.


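An added example, not from the thread: a check for the iptables rules Docker installs for its default bridge, so a firewalld reload that flushed them is detected rather than guessed at. It reads a ruleset in iptables-save format on stdin, so it runs against the live host (`iptables-save | docker_rules_missing`) or a saved copy. Both sample rulesets are constructed; the bridge name and subnet are Docker's defaults and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the rules Docker adds for
# its default bridge are still in the kernel tables. Reads iptables-save
# output on stdin. Both rulesets below are constructed samples.

BRIDGE=${BRIDGE:-docker0}
SUBNET=${SUBNET:-172.17.0.0/16}

# Constructed sample: what a healthy host shows (abridged) ...
HEALTHY_RULES='*nat
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT'
# ... and the same host after something flushed the tables.
FLUSHED_RULES='*nat
COMMIT
*filter
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

docker_rules_missing() {
    # Prints each expected rule that is absent from the ruleset on stdin.
    # Returns 0 when containers have an outbound path through the bridge,
    # 1 when at least one of the three rules is gone.
    rules=$(cat)
    missing=0
    for want in \
        "-A POSTROUTING -s $SUBNET ! -o $BRIDGE -j MASQUERADE" \
        "-A FORWARD -o $BRIDGE -j DOCKER" \
        "-A FORWARD -i $BRIDGE ! -o $BRIDGE -j ACCEPT"
    do
        # -x: whole-line match, -F: no regex interpretation of the rule text
        if ! printf '%s\n' "$rules" | grep -qxF -- "$want"; then
            printf 'missing: %s\n' "$want"
            missing=1
        fi
    done
    return $missing
}

# Demonstration on the constructed samples. On a real host, restarting the
# docker service recreates the rules; the lasting fix is to stop the firewall
# tooling from flushing them on reload.
printf '%s\n' "$HEALTHY_RULES" | docker_rules_missing && echo "healthy ruleset: ok"
printf '%s\n' "$FLUSHED_RULES" | docker_rules_missing || echo "flushed ruleset: containers have no outbound path"
```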


Re: [CentOS] more selinux problems ...

2017-09-24 Thread Daniel Walsh

On 09/23/2017 08:37 AM, hw wrote:


Hi,

how do I allow lighttpd access to a directory like this:

dr-xrwxr-x. lighttpd example unconfined_u:object_r:samba_share_t:s0 files_articles


I tried to create and install a selinux module, and it didn't work.
The non-working module cannot be removed, either:

semodule -r lighttpd-files_articles.pp
libsemanage.semanage_direct_remove_key: Unable to remove module 
lighttpd-files_articles.pp at priority 400. (No such file or directory).

semodule:  Failed!


Currently, only read access is required.  Write access may be
required later.


type=AVC msg=audit(1506168999.456:2350): avc:  denied  { getattr } 
for  pid=28956 comm="lighttpd" 
path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" 
dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1506168999.456:2350): arch=c03e syscall=4 
success=yes exit=0 a0=55eea817ec80 a1=7ffe668ef300 a2=7ffe668ef300 
a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 
gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 
tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" 
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1506168999.456:2351): avc:  denied  { open } for  
pid=28956 comm="lighttpd" 
path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" 
dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1506168999.456:2351): arch=c03e syscall=2 
success=yes exit=9 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef270 items=0 
ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 
fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 
comm="lighttpd" exe="/usr/sbin/lighttpd" 
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1506168723.591:2342): avc:  denied  { read } for  
pid=28956 comm="lighttpd" name="C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" 
dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1506168723.591:2342): arch=c03e syscall=2 
success=no exit=-13 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef2a0 items=0 
ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 
fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 
comm="lighttpd" exe="/usr/sbin/lighttpd" 
subj=system_u:system_r:httpd_t:s0 key=(null)



Why isn't there a simple way to allow access to files as needed?
Being like this, selinux is entirely unmanageable.  Does it even do
any more good than it keeps getting in the way?


SELinux is a labelling system: every process has a label, every object 
on the system has a label.  There are rules in the kernel that allow 
access between process labels and system object labels, and the kernel 
enforces the rules.


Some how this content on your system. /srv/data/files_articles, got 
labeled as samba content (samba_share_t). Now you want to share it via 
lighthttp (httpd_t).  If this content is only to be shared via 
lighthttpd, you would need to set the label to something that httpd_t 
can read.


man http_selinux (selinux-policy-docs rpm)

Will show you the labels.

httpd_sys_content_t is the usually type for httpd read only content.  
httpd_sys_content_rw_t is the type for read/write content.There are 
commands in the man page that explain how to change the default labels.


If you need to share this content via httpd and samba there are a couple 
of label types public_content_t, which allow you to share content with 
multiple services.  Also explained in the man page.



audit2allow is usually a secondary thing to use when there is no way to 
allow access.



http://danwalsh.livejournal.com/30837.html





Re: [CentOS] selinux prevents lighttpd from printing

2017-09-22 Thread Daniel Walsh

On 09/22/2017 08:24 AM, hw wrote:

Daniel Walsh wrote:



First thing to enable httpd to send mail, you can turn on the send 
mail boolean.


# setsebool -P httpd_can_sendmail 1


Oh I looked at these variables and somehow didn´t see it.


The ability to print you would need to add custom rules.

# grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint

# semodule -i myprint.pp

If you get another failure on lpr, you might have to run these
commands a couple of times.


Thank you very much!  Both problems are now fixed :)

However:

grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint
could not open inter

Re: [CentOS] selinux prevents lighttpd from printing

2017-09-22 Thread Daniel Walsh

On 09/22/2017 06:58 AM, hw wrote:


PS: Now I found this:


type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : 
proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 
syscall=setgroups success=no exit=EPERM(Operation not permitted) 
a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 
pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root 
fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) 
ses=unset comm=sendmail exe=/usr/sbin/exim 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc:  denied  { 
setgid } for  pid=19418 comm=sendmail capability=setgid 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability


type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 
syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 
a3=0x9 items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd 
gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd 
sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=lpr 
exe=/usr/bin/lpr.cups subj=system_u:system_r:httpd_sys_script_t:s0 
key=(null)
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { 
open } for  pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" 
ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { 
read } for  pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file



So I can see that sending email and printing was denied -- which I already
found out --- and I don't have any idea how to allow it.


hw wrote:

Johnny Hughes wrote:

On 09/20/2017 07:19 AM, hw wrote:

hw wrote:


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer
some-file.pdf') when lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing,
the printer does not print, and I'm getting the log message
'/bin/lpr: Permission denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out
to be responsible for this.

Any idea what I need to do/change to allow printing without disabling
selinux?


Nobody knows?



Look in your audit logs while in permissive mode and you should see the
issue in there, the wiki has details:

https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b 



Thanks!  I'm guessing I'm supposed to use ausearch to search for
something, and I don't know what to search for.

So far, lighttpd can not print and can not send emails (using
MIME::Lite) unless selinux is permissive.  Using

'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'

I only get


type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : 
proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 
syscall=open success=no exit=EACCES(Permission denied) 
a0=0x559fc8094740 
a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 
items=0 ppid=1 pid=14081 auid=unset uid=root gid=root euid=root 
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) 
ses=unset comm=lighttpd exe=/usr/sbin/lighttpd 
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc:  denied { 
write } for  pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir



Any idea what I would need to search for, or how to figure out what I
would need to allow?




The first thing: to enable httpd to send mail, you can turn on the send
mail boolean.


# setsebool -P httpd_can_sendmail 1

For the ability to print you would need to add custom rules.

# grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint

# semodule -i myprint.pp

If you get another failure on lpr, you might have to run these commands
a couple of times.



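The two replies from Dan Walsh in these threads (relabel your own content in the samba_share_t thread; a boolean for mail and an audit2allow module for printing here) both start from reading the AVC record. The following is an added example, not code from the mailing list: a small Python parser for the AVC records quoted above, in both the raw audit.log form and the `ausearch -i` form, with a triage rule that is this example's own heuristic (an assumption drawn from the advice in the threads, not anything SELinux or audit2why reports).

```python
import re
from dataclasses import dataclass

# Records quoted in the threads above, rewrapped to one line each (raw audit.log
# records and `ausearch -i` output, which drops the quotes and prints names).
SAMPLE = """\
type=AVC msg=audit(1506168723.591:2342): avc:  denied  { read } for  pid=28956 comm="lighttpd" name="C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1506168723.591:2342): arch=c03e syscall=2 success=no exit=-13 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1506168999.456:2351): avc:  denied  { open } for  pid=28956 comm="lighttpd" path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc:  denied  { setgid } for  pid=19418 comm=sendmail capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { open } for  pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc:  denied { write } for  pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
_PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')  # the { read open } part
FS_CLASSES = {"file", "dir", "lnk_file", "fifo_file", "sock_file"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "add_name", "remove_name", "rmdir"}
# Another daemon's installation rather than your own content: relabelling
# files here is the wrong fix (assumption of this example, not SELinux's).
SYSTEM_PREFIXES = ("/etc/", "/usr/lib", "/usr/sbin", "/var/lib/")


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    target: str      # path, name, port or capability, whichever the record has

    @property
    def stype(self):  # subject (process) type, e.g. httpd_t
        return self.scontext.split(":")[2]

    @property
    def ttype(self):  # object type, e.g. samba_share_t
        return self.tcontext.split(":")[2]


def parse_avc(line):
    """Return a Denial for one AVC record, None for any other record type."""
    perms = _PERMS.search(line)
    if "type=AVC" not in line or perms is None or " for " not in line:
        return None
    # Everything after "for" is key=value; the perms braces sit before it.
    fields = {k: v.strip('"') for k, v in _TOKEN.findall(line.split(" for ", 1)[1])}
    target = next((fields[k] for k in ("path", "name", "dest", "capability") if k in fields), "")
    return Denial(frozenset(perms.group(1).split()), fields["comm"],
                  fields["scontext"], fields["tcontext"], fields["tclass"], target)


def suggest(d):
    """Map one denial to (kind, advice) the way the replies above reason.
    Heuristic (this example's assumption): own content is a labelling question;
    another daemon's files, sockets and capabilities need a boolean or a module."""
    wants_write = bool(d.perms & WRITE_PERMS)
    what = f"{d.comm} ({d.stype}) wants {{ {' '.join(sorted(d.perms))} }} on {d.tclass} {d.target}"
    if d.tclass not in FS_CLASSES:
        return ("boolean", what + "; run the record through audit2why and setsebool -P "
                "the boolean it names, otherwise build a module with audit2allow -M")
    if d.target.startswith(SYSTEM_PREFIXES):
        return ("module", what + f" ({d.ttype}, another service's file); do not relabel "
                "it, build a module with audit2allow -M and load it with semodule -i")
    if d.stype.startswith("httpd_") and d.ttype.startswith("httpd_"):
        label = "httpd_sys_content_rw_t" if wants_write else "httpd_sys_content_t"
    elif d.stype.startswith("httpd_"):   # content labelled for another service
        label = (("public_content_rw_t" if wants_write else "public_content_t")
                 + " to keep sharing it, else httpd_sys_content"
                 + ("_rw_t" if wants_write else "_t"))
    else:
        label = f"a type {d.stype} may use (see the *_selinux man pages)"
    return ("label", what + f" labelled {d.ttype}; relabel it {label}, via "
            "semanage fcontext -a -t TYPE 'PATH(/.*)?' and restorecon -R PATH")


def summarise(log_text):
    """Collapse repeated records into one Denial per (subject type, object
    type, class), merging permissions; return {key: (kind, advice)}."""
    groups = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d.stype, d.ttype, d.tclass)
        if key in groups:
            p = groups[key]
            target = d.target if d.target.startswith("/") else p.target
            d = Denial(p.perms | d.perms, p.comm, p.scontext, p.tcontext, p.tclass, target)
        groups[key] = d
    return {key: suggest(d) for key, d in groups.items()}


if __name__ == "__main__":
    for (stype, ttype, tclass), (kind, advice) in summarise(SAMPLE).items():
        print(f"[{kind:7}] {stype} -> {ttype} ({tclass}): {advice}")
```

Grouping by (subject type, object type, class) is what keeps `grep lpr audit.log | audit2allow` from looking like dozens of separate problems when it is one: the same lighttpd file shows up twice above and collapses to one line of advice.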


Re: [CentOS] weird SELinux denial

2017-06-06 Thread Daniel Walsh

On 06/06/2017 01:19 PM, Vanhorn, Mike wrote:

On 6/6/17, 12:38 PM, "Daniel Walsh"  wrote:


I am asking if you run it again, does it change.  If the boolean is set
the audit2why should say that the AVC is allowed.

Well, if I just run audit2why again, it always tells me the same thing. 
However, I have now discovered that if I unset allow_ypbind, and then reset it 
to 1, audit2why then says

type=AVC msg=audit(1496768649.872:1338): avc:  denied  { name_connect } for  pid=2413 
comm="dbus-daemon" dest=111 
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which 
the audit message was generated.

Possible mismatch between current in-memory boolean settings 
vs. permanent ones.


---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ Engineering Center
937-775-5157
michael.vanh...@wright.edu


Ok, that works then.  The way I read your email indicated that setting 
the boolean did not allow the access.  I take it you are not running 
with NIS/Yellow pages and yet you see dbus connecting to port 111?






Re: [CentOS] weird SELinux denial

2017-06-06 Thread Daniel Walsh

On 06/06/2017 09:41 AM, Vanhorn, Mike wrote:

It says what it is my original post; that's the output from audit2allow -w
(which is audit2why):

Was caused by:
The boolean allow_ypbind was set incorrectly.
Description:
Allow system to run with NIS

Allow access by executing:
# setsebool -P allow_ypbind 1

---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ Engineering Center
937-775-5157
michael.vanh...@wright.edu

On 6/6/17, 9:29 AM, "Daniel Walsh"  wrote:

If you run this avc though audit2why what does it say?



I am asking if you run it again, does it change.  If the boolean is set 
the audit2why should say that the AVC is allowed.




Re: [CentOS] weird SELinux denial

2017-06-06 Thread Daniel Walsh

On 06/06/2017 09:17 AM, Vanhorn, Mike wrote:

I keep seeing this in my audit.logs:

type=AVC msg=audit(1496336600.230:6): avc:  denied  { name_connect } for  pid=2411 
comm="dbus-daemon" dest=111 
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Was caused by:
The boolean allow_ypbind was set incorrectly.
Description:
Allow system to run with NIS

Allow access by executing:
# setsebool -P allow_ypbind 1


The weirdness is that when I check allow_ypbind, it’s already on:

# getsebool allow_ypbind
allow_ypbind --> on
#


Does anyone with more experience with SELinux than me have any idea why this is 
happening?

---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ Engineering Center
937-775-5157
michael.vanh...@wright.edu



If you run this avc through audit2why what does it say?




[CentOS] Disabling user list in Gnome

2017-06-06 Thread Daniel Ruiz Molina

Hello,

how can I disable the list of users that have logged in at least once
into the X environment, in Gnome running on CentOS 7?


Thanks.


[CentOS] Lock Screen in Gnome and using keyboard

2017-04-06 Thread Daniel Ruiz Molina

Hello,

I need to reconfigure Gnome in CentOS to prevent a normal user from locking
the screen using the task bar option and/or the "Super L" key (Windows
Key + L). How could I configure Gnome? I need to do that on several
computers, so I can't log in to the X environment of each computer; I
need to reconfigure it from the command line (multiple SSH
connections).


Thanks.


Re: [CentOS] CentOS-5 End of Life

2017-03-01 Thread Daniel J Pacek
On 03/01/2017 09:52 AM, Johnny Hughes wrote:
> On 03/01/2017 05:28 AM, Johnny Hughes wrote:
>> Just a message to remind everyone that CentOS-5 has an End of Life date
>> of March 31, 2017.
>>
>> This means that there will be no new security updates released by Red
>> Hat for RHEL-5 after that date.
> This is for their main RHEL-5 Tree.
>
>> Sometime in early April, the current 5.11 tree will be moved onto
>> vault.centos.org (like CentOS-3 and CentOS-4 have been since their EOL).
>>
> For CentOS-5 users that can not shift from EL5 workloads, Red Hat does
> offer EUS (Extended Update Support) past the 10 year point for RHEL-5.
> You can see this link for more info on EL5 EUS support:
>
>
> https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux


Actually it's called ELS - Extended Lifecycle support
https://access.redhat.com/support/policy/updates/errata

EUS - Extended Update Support is an add-on for RHEL customers that need
patches and updates
for Minor releases of RHEL for up to 24 months from GA.


>
> Thanks,
> Johnny Hughes
>
>
>


-- 
Daniel J. Pacek
Strategic Market Analyst
Red Hat, Inc.
314 Littleton Rd.
Westford, MA 01886

dpa...@redhat.com
Tel: 978-392-3138



Re: [CentOS] SELInux conflict with Postfixadmin

2017-02-21 Thread Daniel J Walsh


On 02/21/2017 11:52 AM, Robert Moskowitz wrote:
>
>
> On 02/21/2017 11:46 AM, Zdenek Sedlak wrote:
>> On 2017-02-21 17:30, Robert Moskowitz wrote:
>>> postfixadmin setup.php is claiming:
>>>
>>> *Error: Smarty template compile directory templates_c is not writable.*
>>> *Please make it writable.*
>>> *If you are using SELinux or AppArmor, you might need to adjust their
>>> setup to allow write access.*
>>>
>>>
>>> This goes away with 'setenforce 0', so it is an SELinux issue.  I have
>>> tried both:
>>>
>>> restorecon -Rv /usr/share/postfixadmin
>>>
>>> and
>>>
>>> chcon -R -t httpd_sys_content_t /usr/share/postfixadmin
>>>
>>> and they are not the problem.  Googling this message does not produce
>>> any SELinux advice.
>>>
>>> Any ideas?
>>>
>>> thanks
>>>
>> Hi,
>>
>> after 'setenforce 0' check the /var/log/audit/audit.log:
>>
>> # grep /var/log/audit/audit.log | audit2why
>
> Don't I need a search string in that grep command?
>
>> to see where  the problem could be.
>
> Anyway the last three entries are:
>
> type=AVC msg=audit(1487695678.704:128): avc:  denied  { write } for
> pid=2055 comm="httpd" name="templates_c" dev="sda3" ino=786958
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> permissive=1
>
If you want to allow apache processes to write to the templates_c
directory you need to label it httpd_sys_content_rw_t.
> type=SYSCALL msg=audit(1487695678.704:128): arch=4028 syscall=33
> per=80 success=yes exit=0 a0=813c3ed0 a1=2 a2=0 a3=0 items=0
> ppid=2053 pid=2055 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
> key=(null)
>
> type=PROCTITLE msg=audit(1487695678.704:128):
> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>
>



Re: [CentOS] Script not running correctly as cronjob

2017-02-01 Thread Daniel Reich
Thank you for the hints

I modified like you described.
I also moved the permission part out of the loop (once at the end of the script 
is enough).

Now with the "set -x" the script is working also in cron.

Best regards
Daniel



-Original Message-
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Tony Mountifield
Sent: Wednesday, February 1, 2017 11:04 AM
To: centos@centos.org
Subject: Re: [CentOS] Script not running correctly as cronjob

In article <86827d81f1944333ae213f2d3f198...@2sic.com>,
Daniel Reich  wrote:
> Hi
> 
> I have a script to re-sign all DNS zones every two weeks. When I run 
> the script from bash, it works like it should. But when it is executed in 
> cron it does not. It starts normally as a cronjob:
> Feb  1 03:00:01 xxx CROND[20116]: (root) CMD (sh 
> /opt/dnssec/resign_dnssec_zones.sh)
> 
> But afterwards I get a mail that everything is finished, but it isn't.
> 03:04:28 DNSSEC-Signierung abgeschlossen
> 
> The script deletes the old signed zones, but doesn't re-sign them. The mail is 
> also sent.
> Below the script.
> 
> Anybody an idea why it doesn't work in cron? I cannot find any error 
> in any log.

After the first line, add a line saying: set -x

Then set cron to run it and examine the output that gets mailed to you.

The -x tells it to echo each command it is about to execute. That will help you 
to see how far it is getting.

Further comments below.

Cheers
Tony

> Best regards
> Daniel
> 
> 
> #!/bin/bash
> KSKDIR="/etc/named/KSK"
> ZSKDIR="/etc/named/ZSK"
> ZONEDIR="/var/named/chroot/var/named"
> LOG="/var/named/chroot/var/log/dnssec_resign.log"
> MAILREC="monitor@xx"
> 
> #delete old signed files
> rm -rf $ZONEDIR/*.signed
> 
> #delete the old log
> rm -rf $LOG
> 
> #read the zonefiles
> ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*')
> 
> for FILES in $ZONEFILES; do
> #remove the .zone at the end
> ZONE=$(echo "${FILES%.*}")

Why not just: ZONE=${FILES%.*}

> #remove the old signed zone
> rm -rf $ZONEDIR/$ZONE.signed

You deleted them all further up.

> #Sign the zone
> cd $ZONEDIR

Why not do this before the loop? Then you also don't need $ZONEDIR/ everywhere.

> dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 
> -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG
> 
> #Set the correct permissions
> chown named.named $ZONEDIR/*.signed
> chmod 755 $ZONEDIR/*.signed
> sleep 5
> done
> rm -rf $ZONEDIR/named.zone
> 
> echo $(date +"%T")"DNSSEC-Signierung abgeschlossen - Neustart des 
> Servers" >> $LOG echo "$(cat $LOG)" | mail -s "DNSSEC-Signierung 
> abgeschlossen auf xxx" $MAILREC
> 
> 
> 


--
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org 


[CentOS] Script not running correctly as cronjob

2017-02-01 Thread Daniel Reich
Hi

I have a script to re-sign all DNS zones every two weeks. When I run the script
from bash, it works like it should. But when it is executed in cron it does not.
It starts normally as a cronjob:
Feb  1 03:00:01 xxx CROND[20116]: (root) CMD (sh /opt/dnssec/resign_dnssec_zones.sh)

But afterwards I get a mail that everything is finished, but it isn't.
03:04:28 DNSSEC-Signierung abgeschlossen

The script deletes the old signed zones, but doesn't re-sign them. The mail is also
sent.
Below the script.

Anybody an idea why it doesn't work in cron?
I cannot find any error in any log.

Best regards
Daniel


#!/bin/bash
KSKDIR="/etc/named/KSK"
ZSKDIR="/etc/named/ZSK"
ZONEDIR="/var/named/chroot/var/named"
LOG="/var/named/chroot/var/log/dnssec_resign.log"
MAILREC="monitor@xx"

#delete old signed files
rm -rf "$ZONEDIR"/*.signed

#delete the old log
rm -rf "$LOG"

#read the zonefiles (skip directories and the dsset-* files)
ZONEFILES=$(ls -p "$ZONEDIR" | grep -v '/$' | grep -v '^dsset-')

for FILES in $ZONEFILES; do
#remove the .zone at the end
ZONE=${FILES%.*}

#remove the old signed zone
rm -rf "$ZONEDIR/$ZONE.signed"

#Sign the zone
cd "$ZONEDIR" || exit 1
dnssec-signzone -o "$ZONE" -k "$KSKDIR"/K"$ZONE".*.key -e +3024000 -f "$ZONE.signed" "$ZONEDIR/$ZONE.zone" "$ZSKDIR"/K"$ZONE".*.key >> "$LOG"

#Set the correct permissions
chown named:named "$ZONEDIR"/*.signed
chmod 755 "$ZONEDIR"/*.signed
sleep 5
done
rm -rf "$ZONEDIR/named.zone"

echo "$(date +"%T") DNSSEC-Signierung abgeschlossen - Neustart des Servers" >> "$LOG"
mail -s "DNSSEC-Signierung abgeschlossen auf xxx" "$MAILREC" < "$LOG"




Re: [CentOS] SELinux upgrade

2017-01-19 Thread Daniel J Walsh


On 01/19/2017 08:57 AM, Marcin Trendota wrote:
> W dniu 19.01.2017 o 14:54, Johnny Hughes pisze:
>
>>> So, it looks like something with docker-selinux and container-selinux...
>> Right, I wanted to mention that docker-selinux was replaced with
>> container-selinux in the latest version.
> Shouldn't be docker-selinux automatically removed then?
>
container-selinux should disable docker policy and then install its own.

container-selinux-1.12.5-14


Re: [CentOS] username.pem

2016-04-26 Thread Daniel J Walsh
Best label available I can see is sshd_var_run_t.  Not exactly named 
well but it would work.



chcon -R -t sshd_var_run_t /var/lib/ssh-x509-auth



On 04/26/2016 11:31 AM, m.r...@5-cent.us wrote:

Hi, folks,

Our system gets/creates /var/lib/ssh-x509-auth/,pem, then
deletes it when the log out. selinux (in permissive mode) complains.
First, I changed the context to cert_t, and *now* it complains that
ksh93 wants write, etc access on the directory. grep ssh-x509-auth
/var/log/audit/audit.log | audit2allow offers me this:
#= sshd_t ==
allow sshd_t cert_t:dir write;
allow sshd_t var_lib_t:file { write getattr create open ioctl };

So: first, is this an expected behavior; second, is that the correct
fcontext, and, finally, is it safe for me to create this as a local
policy?

Thanks in advance.

  mark





Re: [CentOS] CentOS 7, selinux issue

2016-04-06 Thread Daniel J Walsh
Can you attach one of the AVCs? Most likely ssh-x509-auth needs to be
labeled sshd_key_t or ssh_home_t.

On 04/06/2016 02:54 PM, m.r...@5-cent.us wrote:

I'm seeing a lot of noise in the logs, to the effect of:
setroubleshoot: SELinux is preventing /bin/ksh93 from write access on the
directory /var/lib/ssh-x509-auth

as well as others related to find, cat, etc on .pem's in that directory.
Is this a policy bug, or just no policy covering this?

mark





[CentOS] NICs order

2016-02-01 Thread Daniel Ruiz Molina

Hi,

After installing CentOS 7 in a server with 2 NICs, the system detects eth0
and eth1 in reverse order. I would like to have eth1 as eth0 and eth0 as
eth1. I have forced the HWADDR attribute in
/etc/sysconfig/network-scripts/ifcfg-eth{0,1}, but after rebooting, the
order is the same...


How can I solve it?

Thanks.


[CentOS] CentOS 6.6 - reshape of RAID 6 is stucked

2015-08-25 Thread Daniel Reich
Hello

I have a CentOS 6.6 Server with 13 disks in a RAID 6. Some weeks ago, I
upgraded it to 17 disks, two of them configured as spare. The reshape worked
like normal in the beginning. But at 69% it stopped.

md2 : active raid6 sdj1[0] sdg1[18](S) sdh1[2] sdi1[5] sdm1[15] sds1[12] sdr1[14] sdk1[9] sdo1[6] sdn1[13] sdl1[8] sdd1[20] sdf1[19] sdq1[16] sdb1[10] sde1[17](S) sdc1[21]
      19533803520 blocks super 1.2 level 6, 1024k chunk, algorithm 2 [15/15] [UUU]
      [=>...]  reshape = 69.0% (1347861324/1953380352) finish=46103134.8min speed=0K/sec

I already tried to stop the raid and start it again, the reshape will start but 
stop again after some minutes. If I reboot the server, the reshape won't start:

md2 : active raid6 sdj1[0] sdg1[18](S) sdh1[2] sdi1[5] sdm1[15] sds1[12] sdr1[14] sdk1[9] sdo1[6] sdn1[13] sdl1[8] sdd1[20] sdf1[19] sdq1[16] sdb1[10] sde1[17](S) sdc1[21]
      19533803520 blocks super 1.2 level 6, 1024k chunk, algorithm 2 [15/15] [UUU]
      resync=PENDING

Just if I restart the raid again, it will start the reshape process and stop it 
like above.

In dmesg and messages logs I just found:

dmesg
md/raid:md2: reshape: not enough stripes.  Needed 1024

messages
23:14:56 data kernel: md/raid:md2: not clean -- starting background 
reconstruction
23:14:56 data kernel: md/raid:md2: reshape will continue
23:14:56 data kernel: md/raid:md2: device sdj1 operational as raid disk 0
23:14:56 data kernel: md/raid:md2: device sdh1 operational as raid disk 2
23:14:56 data kernel: md/raid:md2: device sdi1 operational as raid disk 5
23:14:56 data kernel: md/raid:md2: device sdn1 operational as raid disk 11
23:14:56 data kernel: md/raid:md2: device sds1 operational as raid disk 3
23:14:56 data kernel: md/raid:md2: device sdm1 operational as raid disk 1
23:14:56 data kernel: md/raid:md2: device sdf1 operational as raid disk 14
23:14:56 data kernel: md/raid:md2: device sdd1 operational as raid disk 13
23:14:56 data kernel: md/raid:md2: device sdb1 operational as raid disk 10
23:14:56 data kernel: md/raid:md2: device sdq1 operational as raid disk 7
23:14:56 data kernel: md/raid:md2: device sdr1 operational as raid disk 4
23:14:56 data kernel: md/raid:md2: device sdl1 operational as raid disk 8
23:14:56 data kernel: md/raid:md2: device sdk1 operational as raid disk 9
23:14:56 data kernel: md/raid:md2: device sdc1 operational as raid disk 12
23:14:56 data kernel: md/raid:md2: device sdo1 operational as raid disk 6
23:14:56 data kernel: md/raid:md2: allocated 0kB
23:14:56 data kernel: md/raid:md2: raid level 6 active with 15 out of 15 
devices, algorithm 2
23:14:56 data kernel: md2: Warning: Device sdi1 is misaligned
23:14:56 data kernel: md2: detected capacity change from 0 to 20002614804480
23:14:56 data kernel: md2: unknown partition table
23:14:56 data kernel: XFS (md2): Mounting Filesystem
23:14:56 data kernel: md/raid:md2: reshape: not enough stripes.  Needed 1024
23:14:56 data kernel: XFS (md2): Ending clean mount

So I fixed the stripes:
cat /sys/block/md2/md/stripe_cache_size
16384

But the reshape is still not working and the same error still appears in the
logs.

Does anyone have an idea?

Regards
Daniel




Re: [CentOS] puppet files denied by SELinux

2015-06-29 Thread Daniel J Walsh
I have no idea of the current dependency problem.  I think your original
problem was caused by mv'ing files from an nfs share to /etc which
maintained the context.  And SELinux prevented puppet from accessing
nfs_t type.  If you had just run restorecon on the object it would have
set it back to the correct/default context.

You might want to set up an alias: alias mv='mv -Z'

This changes the way mv works to set the context after mv rather than
maintaining the source context.

On 06/21/2015 02:05 PM, Tim Dunphy wrote:
> Hey guys,
>
>  Quick update. I grepped through the output of getsebool -a to see that
> related to puppet. And I found this setting: puppetagent_manage_all_files.
>
>  So I tried running this command: setsebool -P puppetagent_manage_all_files
> 0
>
>  And did a restorecon on my modules directory: restorecon -R -v
> environments/production/moudles
>
>  So there's good news and bad news to report! It seems that now puppet on
> the client isn't complaining about not having access to the cert and key
> files anymore! That's the good news. The bad news is, when I do puppet runs
> on all the hosts now, I get the following errors:
>
> Notice: /File[/var/lib/puppet/lib/facter/concat_basedir.rb]: Dependency
> File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/facter/concat_basedir.rb]: Skipping
> because of failed dependencies
> Notice: /File[/var/lib/puppet/lib/facter/ssldir.rb]: Dependency
> File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/facter/ssldir.rb]: Skipping because of
> failed dependencies
> Notice:
> /File[/var/lib/puppet/lib/puppet/parser/functions/ensure_resource.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning:
> /File[/var/lib/puppet/lib/puppet/parser/functions/ensure_resource.rb]:
> Skipping because of failed dependencies
> Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/validate_re.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/validate_re.rb]:
> Skipping because of failed dependencies
> Notice: /File[/var/lib/puppet/lib/puppet/reports/datadog_reports.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/puppet/reports/datadog_reports.rb]:
> Skipping because of failed dependencies
> Notice:
> /File[/var/lib/puppet/lib/puppet/parser/functions/is_function_available.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning:
> /File[/var/lib/puppet/lib/puppet/parser/functions/is_function_available.rb]:
> Skipping because of failed dependencies
> Notice:
> /File[/var/lib/puppet/lib/puppet/parser/functions/str2saltedsha512.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning:
> /File[/var/lib/puppet/lib/puppet/parser/functions/str2saltedsha512.rb]:
> Skipping because of failed dependencies
> Notice:
> /File[/var/lib/puppet/lib/puppet/parser/functions/delete_undef_values.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning:
> /File[/var/lib/puppet/lib/puppet/parser/functions/delete_undef_values.rb]:
> Skipping because of failed dependencies
> Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/fqdn_rotate.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/fqdn_rotate.rb]:
> Skipping because of failed dependencies
> Notice: /File[/var/lib/puppet/lib/facter/gemhome.rb]: Dependency
> File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/facter/gemhome.rb]: Skipping because of
> failed dependencies
> Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/values_at.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/values_at.rb]:
> Skipping because of failed dependencies
> Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/getvar.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/getvar.rb]:
> Skipping because of failed dependencies
> Notice: /File[/var/lib/puppet/lib/puppet/provider/vcsrepo/cvs.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/puppet/provider/vcsrepo/cvs.rb]:
> Skipping because of failed dependencies
> Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/strftime.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/strftime.rb]:
> Skipping because of failed dependencies
> Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/chop.rb]:
> Dependency File[/var/lib/puppet/lib] has failures: true
> Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/chop.rb]:
> Skipping because of failed dependencies
> Notice: /File[/var/lib/puppet/lib/puppet/util/firewall.rb]: Dependency
> File[/var/lib/puppet/lib] has failures: true
> Warn

Re: [CentOS] more newbie questions -- init 5 works, init 3 doesn't for "normal" users

2015-06-17 Thread Daniel J Walsh


On 06/11/2015 05:27 PM, m.r...@5-cent.us wrote:
> Kay Schenk wrote:
>> On 06/11/2015 08:28 AM, m.r...@5-cent.us wrote:
>>> Kay Schenk wrote:
>>>> On 06/10/2015 10:06 PM, Gordon Messmer wrote:
>>>>> On 06/10/2015 05:25 PM, Kay Schenk wrote:
>>>>>> I get /home/ not found when it's there and
>>>>>> setup with correct permissions -- well here I am using it
>>>>>> in run level 5 just fine!
>>>>>>>
>>>>> The file "startx.trace" will have a list of all of the
>>>>> commands run, and all of their output (including errors).
>>>>>
>>>>> /var/log/X* might be interesting as well.
>>>> OK, this last bit sounds promising although this works as expected for
>>>> root -- starts up gnome flawlessly. My previous setup imported settings
>>>> to use a display manager, etc. So, I need to check on this.
>>>>
>>>> Right now, one of my main concerns is that my old /home
>>>> partition/directory is supposedly associated WITH current users I setup
>>>> and yet...NOT! The system does not recognize this association even
>>>> though it asked me about setting it up when I created my first real user
>>>> on installation. I had to go in and reset uids but that's no biggie and
>>>> this process has worked fine before.  I can't help but think this is
>>>> related to the startx issue.
>>> I missed parts of this thread: are any of them mounted NFS? From root,
>>> su
>>> - user, and then do ls -laF, and check the ownership and group,
>>> *including* of ./ (the current directory).
>>>
>>> I mention NFS because of issues we've been having here, but we're
>>> connected to AD, and I need to fix /etc/idmapd.conf to have our domain.
>> Thanks for everyone's help. It seems the not locating /home for users
>> was related to startx problem.
>>
>> The /home partition in question had been an old one, ext3, and requested
>> not to format. All that was well. Partition mounted, etc. Unfortunately,
>> I had inadvertently installed selinux (OK, I saw that but didn't
>> understand the consequences) and this was what was causing my odd
>> non-root user login behavior (couldn't locate /home) AND the startx
>> problems from init 3 level. After talking to an RH admin colleague, all
>> fine now. On to more fun items as I get up to speed on CentOS! :)
>>
> Check to see if the setroubleshoot package is installed. If not, do it.
> It'll generate log entries with sealerts, which will help you figure out
> how to shut up selinux. Run it in permissive mode, in the meantime.
>
>  mark "one of my permanent goals: shutting up selinux"
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
You probably want to execute

# semanage fcontext -a -e /home /PATHTOYOURHOME
# restorecon -R -v /PATHTOYOURHOME

This tells SELinux to label content under /PATHTOYOURHOME as if it was
under /home, and should fix most of your problems.


Re: [CentOS] selinux allow apache log access

2015-06-17 Thread Daniel J Walsh


On 06/17/2015 04:03 PM, Jonathan Billings wrote:
> On Wed, Jun 17, 2015 at 03:30:51PM -0400, Tim Dunphy wrote:
>> No prob! Thanks for all the help! But in searching my system I don't find
>> anything of the sort.
>>
>> [root@monitor2:~] #updatedb
>> [root@monitor2:~] #locate myzabbix.te
>> [root@monitor2:~] #find / -name "myzabbix.*"
>>
>> I also did search using 'yum provides' to find something similar. But
>> wasn't' able to find anything.
> What we're asking for is the contents of the .te file that is created
> when you run audit2allow.
>
Go back to the original email and do what you were told:

# grep zabbix /var/log/audit/audit.log  | audit2allow -M myzabbix
# semodule -i myzabbix.pp

You did audit2allow -M zabbix

which created zabbix.te and zabbix.pp, which is bad.  It will attempt to
replace the system module.

If you use myzabbix, it will add the allow rules.



Re: [CentOS] Try II: selinux, xfs, and CentOS 6 and 5 issue

2015-06-02 Thread Daniel J Walsh


On 06/02/2015 11:30 AM, m.r...@5-cent.us wrote:
> Tried just the selinux list yesterday, no answers, so I'm trying again.
>
> I partitioned GPT, and formatted, as xfs,  a large (3TB) drive on a CentOS
> 6 system, which has selinux in permissive mode. I then moved the drive to
> a CentOS 5 system. When we run a copy (it mirror-copies from another
> system), we get a ton of errors. I discovered that the CentOS 5 system was
> enforcing. I changed it to permissive, I labelled the directories and
> files w/ semanage, did a restorecon, and even did a fixfiles, and *then* I
> tried /.autorelabel and rebooted, and we still get a ton of errors:
> Jun  1 17:01:32  kernel: inode_doinit_with_dentry: 
> context_to_sid(unconfined_u:object_r:file_t:s0) returned 22 for dev=sdd1
> ino=2151541032
>
> I had to reboot to disabled to get it to shut up.
>
> So: is there something that selinux does in CentOS 6 that is in the
> labelling on the xfs filesystem that I can do something about on the
> CentOS 5 system, or do I just have to leave selinux disabled (until, maybe
> in the next year, we can rebuild to 7)?
>
> mark
>
> --
> selinux mailing list
> seli...@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
SELinux on RHEL5 did not have an MLS field in the label, so the directory
can not be used by both RHEL5 and RHEL6 easily.

If all of the content on the device is going to be labeled the same,
then just use a context mount option,

context="system_u:object_r:usr_t:s0"  for example.


Re: [CentOS] CentOS 7 selinux policy bug

2015-05-30 Thread Daniel J Walsh


On 05/29/2015 09:20 AM, m.r...@5-cent.us wrote:
> Hi, folks,
>
> CentOS 7.1. SELinux policy, and targeted, updated two days ago.
>
> May 28 17:02:41  python: SELinux is preventing /usr/bin/bash
> from execute access on the file /usr/bin/bash.#012#012* <...>
> May 28 17:02:45  python: SELinux is preventing /usr/bin/bash
> from execute access on the file /usr/bin/uname.#012#012*  <...>
> May 28 17:02:45  python: SELinux is preventing /usr/bin/uname
> from execute_no_trans access on the file /usr/bin/uname.#012#012*
> <...>
> May 28 17:02:47  python: SELinux is preventing /usr/bin/bash
> from execute access on the file /usr/bin/mailx.#012#012*  <...>
>
> I did do an ll -Z /usr/bin, and everything looks correct
> (system_u:object_r:bin_t:s0). Given that, looks to me like a policy bug.
> No? Yes? File a bug report?
>
> mark
>
What is the avc that you are seeing?

ausearch -m avc -ts recent



Re: [CentOS] SEmodule dependency hell.

2015-04-07 Thread Daniel J Walsh
You should be able to modify the definition of a port. Or create a new
port type and modify the existing port to use it.

http_port_t is just a name (type) that we can use to group a number of
ports together.  Sadly we do not separate the port types of incoming and
outgoing connections.  So if you confined httpd and firefox on the same
machine it gets difficult to say firefox is allowed to connect to ports
80, 8080, 8000 while your httpd service is only able to bind to port 8000,
without defining new types and installing custom policy modules.

On 04/02/2015 11:03 AM, Andrew Holway wrote:
> File a bug!!!
>
> On 2 April 2015 at 16:20, James B. Byrne  wrote:
>
>> On Wed, April 1, 2015 16:09, Andrew Holway wrote:
>>> I used the command: semanage port -m -t http_port_t -p tcp 8000
>>> to relabel a port. perhaps you could try:
>>> "semanage port -m -t unconfined_t -p tcp 8000"
>>> Failing that; would it work to run your application in the httpd_t
>>> domain?
>>>
>> I ended up having to create a custom policy to allow the other
>> application to have access to the http_port_t context.  Which is not
>> an issue given that no httpd service is, or will ever be, installed on
>> that host.
>>
>> However, it seems a rather dangerous hole in the logical design of
>> SELinux that one cannot explicitly remove and reassign contexts to
>> ports.  In order to accomplish this on a system running httpd but
>> attached to non-standard ports one perforce is required to cross link
>> permissions between all of the affected processes.  Which I cannot
>> conceive as a security enhancement.
>>
>>
>> --
>> ***  E-Mail is NOT a SECURE channel  ***
>> James B. Byrnemailto:byrn...@harte-lyne.ca
>> Harte & Lyne Limited  http://www.harte-lyne.ca
>> 9 Brockley Drive  vox: +1 905 561 1241
>> Hamilton, Ontario fax: +1 905 561 0757
>> Canada  L8E 3C3
>>
>>



Re: [CentOS] building RPMs with SELinux

2015-01-26 Thread Daniel J Walsh

On 01/22/2015 05:40 AM, Andrew Holway wrote:
> Hello,
>
> I'm trying to find some good info on building RPMs that set the correct
> SELinux contexts for the installed packages.
>
> Any ideas?
>
> Thanks,
>
> Andrew
rpm should do this by itself, if the policy file is installed before the
rpm is laid down.

You could consider two packages:

foobar-policy.rpm
foobar.rpm, and then make foobar rely on foobar-policy.rpm.

But we usually install it in the post install of the package and then run
restorecon on the content.

This presentation has some rpm examples.

https://fedorapeople.org/~dwalsh/SELinux/Presentations/SummitSELinuxEnterprise.odp



Re: [CentOS] How to prevent root from managing/disabling SELinux

2015-01-26 Thread Daniel J Walsh

On 01/23/2015 06:01 PM, Stephen Harris wrote:
> At work I'm used to tools like eTrust Access Control (aka SEOS).  eTrust
> takes away the ability to manage the eTrust config from root and puts it
> in the hands of "security admin".  So there's a good separation of duties;
> security admin control the security ruleset, but are limited by the OS
> permissions (so even if they granted themselves permission to modify
> /etc/shadow, the standard OS permissions would block them) and system admins
> control the OS (so they can be root, but can't override eTrust).
>
> Ideally this type of separation would be useful in the SELinux world
> as well.  OK, maybe this is a bit of an overkill for my own machines,
> but then I do have bastion hosts and internal segmented networking at
> home; I do overkill at times :-)
>
> The problem is that I can't see how to prevent this.  There are too many
> access points (not just the CLI tools but the pp files and the /sys tree
> and I don't know what else).
>
> I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux
> has security_t so maybe a policy that deny's everyone except a new
> security_admin_t permission to modify those files might work?
>
> Has anyone actually attempted this?
>
You would need to disable the unconfined.pp module and the unconfineduser.pp
module and run all of your users as confined users, including the admin user
as sysadm_t.

You could also set the secure_ booleans:

 getsebool -a | grep secure_*
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off




Re: [CentOS] CentOS-6.6 Fail2Ban and Postfix Selinux AVCs

2015-01-21 Thread Daniel J Walsh

On 01/19/2015 01:59 PM, James B. Byrne wrote:
> On Mon, January 19, 2015 11:50, James B. Byrne wrote:
>> I am seeing these in the log of one of our off-site NX hosts running
>> CentOS-6.6.
>>
>> type=AVC msg=audit(1421683972.786:4372): avc:  denied  { create } for
>> pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0
>> tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket
>> Was caused by:
>> Missing type enforcement (TE) allow rule.
>>
>> You can use audit2allow to generate a loadable module
>> to allow this access.
>>
>> SELinux is preventing /sbin/iptables-multi-1.4.7 from search access on
>> the directory .
>>
>> *  Plugin catchall (100. confidence) suggests
>> ***
>>
>> If you believe that iptables-multi-1.4.7 should be allowed search
>> access on the  directory by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep iptables /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>>
> It appears that the starting date of these errors corresponds to the
> day on which we first began to jail SSH attempts on that host.
>
> We eventually ended up with a custom policy that looks like this:
>
> #= fail2ban_t ==
> allow fail2ban_t ldconfig_exec_t:file { read execute open getattr
> execute_no_trans };
>
> allow fail2ban_t insmod_exec_t:file { read execute open };
> allow fail2ban_t self:capability { net_admin net_raw };
> allow fail2ban_t self:rawip_socket { getopt create setopt };
> allow fail2ban_t sysctl_kernel_t:dir search;
> allow fail2ban_t sysctl_modprobe_t:file read;
>
> allow system_mail_t inotifyfs_t:dir read;
These AVCs are related to fail2ban inserting kernel modules, which
seems like a dangerous thing to do.
>
> I am not sure whether this issue is the result of something that we
> have done or left undone.  We have another host configured in much the
> same fashion as this one and it does not display these errors.  On the
> other hand the second host was installed several years ago and has a
> number of custom polices already applied. It is possible that this
> problem was dealt with piecemeal or is submerged due to other
> customisations.
>

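As an added illustration of reading what audit2allow would grant before loading it (this is not code from the list or from audit2allow): the script below parses AVC denials in the single-line format auditd writes, merges them into allow rules laid out like the custom policy quoted in this thread, and flags the capability and kernel-module grants Dan calls dangerous before anything reaches semodule -i. The audit records, the risky-capability list and the risky-target list are constructed for the example.

```python
"""Render raw SELinux AVC denials as audit2allow-style allow rules and flag the
ones that widen a confined domain in risky ways, so a generated module is read
before it is loaded with `semodule -i`.

Added example for the fail2ban thread; not code from the list and not
audit2allow itself. The audit records are constructed in the single-line format
auditd writes (the thread's fail2ban denial plus a few more).
"""
import re
from collections import defaultdict

# Constructed sample of what `grep fail2ban /var/log/audit/audit.log` might return.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1421683972.786:4372): avc:  denied  { create } for  pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket
type=AVC msg=audit(1421683972.790:4373): avc:  denied  { setopt getopt } for  pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket
type=AVC msg=audit(1421683973.001:4374): avc:  denied  { net_admin } for  pid=22788 comm="iptables" capability=12 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability
type=AVC msg=audit(1421683973.002:4375): avc:  denied  { read execute open } for  pid=22790 comm="modprobe" path="/sbin/insmod" dev=dm-0 ino=1310 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1421683973.002:4375): arch=c000003e syscall=59 success=no exit=-13 comm="modprobe"
type=AVC msg=audit(1421683980.500:4380): avc:  denied  { read } for  pid=3011 comm="sendmail" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed review lists: capabilities that hand a service domain system-wide
# power, and target types where write/execute access deserves a second look.
RISKY_CAPS = {"net_admin", "net_raw", "sys_module", "sys_admin", "sys_ptrace",
              "dac_override", "setuid", "setgid"}
RISKY_TARGETS = {
    "insmod_exec_t": "loads kernel modules",
    "shell_exec_t": "runs a shell",
    "sysctl_kernel_t": "changes kernel sysctls",
    "security_t": "drives the SELinux kernel interface",
    "selinux_config_t": "changes SELinux configuration",
    "shadow_t": "reaches password hashes",
}
WRITE_OR_EXEC = {"write", "append", "create", "unlink", "setattr",
                 "execute", "execute_no_trans"}


def _type_of(context):
    """user:role:type:level -> type; the level may itself contain ':' (MLS ranges)."""
    return context.split(":")[2]


def parse_avcs(audit_text):
    """Return one dict per AVC denial with source type, target type, class and perms."""
    avcs = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records and granted AVCs are not denials
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        avcs.append({
            "stype": _type_of(fields["scontext"]),
            "ttype": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "perms": set(m.group("perms").split()),
            "comm": fields.get("comm", "?"),
        })
    return avcs


def build_rules(avcs):
    """Merge denials into (source, target, class) -> perms, as audit2allow does;
    a target of the same type as the source is written as `self`."""
    rules = defaultdict(set)
    for a in avcs:
        target = "self" if a["ttype"] == a["stype"] else a["ttype"]
        rules[(a["stype"], target, a["tclass"])] |= a["perms"]
    return dict(rules)


def render_te(rules):
    """Lay the rules out the way audit2allow prints a .te file, grouped by domain."""
    lines = []
    for stype in sorted({k[0] for k in rules}):
        lines.append(f"\n#============= {stype} ==============")
        for key in sorted(k for k in rules if k[0] == stype):
            perms = sorted(rules[key])
            perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            lines.append(f"allow {key[0]} {key[1]}:{key[2]} {perm_text};")
    return "\n".join(lines) + "\n"


def review(rules):
    """Warnings for rules that let a confined daemon reach beyond its job."""
    warnings = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        if tclass in ("capability", "capability2"):
            for cap in sorted(perms & RISKY_CAPS):
                warnings.append(f"{stype}: capability {cap}")
        if target in RISKY_TARGETS and perms & WRITE_OR_EXEC:
            warnings.append(f"{stype}: {tclass} {' '.join(sorted(perms))} on {target} "
                            f"({RISKY_TARGETS[target]})")
    return warnings


if __name__ == "__main__":
    rules = build_rules(parse_avcs(SAMPLE_AUDIT_LOG))
    print(render_te(rules))
    for warning in review(rules):
        print("REVIEW BEFORE semodule -i:", warning)
```

Feed it real output of `grep fail2ban /var/log/audit/audit.log` and compare the flagged rules with the .te file audit2allow -M produced; the rawip_socket and inotifyfs_t rules pass quietly, the insmod_exec_t and net_admin ones do not.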


Re: [CentOS] CentOS 6, CUPS and Canon printers problem

2015-01-21 Thread Daniel J Walsh

On 01/21/2015 04:11 AM, Emmanuel Noobadmin wrote:
> Just to follow up to myself and leave a record, the problem is SELinux
> blocking the driver from creating/reading/writing temporary files
> under CUPS.
Do you have the AVC's?


Re: [CentOS] SELinux-alert: aide wants to write to /var/run/winbindd/pipe

2015-01-14 Thread Daniel J Walsh

On 01/13/2015 05:09 AM, Patrick Bervoets wrote:
> Hi,
>
> does anyone know if aide should have access to this socket?
>
> SELinux is preventing /usr/sbin/aide from write access on the
> sock_file /var/run/winbindd/pipe.
>
> Thanks
> Patrick
>
Looks like it is doing some call to getpw* which is using winbindd for
authentication.  I would assume.

> (on CentOS6 if that matters)



[CentOS] LVM - pvmove and multiple servers

2015-01-10 Thread Daniel Hoffman
Hi All.

Looking for some guidance/experience with LVM and pvmove.

I have a LUN/PV being presented from a iscsi SAN. The LUN/PV is presented
to 5 servers as a shared VG they all have LV's they use for data, they are
all connected via iSCSI.

As the SAN I am using is being replaced I need to move onto a new unit.

My migration strategy at this time is to

1. Present a new LUN from the new SAN to all machines.
2. Make a PV with the new LUN.
3. Add it to the existing VG.
4. Use pvmove to move all the data from one PV to another.
5. Once the old LUN is empty, complete a pvresize to remove the old LUN.

This all seems sound but looking for advice, specifically around the fact
that the VG/PV data is being used by a number of machines/servers and the
LV's are active on a number of different nodes.

All the documentation/examples I can find assume a disk in a server, not a
LUN on a SAN being shared by a number of servers.

Any advice is appreciated.

Thanks

Daniel


Re: [CentOS] How to configure xguest Firefox home page

2014-12-19 Thread Daniel J Walsh

On 12/09/2014 02:39 PM, James B. Byrne wrote:
> On Mon, December 8, 2014 21:12, David McGuffey wrote:
>> I've installed CentOS 6.6 on a workstation at a local non-profit as a
>> kiosk machine. I used xguest.  Works great, except now the customer
>> wants the Firefox homepage to be one pointing to a particular site.
>> Doesn't seem to be much documentation on how to make minor changes to
>> the account. Lots of SELinux guidance, but nothing about default home
>> page, etc.
>>
>> Dave
>>
>>
>>
>>
> See: /usr/lib/firefox/firefox.cfg
>
> Add: lockPref("browser.startup.homepage", "http://www.example.com/path/);
>
> Google: FireFox Kiosk
>
You can setup default configuration for the tmpfs account in /etc/skel.




Re: [CentOS] How to configure xguest Firefox home page

2014-12-19 Thread Daniel J Walsh
This is actually an old problem with pulseaudio processes not dying
properly on exit.

I think if you remove the exclusive flag from

 /etc/security/sepermit.conf

this will work in all situations.  The exclusive flag is there to make
sure two different users can not login at the same time.

On 12/09/2014 03:53 AM, Nux! wrote:
> Somewhat offtopic, watch out for xguest; it can create problems. I.e. if you 
> logout from xguest you can't log back in, you need to reboot.
>
> HTH
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> - Original Message -
>> From: "David McGuffey" 
>> To: "CentOS mailing list" 
>> Sent: Tuesday, 9 December, 2014 02:12:23
>> Subject: [CentOS] How to configure xguest Firefox home page
>> I've installed CentOS 6.6 on a workstation at a local non-profit as a
>> kiosk machine. I used xguest.  Works great, except now the customer
>> wants the Firefox homepage to be one pointing to a particular site.
>> Doesn't seem to be much documentation on how to make minor changes to
>> the account. Lots of SELinux guidance, but nothing about default home
>> page, etc.
>>
>> Dave
>>
>>



Re: [CentOS] selinux-policy update resets /etc/selinux/targeted/contexts/files/file_contexts?

2014-12-17 Thread Daniel J Walsh

On 12/17/2014 05:07 AM, Patrick Bervoets wrote:
> Hi,
>
> On an internal webserver (latest C6) I want smb-access to /var/www/html/
> In april I did
> chcon -R -t public_content_rw_t /var/www/html/
> setsebool -P allow_smbd_anon_write 1
> setsebool -P allow_httpd_anon_write 1
> echo "/var/www/html/  --
> unconfined_u:object_r:public_content_rw_t:s0" >>
> /etc/selinux/targeted/contexts/files/file_contexts
>
This is incorrect.

# semanage fcontext -a -t public_content_rw_t '/var/www/html(/.*)?'
# restorecon -R -v /var/www/html

should change the label and it should survive a relabel.

> After the latest round of updates (including selinux-policy.noarch
> 0:3.7.19-260.el6_6.1 and selinux-policy-targeted.noarch
> 0:3.7.19-260.el6_6.1) samba-access to /var/www/html was denied.
> Applying the commands above re-enabled samba-access.
>
> Anyone know how I can configure selinux to remember this after an
> update to the policies?
>
> Thanks
> Patrick

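For the semanage fcontext plus restorecon advice in this thread, the `semanage fcontext -a -e /home` reply in the init 3 thread above, and the mv/nfs_t thread at the top, here is an added model (not code from the list or from libselinux) of how a path gets its label from file_contexts, used as a dry run of what restorecon -R -v would change. It assumes a simplified selabel_file(5) matching rule, a constructed file_contexts excerpt and a constructed ls -Z inventory.

```python
"""Predict what `restorecon -R -v` will relabel by modelling how libselinux picks a
label from file_contexts (selabel_file(5)).

Added example; not code from the list or from libselinux. Simplified model:
equivalence rules from `semanage fcontext -e` rewrite the path prefix first,
every regex is anchored to the whole path, and among the specs that match the
last one wins (file_contexts runs from general to specific, and the entries
`semanage fcontext -a -t` adds to file_contexts.local come after the
distribution ones). The file_contexts excerpt and the inventory are constructed.
"""
import re

# Constructed file_contexts excerpt: (regex, file-type filter or None, context).
# Distribution entries first, then what `semanage fcontext -a -t` appended.
FILE_CONTEXTS = [
    ("/.*",                 None, "system_u:object_r:default_t:s0"),
    ("/home",               "-d", "system_u:object_r:home_root_t:s0"),
    ("/home/[^/]+",         "-d", "unconfined_u:object_r:user_home_dir_t:s0"),
    ("/home/[^/]+/.+",      None, "unconfined_u:object_r:user_home_t:s0"),
    ("/var/www(/.*)?",      None, "system_u:object_r:httpd_sys_content_t:s0"),
    ("/var/www/html(/.*)?", None, "system_u:object_r:public_content_rw_t:s0"),
]

# What `semanage fcontext -a -e /home /srv/oldhome` records: label /srv/oldhome as /home.
EQUIVALENCES = [("/srv/oldhome", "/home")]

# Constructed inventory as `ls -Z` would show it after a `mv` from an NFS mount and
# after mounting an old, never-labeled /home partition: (path, is_dir, current label).
SAMPLE_INVENTORY = [
    ("/var/www/html",              True,  "system_u:object_r:httpd_sys_content_t:s0"),
    ("/var/www/html/index.html",   False, "system_u:object_r:nfs_t:s0"),
    ("/var/www/icons/logo.png",    False, "system_u:object_r:httpd_sys_content_t:s0"),
    ("/srv/oldhome/alice",         True,  "system_u:object_r:file_t:s0"),
    ("/srv/oldhome/alice/.bashrc", False, "system_u:object_r:file_t:s0"),
]


def apply_equivalence(path, subs=EQUIVALENCES):
    """Rewrite the longest matching equivalence prefix; it must end on a path component."""
    for src, dst in sorted(subs, key=lambda s: -len(s[0])):
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def expected_context(path, is_dir=False, specs=FILE_CONTEXTS, subs=EQUIVALENCES):
    """Return the context file_contexts assigns to path, or None if nothing matches."""
    lookup = apply_equivalence(path, subs)
    winner = None
    for regex, ftype, context in specs:
        if ftype == "-d" and not is_dir:
            continue  # spec applies to directories only
        if ftype == "--" and is_dir:
            continue  # spec applies to regular files only
        if re.fullmatch(regex, lookup):
            winner = context  # keep going: a later match is the more specific one
    return winner


def _with_type(current, new_type):
    """restorecon without -F changes only the type field, keeping user, role and level."""
    parts = current.split(":")
    parts[2] = new_type
    return ":".join(parts)


def restorecon_dry_run(inventory):
    """Return (path, old, new) for every entry restorecon -R -v would relabel."""
    changes = []
    for path, is_dir, current in inventory:
        want = expected_context(path, is_dir)
        if want is None:
            continue
        want_type = want.split(":")[2]
        if want_type != current.split(":")[2]:
            changes.append((path, current, _with_type(current, want_type)))
    return changes


if __name__ == "__main__":
    for path, old, new in restorecon_dry_run(SAMPLE_INVENTORY):
        print(f"restorecon reset {path} context {old}->{new}")
```

On a real host, `restorecon -R -n -v PATH` gives the same dry run against the installed file_contexts; the model is only there to make the prefix rewrite and last-match rule visible.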


Re: [CentOS] Postfix avc (SELinux)

2014-12-08 Thread Daniel J Walsh

On 12/05/2014 01:24 PM, James B. Byrne wrote:
> On Fri, December 5, 2014 04:53, Daniel J Walsh wrote:
>> On 12/04/2014 03:22 PM, James B. Byrne wrote:
>>> On Thu, December 4, 2014 12:29, James B. Byrne wrote:
>>>> Re: SELinux. Do I just build a local policy or is there some boolean
>>>> setting
>>>> needed to handle this?  I could not find one if there is but. . .
>>>>
>>> Anyone see any problem with generating a custom policy consisting of the
>>> following?
>>>
>>> grep avc /var/log/audit/audit.log | audit2allow
>>>
>>>
>>> #= amavis_t ==
>>> allow amavis_t shell_exec_t:file execute;
>>> allow amavis_t sysfs_t:dir search;
>>>
>>> #= clamscan_t ==
>>> allow clamscan_t amavis_spool_t:dir read;
>> In the latest rhel6 policies amavis_t and clamscan_t have been merged
>> into antivirus_t?  Is your selinux-policy up to date?
> Yes, everything is up-to-date as of the time of report and I have checked
> again this morning.  That system has no unapplied fixes for software provided
> through the official CentOS-6 repositories.  Does this change apply only to 7
> or has it been backported?  Both amavisd-new and clamav are provided via the
> epel repository.

rpm -q selinux-policy

selinux-policy-3.7.19-260.el6 is the current policy in development.
>
>>> #= logwatch_mail_t ==
>>> allow logwatch_mail_t usr_t:lnk_file read;
>>>
>>> #= postfix_master_t ==
>>> allow postfix_master_t tmp_t:dir read;
>>>
>>> #= postfix_postdrop_t ==
>>> allow postfix_postdrop_t tmp_t:dir read;
>>>
>>> #= postfix_showq_t ==
>>> allow postfix_showq_t tmp_t:dir read;
>> Any reason postfix would be listing the contents of /tmp or /var/tmp?
>> Did you put some content into these directories that have something to
>> do with mail?
> That question I need put to the Postfix mailing list. I see nothing in the
> spec file that bears on the matter and the tarball was pulled from:
>
>  ftp://ftp.porcupine.org/mirrors/postfix-release/official/
>
>>> #= postfix_smtp_t ==
>>> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
>>>
>>>
>
>



Re: [CentOS] Postfix avc (SELinux)

2014-12-05 Thread Daniel J Walsh

On 12/04/2014 03:22 PM, James B. Byrne wrote:
> On Thu, December 4, 2014 12:29, James B. Byrne wrote:
>> Re: SELinux. Do I just build a local policy or is there some boolean setting
>> needed to handle this?  I could not find one if there is but. . .
>>
> Anyone see any problem with generating a custom policy consisting of the
> following?
>
> grep avc /var/log/audit/audit.log | audit2allow
>
>
> #= amavis_t ==
> allow amavis_t shell_exec_t:file execute;
> allow amavis_t sysfs_t:dir search;
>
> #= clamscan_t ==
> allow clamscan_t amavis_spool_t:dir read;
In the latest rhel6 policies amavis_t and clamscan_t have been merged
into antivirus_t?  Is your selinux-policy up to date?
> #= logwatch_mail_t ==
> allow logwatch_mail_t usr_t:lnk_file read;
>
> #= postfix_master_t ==
> allow postfix_master_t tmp_t:dir read;
>
> #= postfix_postdrop_t ==
> allow postfix_postdrop_t tmp_t:dir read;
>
> #= postfix_showq_t ==
> allow postfix_showq_t tmp_t:dir read;
Any reason postfix would be listing the contents of /tmp or /var/tmp? 
Did you put some content into these directories that have something to
do with mail?
> #= postfix_smtp_t ==
> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
>
>



Re: [CentOS] SEtroubleshootd Crashing

2014-12-04 Thread Daniel J Walsh
Are you seeing other AVCs?

On 12/03/2014 05:36 AM, John Beranek wrote:
> Indeed, thanks Dan - it doesn't get us to a completely clean running that
> would allow us to run our Node app as we are under Passenger with SELinux
> enforcing, but it at least has stopped the excessive amount of AVCs we were
> getting.
>
> John
>
> On 3 December 2014 at 10:01, Daniel J Walsh  wrote:
>
>> Looks like turning on three booleans will solve most of the problem.
>>
>> httpd_execmem, httpd_run_stickshift, allow_httpd_anon_write
>>
>>
>> On 12/03/2014 03:55 AM, John Beranek wrote:
>>> Mark: Labels look OK, restorecon has nothing to do, and:
>>>
>>> -rwxr-xr-x. root root system_u:object_r:bin_t:s0   /bin/ps
>>>
>>> dr-xr-xr-x. root root system_u:object_r:proc_t:s0  /proc
>>>
>>> I'll send the audit log on to Dan.
>>>
>>> Cheers,
>>>
>>> John
>>>
>>> On 2 December 2014 at 16:10, Daniel J Walsh  wrote:
>>>
>>>> Could you send me a copy of your audit.log.
>>>>
>>>> You should not be getting hundreds of AVC's a day.
>>>>
>>>> ausearch -m avc,user_avc -ts today
>>>>
>>>> On 12/02/2014 05:08 AM, John Beranek wrote:
>>>>> I'll jump in here to say we'll try your suggestion, but I guess what's
>>>> not
>>>>> been mentioned is that we get the setroubleshoot abrt's only a few
>> times
>>>> a
>>>>> day, but we're getting 1s of setroubleshoot messages in
>>>>> /var/log/messages a day.
>>>>>
>>>>> e.g.
>>>>>
>>>>> Dec  2 10:03:55 server audispd: queue is full - dropping event
>>>>> Dec  2 10:04:00 server audispd: last message repeated 199 times
>>>>> Dec  2 10:04:00 server rsyslogd-2177: imuxsock begins to drop messages
>>>> from
>>>>> pid 5967 due to rate-limiting
>>>>> Dec  2 10:04:01 server rsyslogd-2177: imuxsock lost 2 messages from pid
>>>>> 5967 due to rate-limiting
>>>>> Dec  2 10:04:01 server audispd: queue is full - dropping event
>>>>> Dec  2 10:04:02 server audispd: last message repeated 134 times
>>>>> Dec  2 10:04:02 server setroubleshoot: SELinux is preventing /bin/ps
>> from
>>>>> read access on the file /proc//stat. For complete SELinux
>> messages.
>>>>> run sealert -l 2274b1c7-fd69-4fa8-8e67-cd7a9da9eff4
>>>>> Dec  2 10:04:02 server audispd: queue is full - dropping event
>>>>> Dec  2 10:04:03 server audispd: last message repeated 48 times
>>>>> Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps
>> from
>>>>> getattr access on the directory /proc/. For complete SELinux
>>>> messages.
>>>>> run sealert -l 2d09d555-8834-4c27-976b-6647f8673286
>>>>> Dec  2 10:04:03 server audispd: queue is full - dropping event
>>>>> Dec  2 10:04:03 server audispd: last message repeated 15 times
>>>>> Dec  2 10:04:03 server rsyslogd-2177: imuxsock begins to drop messages
>>>> from
>>>>> pid 5967 due to rate-limiting
>>>>> Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps
>> from
>>>>> search access on the directory /proc//stat. For complete SELinux
>>>>> messages. run sealert -l 0ef0c7a1-acb2-433a-aaa2-361cc95b6069
>>>>> Dec  2 10:04:04 server setroubleshoot: last message repeated 2 times
>>>>> Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps
>> from
>>>>> getattr access on the directory /proc/. For complete SELinux
>>>> messages.
>>>>> run sealert -l 58f859b0-7382-428e-81f0-3e85f66d79fc
>>>>> Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps
>> from
>>>>> search access on the directory /proc//stat. For complete SELinux
>>>>> messages. run sealert -l 2448a46d-5089-4f85-aae8-e9013341471f
>>>>> Dec  2 10:04:05 server setroubleshoot: last message repeated 2 times
>>>>> Dec  2 10:04:05 server setroubleshoot: SELinux is preventing /bin/ps
>> from
>>>>> getattr access on the directory /proc/. For complete SELinux
>>>> messages.
>>>>> run sealert -l f935416b-54fe-4bbd-b66c-2e1b2e6724be
>>>>> Dec  2 10:04:06 server setroubleshoot: SELinux is preventing /bin/ps
>> from
>>>>> search a

Re: [CentOS] SEtroubleshootd Crashing

2014-12-03 Thread Daniel J Walsh
Looks like turning on three booleans will solve most of the problem.

httpd_execmem, httpd_run_stickshift, allow_httpd_anon_write


On 12/03/2014 03:55 AM, John Beranek wrote:
> Mark: Labels look OK, restorecon has nothing to do, and:
>
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0   /bin/ps
>
> dr-xr-xr-x. root root system_u:object_r:proc_t:s0  /proc
>
> I'll send the audit log on to Dan.
>
> Cheers,
>
> John
>
> On 2 December 2014 at 16:10, Daniel J Walsh  wrote:
>
>> Could you send me a copy of your audit.log.
>>
>> You should not be getting hundreds of AVC's a day.
>>
>> ausearch -m avc,user_avc -ts today
>>
>> On 12/02/2014 05:08 AM, John Beranek wrote:
>>> I'll jump in here to say we'll try your suggestion, but I guess what's
>> not
>>> been mentioned is that we get the setroubleshoot abrt's only a few times
>> a
>>> day, but we're getting 1s of setroubleshoot messages in
>>> /var/log/messages a day.
>>>
>>> e.g.
>>>
>>> Dec  2 10:03:55 server audispd: queue is full - dropping event
>>> Dec  2 10:04:00 server audispd: last message repeated 199 times
>>> Dec  2 10:04:00 server rsyslogd-2177: imuxsock begins to drop messages from pid 5967 due to rate-limiting
>>> Dec  2 10:04:01 server rsyslogd-2177: imuxsock lost 2 messages from pid 5967 due to rate-limiting
>>> Dec  2 10:04:01 server audispd: queue is full - dropping event
>>> Dec  2 10:04:02 server audispd: last message repeated 134 times
>>> Dec  2 10:04:02 server setroubleshoot: SELinux is preventing /bin/ps from read access on the file /proc//stat. For complete SELinux messages. run sealert -l 2274b1c7-fd69-4fa8-8e67-cd7a9da9eff4
>>> Dec  2 10:04:02 server audispd: queue is full - dropping event
>>> Dec  2 10:04:03 server audispd: last message repeated 48 times
>>> Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/. For complete SELinux messages. run sealert -l 2d09d555-8834-4c27-976b-6647f8673286
>>> Dec  2 10:04:03 server audispd: queue is full - dropping event
>>> Dec  2 10:04:03 server audispd: last message repeated 15 times
>>> Dec  2 10:04:03 server rsyslogd-2177: imuxsock begins to drop messages from pid 5967 due to rate-limiting
>>> Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from search access on the directory /proc//stat. For complete SELinux messages. run sealert -l 0ef0c7a1-acb2-433a-aaa2-361cc95b6069
>>> Dec  2 10:04:04 server setroubleshoot: last message repeated 2 times
>>> Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/. For complete SELinux messages. run sealert -l 58f859b0-7382-428e-81f0-3e85f66d79fc
>>> Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from search access on the directory /proc//stat. For complete SELinux messages. run sealert -l 2448a46d-5089-4f85-aae8-e9013341471f
>>> Dec  2 10:04:05 server setroubleshoot: last message repeated 2 times
>>> Dec  2 10:04:05 server setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/. For complete SELinux messages. run sealert -l f935416b-54fe-4bbd-b66c-2e1b2e6724be
>>> Dec  2 10:04:06 server setroubleshoot: SELinux is preventing /bin/ps from search access on the directory /proc//stat. For complete SELinux messages. run sealert -l d8dbf973-7bc2-4fd5-9540-18c4040be03c
>>> Dec  2 10:04:06 server setroubleshoot: last message repeated 2 times
>>> Dec  2 10:04:06 server sedispatch: AVC Message for setroubleshoot, dropping message
>>> Dec  2 10:04:06 server sedispatch: last message repeated 3 times
>>>
>>> Cheers,
>>>
>>> John
>>>
>>> On 1 December 2014 at 17:19, Daniel J Walsh  wrote:
>>>
>>>> On 12/01/2014 10:39 AM, Gary Smithson wrote:
>>>>> We are currently running libxml2-2.7.6-14.el6_5.2.x86_64
>>>>>
>>>>> How far back would you suggest we go? Would
>>>>> libxml2-2.7.6-14.el6_5.1.x86_64 be sufficient?
>>>> Ok might not be related.  One other suggestion would be to clear the
>>>> database out.  And see if there
>>>> was something in the database that was causing it problems.
>>>>
>>>> Make 

Re: [CentOS] SEtroubleshootd Crashing

2014-12-02 Thread Daniel J Walsh
Could you send me a copy of your audit.log.

You should not be getting hundreds of AVC's a day. 

ausearch -m avc,user_avc -ts today

On 12/02/2014 05:08 AM, John Beranek wrote:
> I'll jump in here to say we'll try your suggestion, but I guess what's not
> been mentioned is that we get the setroubleshoot abrt's only a few times a
> day, but we're getting 1s of setroubleshoot messages in
> /var/log/messages a day.
>
> e.g.
>
> Dec  2 10:03:55 server audispd: queue is full - dropping event
> Dec  2 10:04:00 server audispd: last message repeated 199 times
> Dec  2 10:04:00 server rsyslogd-2177: imuxsock begins to drop messages from
> pid 5967 due to rate-limiting
> Dec  2 10:04:01 server rsyslogd-2177: imuxsock lost 2 messages from pid
> 5967 due to rate-limiting
> Dec  2 10:04:01 server audispd: queue is full - dropping event
> Dec  2 10:04:02 server audispd: last message repeated 134 times
> Dec  2 10:04:02 server setroubleshoot: SELinux is preventing /bin/ps from
> read access on the file /proc//stat. For complete SELinux messages.
> run sealert -l 2274b1c7-fd69-4fa8-8e67-cd7a9da9eff4
> Dec  2 10:04:02 server audispd: queue is full - dropping event
> Dec  2 10:04:03 server audispd: last message repeated 48 times
> Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from
> getattr access on the directory /proc/. For complete SELinux messages.
> run sealert -l 2d09d555-8834-4c27-976b-6647f8673286
> Dec  2 10:04:03 server audispd: queue is full - dropping event
> Dec  2 10:04:03 server audispd: last message repeated 15 times
> Dec  2 10:04:03 server rsyslogd-2177: imuxsock begins to drop messages from
> pid 5967 due to rate-limiting
> Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from
> search access on the directory /proc//stat. For complete SELinux
> messages. run sealert -l 0ef0c7a1-acb2-433a-aaa2-361cc95b6069
> Dec  2 10:04:04 server setroubleshoot: last message repeated 2 times
> Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from
> getattr access on the directory /proc/. For complete SELinux messages.
> run sealert -l 58f859b0-7382-428e-81f0-3e85f66d79fc
> Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from
> search access on the directory /proc//stat. For complete SELinux
> messages. run sealert -l 2448a46d-5089-4f85-aae8-e9013341471f
> Dec  2 10:04:05 server setroubleshoot: last message repeated 2 times
> Dec  2 10:04:05 server setroubleshoot: SELinux is preventing /bin/ps from
> getattr access on the directory /proc/. For complete SELinux messages.
> run sealert -l f935416b-54fe-4bbd-b66c-2e1b2e6724be
> Dec  2 10:04:06 server setroubleshoot: SELinux is preventing /bin/ps from
> search access on the directory /proc//stat. For complete SELinux
> messages. run sealert -l d8dbf973-7bc2-4fd5-9540-18c4040be03c
> Dec  2 10:04:06 server setroubleshoot: last message repeated 2 times
> Dec  2 10:04:06 server sedispatch: AVC Message for setroubleshoot, dropping
> message
> Dec  2 10:04:06 server sedispatch: last message repeated 3 times
>
> Cheers,
>
> John
>
> On 1 December 2014 at 17:19, Daniel J Walsh  wrote:
>
>> On 12/01/2014 10:39 AM, Gary Smithson wrote:
>>> We are currently running libxml2-2.7.6-14.el6_5.2.x86_64
>>>
>>> How far back would you suggest we go? Would
>>> libxml2-2.7.6-14.el6_5.1.x86_64 be sufficient?
>> Ok might not be related.  One other suggestion would be to clear the
>> database out.  And see if there
>> was something in the database that was causing it problems.
>>
>> Make sure there is no setroubleshootd running and
>>
>>> /var/lib/setroubleshoot/setroubleshoot_database.xml
>>> -Original Message-
>>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>>> Behalf Of Daniel J Walsh
>>> Sent: 01 December 2014 15:10
>>> To: CentOS mailing list
>>> Subject: Re: [CentOS] SEtroubleshootd Crashing
>>>
>>> I am not sure.  I was just seeing email on this today.  Could you try to
>>> downgrade the latest version of libxml to see if the problem goes away.
>>> On 12/01/2014 10:01 AM, Gary Smithson wrote:
>>>> Thanks
>>>>
>>>> Could you please clarify, which version libxml is broken and has there
>>>> been a newer version released that will fix it.
>>>> -Original Message-
>>>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>>>> Behalf Of Daniel J Walsh
>>>> Sent: 01 December 2014 14:58
>>>> To: CentOS mailing list
>>>> Subject: Re: [CentOS] SEtroubleshootd Crashing
>>>>
>>&

Re: [CentOS] SEtroubleshootd Crashing

2014-12-01 Thread Daniel J Walsh

On 12/01/2014 10:39 AM, Gary Smithson wrote:
> We are currently running libxml2-2.7.6-14.el6_5.2.x86_64
>
> How far back would you suggest we go? Would libxml2-2.7.6-14.el6_5.1.x86_64
> be sufficient?
Ok might not be related.  One other suggestion would be to clear the
database out.  And see if there
was something in the database that was causing it problems.

Make sure there is no setroubleshootd running and

>/var/lib/setroubleshoot/setroubleshoot_database.xml
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf 
> Of Daniel J Walsh
> Sent: 01 December 2014 15:10
> To: CentOS mailing list
> Subject: Re: [CentOS] SEtroubleshootd Crashing
>
> I am not sure.  I was just seeing email on this today.  Could you try to 
> downgrade the latest version of libxml to see if the problem goes away.
>
> On 12/01/2014 10:01 AM, Gary Smithson wrote:
>> Thanks
>>
>> Could you please clarify, which version libxml is broken and has there been 
>> a newer version released that will fix it.
>>
>> -Original Message-
>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>> Behalf Of Daniel J Walsh
>> Sent: 01 December 2014 14:58
>> To: CentOS mailing list
>> Subject: Re: [CentOS] SEtroubleshootd Crashing
>>
>> This seems to be a problem with an updated version of libxml.
>> On 11/28/2014 09:04 AM, Gary Smithson wrote:
>>> When running Node.js through Phusion Passenger on Centos 6.5 ( Linux
>>> 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64
>>> x86_64 x86_64 GNU/Linux), with SELinux enabled in permissive mode we
>>> receive a large number of entries in the audit.log and setroubleshootd
>>> randomly crashes with the following error. We have resolved the selinux
>>> alerts by following the troubleshooting steps recommended by running
>>> sealert. However, we are concerned by setroubleshootd crashing and are
>>> concerned that we may have masked the issue by fixing the entries in the
>>> audit.log.
>>>
>>>
>>>
>>> abrt_version:   2.0.8
>>>
>>> cmdline:/usr/bin/python -Es /usr/sbin/setroubleshootd -f ''
>>>
>>> executable: /usr/sbin/setroubleshootd
>>>
>>> kernel: 2.6.32-431.23.3.el6.x86_64
>>>
>>> last_occurrence: 1417101625
>>>
>>> time:   Thu 27 Nov 2014 03:20:25 PM UTC
>>>
>>> uid:0
>>>
>>> username:   root
>>>
>>>
>>>
>>> sosreport.tar.xz: Binary file, 3642240 bytes
>>>
>>>
>>>
>>> backtrace:
>>>
>>> :analyze.py:426:lookup_signature:ProgramError: [Errno 1001] signature
>>> not found
>>>
>>> :
>>>
>>> :Traceback (most recent call last):
>>>
>>> :  File
>>> "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
>>> 401, in auto_save_callback
>>>
>>> :self.save()
>>>
>>> :  File
>>> "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
>>> 377, in save
>>>
>>> :self.prune()
>>>
>>> :  File
>>> "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
>>> 340, in prune
>>>
>>> :self.delete_signature(sig, prune=True)
>>>
>>> :  File
>>> "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
>>> 471, in delete_signature
>>>
>>> :siginfo = self.lookup_signature(sig)
>>>
>>> :  File
>>> "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
>>> 426, in lookup_signature
>>>
>>> :raise ProgramError(ERR_NO_SIGNATURE_MATCH)
>>>
>>> :ProgramError: [Errno 1001] signature not found
>>>
>>> :
>>>
>>> :Local variables in innermost frame:
>>>
>>> :matches: []
>>>
>>> :siginfo: None
>>>
>>> :self: >> 0x151d590>
>>>
>>> :sig: 
>>>
>>>
>>>
>>> We are running the following versions Passenger/httpd/node
>>>
>>>
>>> passenger --version
>>>
>>> Phusion Passenger version 4.0.53
>>>
>>>
>>> httpd -v
>>> Server version: Apache/2.2.15 (Unix)
>>> Server built:   Jul 23 2014 14:17:29
>>>
>>>
>>> node -v
>

Re: [CentOS] SEtroubleshootd Crashing

2014-12-01 Thread Daniel J Walsh
I am not sure.  I was just seeing email on this today.  Could you try to
downgrade the latest version of libxml to see if the
problem goes away.

On 12/01/2014 10:01 AM, Gary Smithson wrote:
> Thanks
>
> Could you please clarify, which version libxml is broken and has there been a 
> newer version released that will fix it.
>
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf 
> Of Daniel J Walsh
> Sent: 01 December 2014 14:58
> To: CentOS mailing list
> Subject: Re: [CentOS] SEtroubleshootd Crashing
>
> This seems to be a problem with an updated version of libxml.
> On 11/28/2014 09:04 AM, Gary Smithson wrote:
>> When running Node.js through Phusion Passenger on Centos 6.5 ( Linux 
>> 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64 x86_64 
>> x86_64 GNU/Linux), with SELinux enabled in permissive mode we receive a 
>> large number of entries in the audit.log and setroubleshootd randomly 
>> crashes with the following error. We have resolved the selinux alerts by 
>> following the troubleshooting steps recommended by running sealert. However, we 
>> are concerned by setroubleshootd crashing and are concerned that we may have 
>> masked the issue by fixing the entries in the audit.log.
>>
>>
>>
>> abrt_version:   2.0.8
>>
>> cmdline:/usr/bin/python -Es /usr/sbin/setroubleshootd -f ''
>>
>> executable: /usr/sbin/setroubleshootd
>>
>> kernel: 2.6.32-431.23.3.el6.x86_64
>>
>> last_occurrence: 1417101625
>>
>> time:   Thu 27 Nov 2014 03:20:25 PM UTC
>>
>> uid:0
>>
>> username:   root
>>
>>
>>
>> sosreport.tar.xz: Binary file, 3642240 bytes
>>
>>
>>
>> backtrace:
>>
>> :analyze.py:426:lookup_signature:ProgramError: [Errno 1001] signature not 
>> found
>>
>> :
>>
>> :Traceback (most recent call last):
>>
>> :  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 
>> 401, in auto_save_callback
>>
>> :self.save()
>>
>> :  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 
>> 377, in save
>>
>> :self.prune()
>>
>> :  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 
>> 340, in prune
>>
>> :self.delete_signature(sig, prune=True)
>>
>> :  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 
>> 471, in delete_signature
>>
>> :siginfo = self.lookup_signature(sig)
>>
>> :  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 
>> 426, in lookup_signature
>>
>> :raise ProgramError(ERR_NO_SIGNATURE_MATCH)
>>
>> :ProgramError: [Errno 1001] signature not found
>>
>> :
>>
>> :Local variables in innermost frame:
>>
>> :matches: []
>>
>> :siginfo: None
>>
>> :self: 
>>
>> :sig: 
>>
>>
>>
>> We are running the following versions Passenger/httpd/node
>>
>>
>> passenger --version
>>
>> Phusion Passenger version 4.0.53
>>
>>
>> httpd -v
>> Server version: Apache/2.2.15 (Unix)
>> Server built:   Jul 23 2014 14:17:29
>>
>>
>> node -v
>> v0.10.32
>>
>> This email is from the Press Association. For more information, see 
>> www.pressassociation.com. This email may contain confidential information. 
>> Only the addressee is permitted to read, copy, distribute or otherwise use 
>> this email or any attachments. If you have received it in error, please 
>> contact the sender immediately. Any opinion expressed in this email is 
>> personal to the sender and may not reflect the opinion of the Press 
>> Association. Any email reply to this address may be subject to interception 
>> or monitoring for operational reasons or for lawful business practices.
>> ___
>> CentOS mailing list
>> CentOS@centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>



Re: [CentOS] SEtroubleshootd Crashing

2014-12-01 Thread Daniel J Walsh
This seems to be a problem with an updated version of libxml.
On 11/28/2014 09:04 AM, Gary Smithson wrote:
> When running Node.js through Phusion Passenger on Centos 6.5 ( Linux 
> 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64 x86_64 
> x86_64 GNU/Linux), with SELinux enabled in permissive mode we receive a large 
> number of entries in the audit.log and setroubleshootd randomly crashes with 
> the following error. We have resolved the selinux alerts by following the 
> troubleshooting steps recommended by running sealert. However, we are concerned 
> by setroubleshootd crashing and are concerned that we may have masked the 
> issue by fixing the entries in the audit.log.
>
>
>
> abrt_version:   2.0.8
>
> cmdline:/usr/bin/python -Es /usr/sbin/setroubleshootd -f ''
>
> executable: /usr/sbin/setroubleshootd
>
> kernel: 2.6.32-431.23.3.el6.x86_64
>
> last_occurrence: 1417101625
>
> time:   Thu 27 Nov 2014 03:20:25 PM UTC
>
> uid:0
>
> username:   root
>
>
>
> sosreport.tar.xz: Binary file, 3642240 bytes
>
>
>
> backtrace:
>
> :analyze.py:426:lookup_signature:ProgramError: [Errno 1001] signature not 
> found
>
> :
>
> :Traceback (most recent call last):
>
> :  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 
> 401, in auto_save_callback
>
> :self.save()
>
> :  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 
> 377, in save
>
> :self.prune()
>
> :  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 
> 340, in prune
>
> :self.delete_signature(sig, prune=True)
>
> :  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 
> 471, in delete_signature
>
> :siginfo = self.lookup_signature(sig)
>
> :  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 
> 426, in lookup_signature
>
> :raise ProgramError(ERR_NO_SIGNATURE_MATCH)
>
> :ProgramError: [Errno 1001] signature not found
>
> :
>
> :Local variables in innermost frame:
>
> :matches: []
>
> :siginfo: None
>
> :self: 
>
> :sig: 
>
>
>
> We are running the following versions Passenger/httpd/node
>
>
> passenger --version
>
> Phusion Passenger version 4.0.53
>
>
> httpd -v
> Server version: Apache/2.2.15 (Unix)
> Server built:   Jul 23 2014 14:17:29
>
>
> node -v
> v0.10.32
>



Re: [CentOS] Anyone have a Brother multifunction working on Centos 7?

2014-11-17 Thread Daniel J Walsh

On 11/12/2014 10:54 PM, Peter wrote:
> On 11/13/2014 12:10 PM, Negative wrote:
>> I have a Brother MFC 7360N, and it is refusing to print.
> I have a DCP-540CN which is a similar but I think older network printer.
> I haven't tried it on CentOS 7 yet, but got it to work with Fedora 18
> and 19 which are very similar.  I do recall having to create an selinux
> policy to get it to work, so that may very well be your issue.
>
>
> Peter
Usually it should just work. But you might need to run restorecon -R -v
/usr after the install to set the SELinux labels correctly.


Re: [CentOS] Xorg installation broken under docker

2014-11-11 Thread Daniel J Walsh


On 11/11/2014 02:17 PM, Jim Perrin wrote:
>
> On 11/11/2014 12:45 PM, Daniel J Walsh wrote:
>
>> We need to get systemd-container into the default centos image.
>> We are working on this for RHEL7 also.  That way these problems
>> can be prevented and we can make it easier for people to run systemd
>> within a container.
> If the source for it is public, I would happily do this, as the current
> systemd/fakesystemd issue causes a fair amount of breakage. Where can I
> pull systemd-container source/spec?
>
>
Jim, work with Vaclav on this.



Re: [CentOS] Xorg installation broken under docker

2014-11-11 Thread Daniel J Walsh

On 11/11/2014 12:11 PM, Jim Perrin wrote:
>
> On 11/11/2014 04:51 AM, Wander Costa wrote:
>> Hi,
>>
>> I have been trying to build a docker image to run unit tests for the B2G 
>> project [1]. However when I try to install Xorg I get this error [2].
>> I have been searching on web but is still not clear for me if this is an 
>> issue or if I should proceed like this link [3] says.
>> Any idea?
>>
>
> Yes, one of the packages you're attempting to install requires systemd
> as a dependency and so you would need to follow the instructions in that
> blog. You might still run into some issues even then, if you're trying
> to display X from the container on the host.
>
> If you'd like, I have a centos-systemd container already built
> (following that blog post) that you could try.
>
>
> a 'docker pull centos/c7-systemd'  should get you what you need:
>
> reference url: https://registry.hub.docker.com/u/centos/c7-systemd/
>
>
>
We need to get systemd-container into the default centos image.
We are working on this for RHEL7 also.  That way these problems
can be prevented and we can make it easier for people to run systemd
within a container.


Re: [CentOS] ProFTPD SFTP with SELinux

2014-11-06 Thread Daniel J Walsh

On 11/05/2014 09:41 PM, Philip Gardner, Jr. wrote:
> Has anyone attempted to make SFTP on ProFTPD with SELinux work? I'd
> like to keep SELinux enabled on this particular system, but I prefer
> ProFTPD's SFTP solution over OpenSSH. The aureport tool reports the
> following:
>
> 28. 11/05/2014 12:58:58 proftpd
> unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 4 file getattr
> system_u:object_r:sshd_key_t:s0 denied 86877
>
> I have the SFTP config setup to just use the OpenSSH host keys, and it
> appears to be getting denied read access to it. Thoughts?
>
If the access makes sense, then build a custom policy module and open a
bugzilla for it.
Probably should be a boolean to allow it.


Re: [CentOS] DHCP chown

2014-11-04 Thread Daniel J Walsh

On 11/02/2014 02:45 PM, John R Pierce wrote:
> On 11/2/2014 11:37 AM, Barry Brimer wrote:
>>> I just installed 6.5 and am trying to bring up DHCP.
>>>
>>> service dhcpd start fails with "Can't chown new lease file:
>>> Operation  not
>>> permitted" in /var/log/messages
>>
>> Check the permissions in /var/lib/dhcp directory. 
>
> also check the selinux logs...  or temporarily set selinux to
> 'permissive' and see if it works, if it does, then something is fubar
> in the selinux rules.
>
>
>
Or simply run

restorecon -R -v /var

to make sure everything is labeled correctly.


Re: [CentOS] CentOS 6.6: KVM not found

2014-11-04 Thread Daniel J Walsh

On 11/01/2014 12:12 AM, Chris wrote:
> On 10/31/2014 08:12 PM, Jonathan Billings wrote:
>> Is there an AVC entry in
>> the audit logs for when you try to load the module?
> I cannot say for sure if those entries were created when starting the vm
> or when rebooting the physical host.
>
These avc's have nothing to do with virtualization, they are about
prelink, and would have no effect on whether or not you can run VM's.


Re: [CentOS] CentOS 6.6: KVM not found

2014-11-04 Thread Daniel J Walsh

On 10/31/2014 06:06 AM, Chris wrote:
> On 10/31/2014 10:47 AM, Karanbir Singh wrote:
>> can you post the relevant selinux audit.log entries that were preventing
>> kvm's ko to be loaded ?
> Sure.
>
> type=VIRT_CONTROL msg=audit(1414739214.851:62): user pid=2911 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start
> reason=booted vm="
> tor2" uuid=xxx vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=?
> terminal=? res=failed'
>
>
Those are not avc's, they are standard audit logs and have nothing to do
with SELinux.


Re: [CentOS] CentOS 6.6 Bacula-SELinux issue

2014-11-04 Thread Daniel J Walsh
I see nothing about tape_device_t in bacula policy in Fedora, so
please create a local policy and then send it to us, so it can get
merged into the upstream and back ported for RHEL/Centos.
On 10/30/2014 03:01 PM, Paul Heinlein wrote:
> I updated my backup server to CentOS 6.6 this morning. As usual, I
> unmounted the current (nightly) tape from the changer before the
> reboot. Now Bacula complains it cannot access the changer:
>
> 3301 Issuing autochanger "loaded? drive 0" command.
> 3991 Bad autochanger "loaded? drive 0" command: ERR=Child exited with
> code 1.
> Results=cannot open SCSI device '/dev/changer' - Permission denied
>
> SELinux is denying source context bacula_t from accessing target
> context tape_device_t. I took a look at the various SELinux boolean
> values but see none that applies.
>
> Has anyone else observed this symptom since upgrading?
>
> Is there a fix other than building a local policy by going through the
> "ausearch | audit2allow" iteration(s)?
>
>
>



Re: [CentOS] Centos 6.5 - Fping - SE Linux - Missing type enforcement (TE) allow rule

2014-10-26 Thread Daniel J Walsh

On 10/26/2014 12:10 AM, admin wrote:
> I've just recreated the module and enabled it, yet I can't seem to
> allow fping to be used by the httpd process. It seems that the last
> error was just a byproduct of a bad module I had not properly removed.
> Are there any additional troubleshooting steps I could try?
>
> What I've done so far :
>
> 1) grep fping /var/log/audit/audit.log | audit2allow -M observium_fping
> 2) semodule -i observium_fping.pp
>
> 3) semodule -l | grep fping
> **
> fping   1.0
> observium_fping 1.0
> **
>
> 4) cat /var/log/audit/audit.log | grep fping
>
> type=AVC msg=audit(1414295291.964:357): avc:  denied  { create } for 
> pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
> type=SYSCALL msg=audit(1414295291.964:357): arch=c03e syscall=41
> success=no exit=-13 a0=2 a1=3 a2=1 a3=7fff871b1790 items=0 ppid=5282
> pid=5283 auid=500 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48
> fsgid=48 tty=(none) ses=1 comm="fping" exe="/usr/sbin/fping"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
>
>
> On 10/25/2014 8:30 PM, Greg Lindahl wrote:
>> On Sat, Oct 25, 2014 at 04:22:38PM -0400, admin wrote:
>>
>>> # This avc is allowed in the current policy
>>> allow httpd_t self:capability net_raw;
>>> allow httpd_t self:rawip_socket create;
>> This confusing output means that the first "allow" line is in the
>> current policy, and the second is not.
>>
>> -- greg
>>
>>
>
You want to add this rule.

#cat observium_fping.te
policy_module(observium_fping, 1.0)
gen_require(`
type httpd_t;
')
allow httpd_t self:rawip_socket create_socket_perms;

# make -f /usr/share/selinux/devel/Makefile
# semodule -i observium_fping.pp
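As an added example (not code from this thread, and not audit2allow itself), the Python below parses AVC denial records like the fping one above into the raw `allow` rules they imply and wraps them in a `.te` skeleton of the shape Dan shows; the sample log is constructed from the fping, smbd and logwatch records quoted in this archive, and all function names are mine. A denial-by-denial translation yields only the single permission that was denied (`create` here), which is why Dan's module uses the broader `create_socket_perms` macro instead.

```python
"""Derive SELinux allow rules from AVC denial records (added example, not
audit2allow's own code): each `avc: denied { perm }` record becomes
`allow <src> <tgt>:<class> <perm>;`, with `self` when source and target
types coincide, wrapped in a .te skeleton like the observium_fping module."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample built from the AVC records quoted in this archive (fping
# under httpd_t, smbd connecting to an init_t socket, logwatch reading virsh).
# The SYSCALL line is constructed filler showing that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1414295291.964:357): avc:  denied  { create } for  pid=5283 comm="fping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414295291.964:357): syscall=41 success=no exit=-13 comm="fping" exe="/usr/sbin/fping"
type=AVC msg=audit(1410628837.928:422): avc:  denied  { connectto } for  pid=2330 comm="smbd" path="/run/samba/winbindd/pipe" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1410628852.301:430): avc:  denied  { connectto } for  pid=2392 comm="smbd" path="/run/samba/ncalrpc/np/netlogon" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
"""

# Only kernel AVC records are parsed. USER_AVC records (the user_avc type that
# `ausearch -m avc,user_avc` also returns) wrap the message differently.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')
Key = Tuple[str, str, str]  # (source type, target type, object class)


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit record; None for non-AVC lines and for granted accesses."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    comm = COMM_RE.search(line)
    return {
        "comm": comm.group(1) if comm else "?",
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": frozenset(m.group("perms").split()),
    }


def aggregate(log_text: str) -> Dict[Key, dict]:
    """Merge denials per (source, target, class): permission set, count, programs."""
    agg: Dict[Key, dict] = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        entry = agg.setdefault(key, {"perms": set(), "count": 0, "comms": set()})
        entry["perms"].update(rec["perms"])
        entry["count"] += 1
        entry["comms"].add(rec["comm"])
    return agg


def allow_rules(log_text: str) -> List[str]:
    """One allow rule per (source, target, class); sorted so output is stable."""
    rules = []
    for (src, tgt, cls), entry in sorted(aggregate(log_text).items()):
        target = "self" if src == tgt else tgt
        perms = " ".join(sorted(entry["perms"]))
        if len(entry["perms"]) > 1:
            perms = "{ %s }" % perms
        rules.append("allow %s %s:%s %s;" % (src, target, cls, perms))
    return rules


def policy_module(name: str, log_text: str, version: str = "1.0") -> str:
    """Wrap the rules in a .te module: policy_module() plus a gen_require block."""
    agg = aggregate(log_text)
    types = sorted({src for src, _, _ in agg} | {tgt for _, tgt, _ in agg})
    lines = ["policy_module(%s, %s)" % (name, version), "gen_require(`"]
    lines += ["\ttype %s;" % t for t in types]
    lines.append("')")
    lines += allow_rules(log_text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Triage view first (how often, from which program), then the module text.
    for (src, tgt, cls), e in sorted(aggregate(SAMPLE_AUDIT_LOG).items()):
        print("%s -> %s:%s %s x%d via %s" % (src, tgt, cls, sorted(e["perms"]),
                                              e["count"], ",".join(sorted(e["comms"]))))
    print(policy_module("observium_fping", SAMPLE_AUDIT_LOG))
```

The per-key count and program list are what you want before deciding whether a denial deserves a boolean, a custom module, or a relabel: the two smbd records above collapse into one rule that targets init_t, which is the hint that something mislabelled is listening on that socket rather than that smbd needs more permissions.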




Re: [CentOS] SAMBA as AD DC

2014-09-23 Thread Daniel J Walsh

On 09/16/2014 10:50 AM, Markus Steinborn wrote:
> Hi Daniel,
>
> Daniel J Walsh wrote:
>> What AVC's is SELinux giving you?
> Policy has been "enforcing" - and I see the following AVCs at the end
> of my audit log - but those repeated several times:
>
> type=AVC msg=audit(1410628837.928:422): avc:  denied  { connectto }
> for  pid=2330 comm="smbd" path="/run/samba/winbindd/pipe"
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1410628852.301:430): avc:  denied  { connectto }
> for  pid=2392 comm="smbd" path="/run/samba/ncalrpc/np/netlogon"
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>
This looks like you have something running as init_t that is listening
on "/run/samba/winbindd/pipe"

ps -eZ | grep init_t

>
> Greetings
>
> Markus



Re: [CentOS] SAMBA as AD DC

2014-09-16 Thread Daniel J Walsh
What AVC's is SELinux giving you?

On 09/15/2014 02:48 AM, Markus Steinborn wrote:
> Hi Miguel,
>
> Miguel Medalha wrote:
>> Anyway, Sernet also provides a source rpm. Why not build up from
>> that base?

> CentOS 7 is using systemd - that would cause problems.
>
>
> And anyway, I've used the package samba from CentOS-7 as base. This
> way, incompatibilities with base samba4 are minimized (same paths etc.).
>
> I've already written in this thread: It has turned out that selinux is
> the problem - turning off selinux helps. But that is not really what
> you want to... And since the problem is selinux, I am not sure if
> Sernet's source would have anything changed.
>
> Anyway, I do not think that my package is broken anymore since selinux
> configuration is a different thing.
>
>
> Greetings
>
> Markus



Re: [CentOS] SELinux alert on Centos 7 yum update

2014-09-11 Thread Daniel J Walsh
What AVC messages are you seeing?  What does the setroubleshoot alert
message show?

On 09/10/2014 07:04 PM, Sven Kieske wrote:
> On 10.09.2014 10:40, dE wrote:
>
> > I bet this has to do with troubleshootd (is it there in CentOS? I'm
> > not sure but in Fedora 19 it was there).
>
> I bet this has to do with the flash-plugin and virtual box
> as they most likely don't get installed in an selinux compatible
> fashion.
>
> With standard EL7 components and selinux enabled I didn't have
> any warnings during yum update so far.
>
> > Contents of /var/log/audit/audit.log will be more interesting.
>
> True
>
> kind regards
>
> Sven




Re: [CentOS] SELinux vs. virsh

2014-08-24 Thread Daniel J Walsh

On 08/23/2014 10:45 AM, Bill Gee wrote:
> On Friday, August 22, 2014 08:50:26 Daniel J Walsh wrote:
>> On 08/21/2014 10:03 AM, Bill Gee wrote:
>>> On Thursday, August 21, 2014 12:00:03 centos-requ...@centos.org wrote:
>>>> Re: [CentOS] SELinux vs. logwatch and virsh
>>>> From: Daniel J Walsh 
>>>> To: CentOS mailing list 
>>>>
>>>> On 08/18/2014 02:13 PM, Bill Gee wrote:
>>>>> Hi Dan -
>>>>>
>>>>> "ausearch -m avc -ts recent" produces no output.  If I run it as
>>>>> "ausearch
>>>>> -f  virsh" then it produces output similar to this.  Each day's run of
>>>>> logwatch produces three of these audit log entries.  The a1 and a2
>>>>> values
>>>>> are different for each entry, but everything else is the same.
>>>>>
>>>>> ===
>>>>> time->Mon Aug 18 03:21:03 2014
>>>>> type=SYSCALL msg=audit(1408350063.257:7492): arch=c03e syscall=21
>>>>> success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640
>>>>> items=0  ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash"
>>>>> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
>>>>> type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read }
>>>>> for  pid=2816  comm="bash" name="virsh" dev="dm-0" ino=135911290
>>>>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
>>>>> tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
>>>>> ===
>>>>>
>>>>> I thought about using audit2allow as you suggest.  The problem is then I
>>>>> don't  really know what change is required.  What exactly will it
>>>>> do?  And is there a guarantee that it will work?
>>>> logwatch is executing virsh probably to communicate with libvirt to
>>>> rotate logs or something.  You can look in /etc/logrotate.d for a script
>>>> with virsh to tell you what the command is trying to do.
>>> Hi Dan -
>>>
>>> I know EXACTLY what virsh is being called for.  I wrote the script!  It
>>> has
>>> nothing to do with logrotate.  I want virsh to tell logwatch what the
>>> status is of all virtual machines running on the host.  Logwatch will
>>> then include that in its daily summary report.  SELinux is getting in the
>>> way.
>>>
>>> Regards - Bill Gee
>> Well logrotate is calling the script, and you just need to add the allow
>> rules to allow logrotate to execute the script and communicate with
>> libvirt.   Or you need to run the script in a separate cron job to
>> collect the data before the logrotate script runs.
>>
>
> Hi Dan -
>
> Oops, I screwed up the subject line on the last posting.  Hopefully corrected 
> with this message.
>
> Comment - I changed my configuration so that virsh is run by a script in 
> cron.daily rather than being called from logwatch.  It saves output to a file 
> in /tmp.  Logwatch was changed to simply "cat" the file.  However, this STILL 
> produces an SELinux violation.  I am not any closer to the goal.
>
> Question - How do I add an "allow" rule to SELinux?  What exactly is to be 
> allowed and how is SELinux told to do it?
>
> Here is what ausearch finds:
>
> =
> time->Sat Aug 23 03:06:04 2014
> type=SYSCALL msg=audit(1408781164.014:1373): arch=c03e syscall=2 
> success=no exit=-13 a0=7fffb24e3da6 a1=0 a2=1fff a3=7fffb24e31d0 
> items=0 
> ppid=25741 pid=25742 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 tty=(none) ses=127 comm="cat" exe="/usr/bin/cat" 
> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for  
> pid=25742 
> comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471 
> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>
> ===

Re: [CentOS] CentOS Digest, Vol 115, Issue 21

2014-08-22 Thread Daniel J Walsh

On 08/21/2014 10:03 AM, Bill Gee wrote:
> On Thursday, August 21, 2014 12:00:03 centos-requ...@centos.org wrote:
>> Re: [CentOS] SELinux vs. logwatch and virsh
>> From: Daniel J Walsh 
>> To: CentOS mailing list 
>>
>> On 08/18/2014 02:13 PM, Bill Gee wrote:
>>> Hi Dan -
>>>
>>> "ausearch -m avc -ts recent" produces no output.  If I run it as "ausearch
>>> -f  virsh" then it produces output similar to this.  Each day's run of
>>> logwatch produces three of these audit log entries.  The a1 and a2 values
>>> are different for each entry, but everything else is the same.
>>>
>>> ===
>>> time->Mon Aug 18 03:21:03 2014
>>> type=SYSCALL msg=audit(1408350063.257:7492): arch=c03e syscall=21 
>>> success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640
>>> items=0  ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash"
>>> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
>>> type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read }
>>> for  pid=2816  comm="bash" name="virsh" dev="dm-0" ino=135911290
>>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
>>> tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
>>> ===
>>>
>>> I thought about using audit2allow as you suggest.  The problem is then I
>>> don't  really know what change is required.  What exactly will it
>>> do?  And is there a guarantee that it will work?
>> logwatch is executing virsh probably to communicate with libvirt to
>> rotate logs or something.  You can look in /etc/logrotate.d for a script
>> with virsh to tell you what the command is trying to do.
> Hi Dan -
>
> I know EXACTLY what virsh is being called for.  I wrote the script!  It has 
> nothing to do with logrotate.  I want virsh to tell logwatch what the status 
> is of all virtual machines running on the host.  Logwatch will then include 
> that in its daily summary report.  SELinux is getting in the way.
>
> Regards - Bill Gee
Well logrotate is calling the script, and you just need to add the allow
rules to allow logrotate to execute the script and communicate with
libvirt.   Or you need to run the script in a separate cron job to
collect the data before the logrotate script runs.



Re: [CentOS] HP ProLiant DL380 G5

2014-08-21 Thread Daniel J Walsh

On 08/21/2014 05:00 PM, m.r...@5-cent.us wrote:
> Matt wrote:
>>> Hate to change the conversation here but that's why I hate hardware
>>> RAID.
>>> If it was software RAID, Linux would always tell you what's going on.
>>> Besides, Linux knows much more about what is going on on the disk and
>>> what is about to happen (like a megabyte DMA transfer).
>>>
>>> BTW, check if something is creating:
>>>
>>> /forcefsck
>> These exist:
>>
>> -rw-r--r--  1 root root 0 Jul  7 10:03 .autofsck
>> -rw-r--r--  1 root root 0 Jul  7 10:03 .autorelabel
>>
>> What does that mean?
> ARRRGGGHGHGHGHGHGHHGHG!!!
>
> First, delete /.autofsck. That will stop it from fsckin'g *everything*
> every reboot. Second, is selinux in enforcing mode? In any case, have you
> recently done major changes? If not, delete /.autorelabel, since an
> selinux relabel takes a *while*, esp. if you have *lots* of files.
>
>  mark
>
/.autorelabel gets created on all SELinux-disabled systems, since if you
re-enable it, you will need a relabel.


Re: [CentOS] Centos 7 lockup

2014-08-21 Thread Daniel J Walsh

On 08/21/2014 02:09 PM, Les Mikesell wrote:
> On Thu, Aug 21, 2014 at 12:23 PM,   wrote:
>> Les Mikesell wrote:
>>> A machine I set up to run OpenNMS stopped working last night - no
>>> hardware alarm lights, but keyboard/monitor/network unresponsive.
>>> After a reboot I see a large stack of messages like this in
>>> /var/log/messages:
>>>
>>> 
>>> Aug 20 14:02:34 opennms-h-03 python: SELinux is preventing
>>> /usr/sbin/monitor-get-edid-using-vbe from mmap_zero access on the memprotect .
>>> --
>>> and then this final message
>>>
>>> Aug 20 14:02:42 opennms-h-03 dbus-daemon: 'list' object has no attribute
>>> 'split'
>>>
>>>
>>> Do either of those look fatal?   And where else should I look for the
>>> underlying problem?
>>>
>> Looks like all selinux to me, esp. the wording. Is it in enforcing mode? I
>> wonder if it's possible that there's a bug in an selinux policy that
>> results in "IT'S NOT SAFE!!! SHUT IT DOWN!!!".
> /var/log/audit/audit.log says:
> type=AVC msg=audit(1408478520.792:7016): avc:  denied  { mmap_zero }
> for  pid=17977 comm="monitor-get-edi"
> scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
> tclass=memprotect
>
> which isn't particularly readable but I would guess means that it
> blocked the ocsinventory-agent from getting the monitor type.  Not
> sure why that is supposed to be helpful, but it also doesn't sound
> fatal.  And somewhat irrelevant on a normally headless server.
>
> Does that dbus error looks serious?
> Aug 20 14:02:42 opennms-h-03 dbus-daemon: 'list' object has no attribute 
> 'split'
>
>  --
>Les Mikesell
>  lesmikes...@gmail.com
mmap_zero is a fairly dangerous access. It means the object is
attempting to memory map low memory in the kernel. Bugs in the kernel
have been known to allow priv escalation, which can be prevented by this check.

http://eparis.livejournal.com/

Talks about the access check.

I usually tell people to avoid these apps, but if you need to run it,
you can turn the protection off as the alert told you.

setsebool -P mmap_low_allowed 1





Re: [CentOS] SELinux vs. logwatch and virsh

2014-08-20 Thread Daniel J Walsh

On 08/18/2014 02:13 PM, Bill Gee wrote:
> Hi Dan -
>
> "ausearch -m avc -ts recent" produces no output.  If I run it as "ausearch -f 
> virsh" then it produces output similar to this.  Each day's run of logwatch 
> produces three of these audit log entries.  The a1 and a2 values are 
> different 
> for each entry, but everything else is the same.
>
> ===
> time->Mon Aug 18 03:21:03 2014
> type=SYSCALL msg=audit(1408350063.257:7492): arch=c03e syscall=21 
> success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640 items=0 
> ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash" 
> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816 
> comm="bash" name="virsh" dev="dm-0" ino=135911290 
> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
> ===
>
> I thought about using audit2allow as you suggest.  The problem is then I 
> don't 
> really know what change is required.  What exactly will it do?  And is there 
> a 
> guarantee that it will work?
logwatch is executing virsh probably to communicate with libvirt to
rotate logs or something.  You can look in /etc/logrotate.d for a script
with virsh to tell you what the command is trying to do.
> Regarding your general question ...  It seems to me that logwatch can be used 
> to provide feedback on operational status of almost anything on the system.  
> If you go beyond the typical reading of log files, then that often requires 
> running some script or utility program or something.  Anytime that is done, I 
> think this kind of problem will appear.
Right, but I am looking for packages that drop logrotate scripts rather
than just throwing in the towel and saying logrotate is an unconfined
domain.  If a package ships a script that SELinux will break, I want to
know what the risk is of a hacked logrotate executable causing havoc on a
system.  Potentially I can add a boolean to policy to allow the access
but deny it by default.
> Much of what logwatch does is running files through "cat".  That process runs 
> as "bin_t" which must be a general type.  I wonder what would happen if I 
> changed virsh to the same type.
You could try that, I think you will end up with other AVCs concerning
logrotate talking to libvirt.
> For what it is worth, I have another computer running CentOS 6.5 and 
> VirtualBox.  The VBoxManage program must run as the same user which is 
> running 
> the virtual machines, which frustrates me to no end.  I finally figured out a 
> way to work around it by setting up a user cron job under that user.  It 
> saves 
> the output to a text file.  The logwatch script then comes along and reads 
> that 
> file into its output.  It works, but it is not ideal.  There are obvious 
> problems with synchronization, plus if a computer is running VMs under 
> multiple user accounts, then multiple user cron jobs are needed.
>
> Thanks - Bill Gee
>
>
> =
> What AVC messages are you seeing?
>
> ausearch -m avc -ts recent.
> I would put the machine in permissive mode, run your tests and then add
> the allow rules using
>
> audit2allow -M mylogwatch
>
>
>
>
>
> Message: 8
> Date: Fri, 15 Aug 2014 11:22:40 -0400
> From: Daniel J Walsh 
> Subject: Re: [CentOS] SELinux vs. logwatch and virsh
> To: CentOS mailing list 
> Message-ID: <53ee25c0.3040...@redhat.com>
> Content-Type: text/plain; charset=windows-1252
>
>
> On 08/14/2014 11:02 AM, Bill Gee wrote:
>> Hello everyone -
>>
>> I am stumped ...  Does anyone have suggestions on how to proceed?  Is there
>> a way to get what I want?
>>
>> The environment:  CentOS 7.0 with latest patches.
>>
>> The goal:  I want logwatch to include a report on the status of kvm virtual
>> computers.
>> The problem:  When run from anacron, SELinux denies permission for the virsh
>> utility.
>> Here is a portion of the logwatch output:
>>
>> - KVM libvirt status report Begin
>>
>>  Date Range: yesterday
>>  /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission
>> denied
>>
>> -- KVM libvirt status report End -
>>

Re: [CentOS] SELinux vs. logwatch and virsh

2014-08-15 Thread Daniel J Walsh

On 08/14/2014 11:02 AM, Bill Gee wrote:
> Hello everyone -
>
> I am stumped ...  Does anyone have suggestions on how to proceed?  Is there a 
> way 
> to get what I want?
>
> The environment:  CentOS 7.0 with latest patches. 
>
> The goal:  I want logwatch to include a report on the status of kvm virtual 
> computers.
>
> The problem:  When run from anacron, SELinux denies permission for the virsh 
> utility.  
> Here is a portion of the logwatch output:
>
> - KVM libvirt status report Begin 
>  
>
>  Date Range: yesterday
>  /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission 
> denied
>  
> -- KVM libvirt status report End 
> - 
>
> If I "run-parts  /etc/cron.daily" from a root console, it all works.  Same if 
> I run "logwatch" 
> from a root console.
>
> I set SELinux to permissive and that allows virsh to run.  Therefore I know 
> it is 
> something to do with SELinux.
>
> The logwatch script is:
>
>   #Lots of comments
>   /usr/bin/virsh list --all
>
> I see the selinux security context of virsh is
>
>   system_u:object_r:virsh_exec_t:s0
>
> while logwatch.pl runs as 
>
>   system_u:object_r:logwatch_exec_t:s0
>
> As I understand it, selinux does not permit having multiple type settings for 
> a file.  Any 
> file can have exactly one type setting.  
>
> I ran this command hoping it would add another type to the virsh program.
>
>   semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh
>
>   semanage fcontext --list /usr/bin/virsh | grep virsh
> /usr/bin/virsh all files 
> system_u:object_r:logwatch_exec_t:s0 
> /usr/bin/virsh regular file  
> system_u:object_r:virsh_exec_t:s0 
> /usr/sbin/xl   regular file  
> system_u:object_r:virsh_exec_t:s0 
> /usr/sbin/xm   regular file  
> system_u:object_r:virsh_exec_t:s0 
>
> Semanage did add the new type, but that did not fix the problem.  Virsh still 
> gets 
> "permission denied" when logwatch tries to run it.
>
> Thanks - Bill Gee
BTW if you think this is something we should do in general in such a way
as logwatch can only look at the content in Read Only mode, then we
might want it to become default.




Re: [CentOS] SELinux vs. logwatch and virsh

2014-08-15 Thread Daniel J Walsh

On 08/14/2014 11:02 AM, Bill Gee wrote:
> Hello everyone -
>
> I am stumped ...  Does anyone have suggestions on how to proceed?  Is there a 
> way 
> to get what I want?
>
> The environment:  CentOS 7.0 with latest patches. 
>
> The goal:  I want logwatch to include a report on the status of kvm virtual 
> computers.
>
> The problem:  When run from anacron, SELinux denies permission for the virsh 
> utility.  
> Here is a portion of the logwatch output:
>
> - KVM libvirt status report Begin 
>  
>
>  Date Range: yesterday
>  /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission 
> denied
>  
> -- KVM libvirt status report End 
> - 
>
> If I "run-parts  /etc/cron.daily" from a root console, it all works.  Same if 
> I run "logwatch" 
> from a root console.
>
> I set SELinux to permissive and that allows virsh to run.  Therefore I know 
> it is 
> something to do with SELinux.
>
> The logwatch script is:
>
>   #Lots of comments
>   /usr/bin/virsh list --all
>
> I see the selinux security context of virsh is
>
>   system_u:object_r:virsh_exec_t:s0
>
> while logwatch.pl runs as 
>
>   system_u:object_r:logwatch_exec_t:s0
>
> As I understand it, selinux does not permit having multiple type settings for 
> a file.  Any 
> file can have exactly one type setting.  
>
> I ran this command hoping it would add another type to the virsh program.
>
>   semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh
>
>   semanage fcontext --list /usr/bin/virsh | grep virsh
> /usr/bin/virsh all files 
> system_u:object_r:logwatch_exec_t:s0 
> /usr/bin/virsh regular file  
> system_u:object_r:virsh_exec_t:s0 
> /usr/sbin/xl   regular file  
> system_u:object_r:virsh_exec_t:s0 
> /usr/sbin/xm   regular file  
> system_u:object_r:virsh_exec_t:s0 
>
> Semanage did add the new type, but that did not fix the problem.  Virsh still 
> gets 
> "permission denied" when logwatch tries to run it.
>
> Thanks - Bill Gee
What AVC messages are you seeing?

ausearch -m avc -ts recent.
I would put the machine in permissive mode, run your tests and then add
the allow rules using

audit2allow -M mylogwatch


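Dan's advice above (collect denials with `ausearch -m avc -ts recent`, run once in permissive mode, then `audit2allow -M mylogwatch`), Bill's question in the virsh thread about what an allow rule actually says, and the mmap_zero warning in the CentOS 7 lockup thread all come down to reading AVC records and deciding which of them deserve an allow rule. The script below is an added example, my own and not audit2allow or anything from the thread: it parses AVC lines, merges them per (source type, target type, class) and renders the `.te` module source audit2allow would write, then flags the two cases in these threads where loading that module unreviewed would be a mistake. Its sample input is constructed from the three AVC records quoted in the threads; the `ausearch` call is optional and assumed to be installed only if you run it on a real box.

```python
"""Turn raw AVC denial records into Type Enforcement allow rules.

Added example, not audit2allow itself: a minimal model of what
'ausearch -m avc -ts recent | audit2allow -M mylogwatch' does, so the rules
it would write for the denials quoted in this thread can be read and judged
before they are compiled and loaded with semodule.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample: the three AVC records quoted in this thread, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for  pid=25742 comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1408478520.792:7016): avc:  denied  { mmap_zero } for  pid=17977 comm="monitor-get-edi" scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=memprotect
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that must not be allowed merely because a denial was logged:
# mmap_zero maps the lowest pages of the address space (the kernel NULL-pointer
# escalation vector discussed in this thread); the exec* ones relax W^X.
DANGEROUS_PERMS = {"mmap_zero", "execmem", "execstack", "execheap", "execmod"}
# Types shared by other users' scratch files; allowing the whole type grants far
# more than the single file a script actually needs.
SHARED_SCRATCH_TYPES = {"user_tmp_t", "tmp_t"}


def type_of(context):
    """'system_u:system_r:logwatch_t:s0-s0:c0.c1023' -> 'logwatch_t'."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source type, target type, object class, {permissions}) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("result") == "denied":
            yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
                   m.group("tclass"), set(m.group("perms").split()))


def merge_denials(text):
    """Collapse repeated denials into one permission set per (src, tgt, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_rules(text):
    """TE allow rules as audit2allow prints them ('self' when src == tgt)."""
    return [
        f"allow {src} {'self' if tgt == src else tgt}:{cls} {fmt_perms(perms)};"
        for (src, tgt, cls), perms in sorted(merge_denials(text).items())
    ]


def review_flags(text):
    """Rules a reviewer should refuse or narrow instead of loading as generated."""
    flags = []
    for (src, tgt, cls), perms in sorted(merge_denials(text).items()):
        risky = perms & DANGEROUS_PERMS
        if risky:
            flags.append((src, f"{', '.join(sorted(risky))} on {cls}: bypasses a memory "
                               "protection; use the policy boolean (mmap_low_allowed for "
                               "mmap_zero) only if the program is really needed"))
        if tgt in SHARED_SCRATCH_TYPES:
            flags.append((src, f"access to every {tgt} file: relabel the one file the "
                               "script reads instead of allowing the whole type"))
    return flags


def te_module(name, text):
    """Render a complete policy module source like 'audit2allow -M name' writes."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in merge_denials(text).items():
        types.update({src, tgt})
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + build_rules(text)
    return "\n".join(lines) + "\n"


def recent_denials():
    """Live input as the thread suggests: 'ausearch -m avc -ts recent' (assumed installed)."""
    try:
        return subprocess.run(["ausearch", "-m", "avc", "-ts", "recent"],
                              capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    log = recent_denials() or SAMPLE_AUDIT_LOG
    print(te_module("mylogwatch", log))
    for domain, reason in review_flags(log):
        print(f"REVIEW {domain}: {reason}")
```

Run as root on the affected host it prints the module for the live denials; with no `ausearch` it falls back to the constructed sample and prints three rules plus two review flags. The point of `review_flags` is the part audit2allow leaves to you: the virsh rule is the narrow one Bill wanted, the user_tmp_t rule opens every user's scratch file to logwatch_t, and the memprotect rule is exactly the check Dan describes as protecting against kernel low-memory bugs.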


Re: [CentOS] when will docker 1.1.2 for rhel7 be released?

2014-08-12 Thread Daniel J Walsh
We are working on an update to docker within RHEL7.  First we are
releasing it to our High Touch Beta process.  If you are on HTB you
should see a release in the next week.


On 08/12/2014 08:54 AM, Jim Perrin wrote:
>
> On 08/11/2014 07:02 PM, Dennis Jacobfeuerborn wrote:
>
>> Looks like docker-io-1.0.0 is available in EPEL:
>> http://dl.fedoraproject.org/pub/epel/beta/7/x86_64/repoview/docker-io.html
> This package is due to be removed from EPEL soon, because of EPEL's
> policy of not competing/conflicting with base offerings. I wouldn't rely
> on this particular package
>
>
>> If you really want to use the latest version of docker you cannot rely
>> on RHEL packages though as they only get updated with important fixes
>> and usually only with point releases (unless it's a security bug).
>
> Keep in mind that docker is part of upstream's 'Extras' repository,
> which doesn't have the same lifecycle that the rest of EL7 has. It's a
> shorter 18 month cycle I believe, so you might very well see re-basing
> going on there.
>



Re: [CentOS] rsyslog does not log on a separate partition/FS mounted on /var/log/

2014-08-07 Thread Daniel J Walsh


On 08/07/2014 05:48 AM, Arun Khan wrote:
> SOLVED
>
> On Wed, Aug 6, 2014 at 10:28 PM, James A. Peltier  wrote:
>> - Original Message -
>> | On Wed, Aug 06, 2014 at 04:50:41PM +, Tony Mountifield wrote:
>> | >
>> | > Probably rsyslog is being started before /var/log is mounted, and
>> | > so it
>> | > is opening files within /var/log on the root device.
>> |
>> | rsyslog should start after local mounts are finished.
>> |
>> | I suspect it's selinux; /var/log should have a "var_log_t" context
>> | and I
>> | suspect it doesn't.
>>
>> running a restorecon -vv on /var/log should correct that automatically I 
>> would think.
>>
> I had suspected SElinux and have it disabled still rsyslogd was not
> logging on the new device mounted on /var/log/
>
> ***  restorecon -vv /var/log does the trick! ***
>
> @ James A. Peltier Thank you!
>
> FWIW - here are the steps
>
> 1. service rsyslog stop
> 2. mount  /mnt/
> 3. rsync -aP /var/log/ /mnt/
> 4. rm -fr /var/log/*
> 5. umount /mnt
> 6. mount  /var/log/  (also make change to /etc/fstab)
> 7. restorecon -vv /var/log   <<< the solution
> 8. service rsyslog start.
> 9. logger "this is a test"
> 10. tail /var/log/messages to verify that indeed the logger string was logged.
>
> -- Arun Khan
If restorecon fixes the problem, then you never disabled SELinux.

If you untar files into a location, you should always run restorecon on
the directory to fix the SELinux labels.

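Two threads above turn on the same mechanism: Bill added a second `semanage fcontext` entry for /usr/bin/virsh and saw no change, and Arun's rsyslog stopped writing after /var/log was copied to a new filesystem until `restorecon` ran. Both are explained by the split between the file_contexts specs (what a path *should* be labelled) and the label actually stored on the inode (what the kernel checks). The model below is an added example, mine and not libselinux or anything from the threads. It assumes the precedence documented for file_contexts (entries written by `semanage fcontext -a` to file_contexts.local override the distribution policy's entries, and within one list the last matching entry wins, with the file-type column filtering by regular file or directory), uses a constructed, shortened excerpt of the relevant policy entries, and stands in for the label a freshly created filesystem carries with a placeholder `unlabeled_t` value; whatever that label really is, the relabel step overwrites it.

```python
"""Model of how SELinux picks and repairs file labels.

Added example, not libselinux: a tiny model of matchpathcon/restorecon. It
shows why 'semanage fcontext -a' alone changed nothing for Bill (the on-disk
label is untouched until restorecon rewrites it) and why restorecon fixed
Arun's /var/log move (files recreated on a new filesystem carry that
filesystem's labels, not var_log_t, until relabelled). A file has exactly one
label; a spec does not add a second type, it decides what restorecon writes.
"""
import re


class Spec:
    """One file_contexts entry: anchored regex, file-type column, context.
    ftype is '' (all files), '--' (regular file) or '-d' (directory)."""

    def __init__(self, regex, ftype, context):
        self.regex = re.compile(regex + "$")
        self.ftype = ftype
        self.context = context


# Constructed policy excerpt: the entries from Bill's 'semanage fcontext --list'
# plus simplified var_log entries (assumption: the real patterns are longer).
POLICY_SPECS = [
    Spec(r"/usr/bin/virsh", "--", "system_u:object_r:virsh_exec_t:s0"),
    Spec(r"/usr/sbin/xl", "--", "system_u:object_r:virsh_exec_t:s0"),
    Spec(r"/usr/sbin/xm", "--", "system_u:object_r:virsh_exec_t:s0"),
    Spec(r"/var/log", "-d", "system_u:object_r:var_log_t:s0"),
    Spec(r"/var/log/.*", "", "system_u:object_r:var_log_t:s0"),
]
# What 'semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh' writes to
# file_contexts.local: an 'all files' entry for the literal path.
LOCAL_SPECS = [Spec(r"/usr/bin/virsh", "", "system_u:object_r:logwatch_exec_t:s0")]

UNLABELED = "system_u:object_r:unlabeled_t:s0"


def matchpathcon(path, is_dir, local=(), policy=POLICY_SPECS):
    """Default context for path. Assumed precedence: local customizations beat
    policy entries, and within one list the last matching entry wins."""
    want = "-d" if is_dir else "--"
    for specs in (local, policy):
        for spec in reversed(specs):
            if spec.ftype in ("", want) and spec.regex.match(path):
                return spec.context
    return UNLABELED


def restorecon(disk, path, is_dir, local=()):
    """Rewrite one path's stored label from the specs; return (old, new)."""
    old = disk[path]
    disk[path] = matchpathcon(path, is_dir, local)
    return old, disk[path]


def bill_scenario():
    """Adding a spec does not touch the file; only restorecon does."""
    disk = {"/usr/bin/virsh": matchpathcon("/usr/bin/virsh", False)}
    after_semanage = disk["/usr/bin/virsh"]  # still virsh_exec_t on disk
    _, after_restorecon = restorecon(disk, "/usr/bin/virsh", False, LOCAL_SPECS)
    return after_semanage, after_restorecon


def arun_scenario(new_fs_label=UNLABELED):
    """rsync -a (without -X) recreates the files on the new filesystem, so they
    carry a label derived from that filesystem (constructed here as
    new_fs_label), not var_log_t, and the daemon's domain is denied on that
    type. Returns the labels before and after relabelling."""
    disk = {"/var/log": new_fs_label, "/var/log/messages": new_fs_label}
    before = dict(disk)
    for path in disk:
        restorecon(disk, path, is_dir=(path == "/var/log"))
    return before, disk


if __name__ == "__main__":
    print("virsh: after semanage / after restorecon:", bill_scenario())
    print("/var/log: before / after restorecon:", arun_scenario())
```

The practical reading: after `semanage fcontext -a`, always run `restorecon -v` on the path and check `ls -Z`, and after moving a tree between filesystems run `restorecon -Rv` on the mount point before starting the daemon that writes there. The model also makes Dan's remark concrete: if restorecon changed anything, the labels were being enforced, so SELinux was not disabled.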


Re: [CentOS] CentOS 7 Anaconda GUI resolution

2014-07-10 Thread Daniel Johnson
On 07/10/2014 08:28 PM, Johnny Hughes wrote:
> On 07/10/2014 08:01 PM, Daniel Johnson wrote:

>> Under the normal boot from the normal DVD, graphics-mode output
>> is discolored and squashed to the left of the display.  In the
>> "Basic Graphics" troubleshooting mode the output is clear and
>> proper, but still just 640x480.

> There is a basic video install in the 3rd selection when you boot
> the iso .. in the "Troubleshooting" section.  You might give that a
> try and see if it works better after boot of the OS.  The anaconda
> drivers are a subset of the drivers for the distro, so it might
> work better after initial.
> 
> Might also try one of the LiveGnome or LiveKDE isos.

Thanks!  I did try Basic Graphics before, and while it made the image
clear and distortion-free it was still 640x480.

While browsing bugs.centos.org I saw a reference to using "vga=773" to
fix the resolution in VMware Fusion/Workstation, but it had no effect
on the physical server's GUI when I tried it.

The same bug post mentioned putting "text" on the kernel line.  I
didn't think that was supported on CentOS 7, should that be in the
Troubleshooting menu too?  I'm using that to get the server at least
basically loaded for now, I'll go back later and tweak the
auto-generated KS file to re-install the way I want it.

[https://bugs.centos.org/view.php?id=7313]

Daniel Johnson
djohn...@progman.us



[CentOS] CentOS 7 Anaconda GUI resolution

2014-07-10 Thread Daniel Johnson
Greetings!  I tried installing CentOS v7 (1406) to an old spare
machine, and the video card apparently doesn't play well with X.  It is
incorrectly saying that either monitor I connect is only able to
support 640x480, when one is 1024x768 and the other supports a higher
(but now forgotten) resolution.  In no way do I expect a fix to be
added just to support my antique.  :)

What I'd like to find, or have added to future CentOS installation
discs, is a way to force the GUI resolution.  Alternately, if nothing
below 800x600 will show the GUI properly perhaps the installer should
just forcibly set that as the minimum, no matter what the hardware
claims to allow?

Details of the hardware and such follow, let me know if you need more.
=-=-=-=-=-=

Under the normal boot from the normal DVD, graphics-mode output is
discolored and squashed to the left of the display.  In the "Basic
Graphics" troubleshooting mode the output is clear and proper, but
still just 640x480.

Server: Gateway E-9422R
Video card: Matrox Graphics MGA G200e, PCI 102b:0522

I captured the output of lspci, dmidecode, /tmp, and /var/log in both
Normal and Basic Graphics boot modes.  The file is 1,692,776 bytes and
has the following SHA1 checksum:

f9cd800ced963e29d0bb3e4381596dc3b61a4c4c
*CentOS7_InstallerResolutionProblem.tar.xz

It can be downloaded from this link:
  http://s000.tinyupload.com/index.php?file_id=55151826488339350948


Daniel Johnson
djohn...@progman.us


Re: [CentOS] SELinux context for web application directories

2014-06-29 Thread Daniel J Walsh

On 06/27/2014 11:47 AM, James B. Byrne wrote:
> CentOS-6.5
>
> We deploy web applications written with the Ruby on Rails framework using
> Capistrano (2.x).  Each 'family' of web applications are 'owned' by a
> dedicated user id.  The present httpd service is Apache 2.2.15 and we use
> Passenger 3.0.11.  We are moving shortly to a new deployment host and at that
> time we will be updating to Apache 2.4.9 and Passenger 4..0.25.
>
> Our deployment practice is to place the 'family' directory under /var/data/. 
> This is the home directory of the application user id. We place each
> individual web application or component into its own directory underneath the
> family root.  So that things look like this:
>
> /var/data/hll_th
> ├── backups
> │   └── pgsql
> ├── etc
> │   └── database.yml
> ├── hll_th_cc_edi_get
> │   ├── current ->
> /var/data/hll_th/hll_th_forex_rss/releases/20140519201615
> │   ├── releases
> │   └── shared
> ├── hll_th_forex_rss
> │   ├── current ->
> /var/data/hll_th/hll_th_forex_rss/releases/20131204193652
> │   ├── releases
> │   └── shared
> ├── hll_th_hp3000_billing
> │   ├── current ->
> /var/data/hll_th/hll_th_forex_rss/releases/20140214211431
> │   ├── releases
> │   └── shared
> ├── log
> ├── lost+found
> └── pgpass -> .pgpass
>
> The questions I have are: What is an appropriate SELinux context for such a
> directory structure given it is used by a httpd service?  Is the default user
> home setting of system_u:object_r:home_root_t acceptable?  Is
> system_u:object_r:httpd_sys_content_t preferable instead?  is some other
> SELinux context preferred for RoR web applications using Apache with
> mod-passenger?
>
>
I would think that httpd_sys_content_t and httpd_sys_rw_content_t would
be appropriate.
These are not real user accounts, meaning normal users do not login to
these systems.




Re: [CentOS] mail delivery question

2014-06-23 Thread Daniel J Walsh

On 06/20/2014 03:15 PM, Chuck Campbell wrote:
> I've built a new mail system with Centos 6.5, and I'm running fetchmail -
> sendmail - procmail to maildir. I have all of this working at the moment.(I
> know, postfix was the default, but for lots of other reasons, I switched, and
> that isn't an issue, I don't think).
>
> I am using dovecot as an imap server. Procmail won't update indexes during 
> email
> delivery, so I'm having some performance delays and lags when accessing the
> emails via imap. I would like to use dovecot-lda for delivery, but I get
> permission denied errors, and I don't know why or where they are coming from.
>
> Here is the .procmailrc and procmail log file response when I try to use
> dovecot-lda from procmail:
>
> .procmailrc
>
> SHELL=/bin/sh
> PATH=$HOME/bin:/bin:/usr/bin:/usr/local/bin:/usr/contrib/bin:.
> # one page suggested MAILDIR has no trailing slash, but DEFAULT should have 
> one
> MAILDIR=$HOME/Maildir/  # You'd better make sure it exists '
> DEFAULT=$MAILDIR
> LOGFILE="$HOME/procmail_log"
> LOCKFILE="$HOME/.lockmail"
> LOCKEXT=.lock
> :0
> * .
> {
>  LOG="$NL default recipe using copy to .ham_to_learn/ (maildir version) $NL"
> }
>  :0 c
>  .ham_to_learn/
>  :0
>   | /usr/libexec/dovecot/deliver -m $DEFAULT
>
>
> I get this in my log file:
>
> procmail: [27709] Fri Jun 20 14:00:17 2014
>  default recipe using copy to .ham_to_learn/ (maildir version)
> procmail: Assigning "LASTFOLDER=.ham_to_learn/new/1403290809.27709_3.helium"
> procmail: Assigning "LASTFOLDER=/usr/libexec/dovecot/deliver -m
> /home/campbell/Maildir/"
> procmail: Notified comsat: "campbell@:/usr/libexec/dovecot/deliver -m
> /home/campbell/Maildir/"
> From campb...@accelinc.com  Fri Jun 20 14:00:06 2014
>  Subject: Re: Uruguay gravity model description
>   Folder: /usr/libexec/dovecot/deliver -m /home/campbell/Maildir/ 
> 10470
> procmail: Unlocking "/home/campbell/.lockmail"
> procmail: Executing "/usr/libexec/dovecot/deliver,-m,/home/campbell/Maildir/"
> /bin/sh: /usr/libexec/dovecot/deliver: Permission denied
>
> ls -laFZ /usr/libexec/
> 
> drwxr-xr-x. root root system_u:object_r:bin_t:s0   dovecot/
> 
>
> ls -laFZ /usr/libexec/dovecot
> 
> lrwxrwxrwx. root root system_u:object_r:bin_t:s0   deliver -> dovecot-lda*
> -rwxr-xr-x. root root system_u:object_r:dovecot_deliver_exec_t:s0 dovecot-lda*
> 
>
> It doesn't matter whether I reference the link file, or dovecot-lda directly, 
> I
> get the same result.
>
> I'm not getting any AVC (SELinux) entries in my /var/log/audit/audit.log, so 
> it
> doesn't appear to be unix permissions, or SELinux issues.
> How can I find out what permissions I need to change?
>
> -chuck
>
>
> --
> current working (but not indexing) examples below here.
>
> Two versions using procmail for delivery that succeed:
>
>
> If my .procmailrc file that looks like this:
>
> SHELL=/bin/sh
> PATH=$HOME/bin:/bin:/usr/bin:/usr/local/bin:/usr/contrib/bin:.
> # one page suggested MAILDIR has no trailing slash, but DEFAULT should have 
> one
> MAILDIR=$HOME/Maildir/  # You'd better make sure it exists '
> DEFAULT=$MAILDIR
> LOGFILE="$HOME/procmail_log"
> LOCKFILE="$HOME/.lockmail"
> LOCKEXT=.lock
> :0
> * .
> {
>  LOG="$NL default recipe using copy to .ham_to_learn/ (maildir version) $NL"
> }
>  :0 c
>  .ham_to_learn/
>
>
> I get this in my log file:
>
> procmail: [27580] Fri Jun 20 13:37:55 2014
>  default recipe using copy to .ham_to_learn/ (maildir version)
> procmail: Assigning "LASTFOLDER=.ham_to_learn/new/1403289475.27580_2.helium"
> procmail: Assigning
> "LASTFOLDER=/home/campbell/Maildir/new/1403289475.27580_3.helium"
> procmail: Notified comsat:
> "campbell@0:/home/campbell/Maildir/new/1403289475.27580_3.helium"
> From campb...@accelinc.com  Fri Jun 20 13:37:55 2014
>  Subject: t41
>   Folder: /home/campbell/Maildir/new/1403289475.27580_3.helium 
> 4299
> procmail: Unlocking "/home/campbell/.lockmail"
>
> I get a copy in my inbox and a copy in my ham to learn folder. All appears OK
>
> If I use this recipe:
>
> SHELL=/bin/sh
> PATH=$HOME/bin:/bin:/usr/bin:/usr/local/bin:/usr/contrib/bin:.
> # one page suggested MAILDIR has no trailing slash, but DEFAULT should have 
> one
> MAILDIR=$HOME/Maildir/  # You'd better make sure it exists '
> DEFAULT=$MAILDIR
> LOGFILE="$HOME/procmail_log"
> LOCKFILE="$HOME/.lockmail"
> LOCKEXT=.lock
> :0
> * .
> {
>  LOG="$NL default recipe using copy to .ham_to_learn/ (maildir version) $NL"
> }
>  :0 c
>  .ham_to_learn/
>  :0
>   $DEFAULT
>
> I get this in my log file (same as above, all is well):
>
> procmail: [27646] Fri Jun 20 13:46:25 2014
>  default recipe using copy to .ham_to_learn/ (maildir version)
> procmail: Assigning "LASTFOLDER=.ham_to_learn/new/1403289985.27646_2.helium"
> procmail: Assigning
> "LASTFOLDER=/home/campbell/Maildir/new/1403289985.27646_3.helium"
> procmail: Notified comsat:
> "campbell@0:/home/campbell/Maildir/new/1403289985.27646_

Re: [CentOS] SELinux issue?

2014-06-16 Thread Daniel J Walsh

On 06/16/2014 11:13 AM, m.r...@5-cent.us wrote:
> Chuck Campbell wrote:
>> I've recently built a new mail server with centos6.5, and decided to bite
>> the bullet and leave SELinux running. I've stumbled through making
> things work
>> and am mostly there.
>>
>> I've got my own spam and ham corpus as mbox files in
>> /home/user/Mail/learned.
>> These files came from my backup of the centos 5 server this machine is
>> replacing.
>>
>> The folder is owned by the user (the following is run as root):
>> ls -laF learned
>> drw---. 6 user group   4096 Jun 10 03:35 ./
>> drw---. 6 user group  35864 Jun 10 03:35 ../
>> drw---. 6 user group   4096 Jun 10 03:35 2004/
>> -rw---. 6 user group 155296 Jun 10 03:35 2014_10_Jun_learned_spam
>> -rw---. 6 user group 996584 Jun 10 03:35 2014_10_Jun_learned_ham
>>
>> also as root:
>> ls -laZ learned
>> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 .
>> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 ..
>> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 2004
>> -rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_spam
>> -rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_ham
>>
>> When I do the same as the user, I get this:
>> ls -laF learned
>> ls: cannot access learned/2004: Permission denied
>> ls: cannot access 2014_10_Jun_learned_spam: Permission denied
>> ls: cannot access 2014_10_Jun_learned_ham: Permission denied
> 
> Yup, you will. The *directories* have to be executable for you to look in
> them.
>
>   mark
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
I think this is more of a DAC issue as Mark has said. 



Re: [CentOS] /etc/bash_completion.d/git generates permissions errors

2014-05-28 Thread Daniel J Walsh

On 05/28/2014 12:55 PM, James B. Byrne wrote:
> I did a yum update to my desktop machine as root this morning and now my
> regular logon account sees this whenever I press the enter key:
>
> etc/audisp/audispd.conf: Permission denied
> etc/audisp/plugins.d/af_unix.conf: Permission denied
> etc/audisp/plugins.d/syslog.conf: Permission denied
> etc/audit/audit.rules: Permission denied
> etc/audit/auditd.conf: Permission denied
> etc/dhcp/dhclient.d/ntp.sh: Permission denied
> etc/libvirt/libvirt.conf: Permission denied
> etc/libvirt/libvirtd.conf: Permission denied
> etc/libvirt/lxc.conf: Permission denied
> etc/libvirt/nwfilter/allow-arp.xml: Permission denied
> etc/libvirt/nwfilter/allow-dhcp-server.xml: Permission denied
> etc/libvirt/nwfilter/allow-dhcp.xml: Permission denied
> etc/libvirt/nwfilter/allow-incoming-ipv4.xml: Permission denied
> etc/libvirt/nwfilter/allow-ipv4.xml: Permission denied
> etc/libvirt/nwfilter/clean-traffic.xml: Permission denied
>
> . . .
>
> etc/lvm/backup/vg_vhost04: Permission denied
> etc/lvm/backup/vg_xnet241: Permission denied
> etc/lvm/backup/vg_xnet242: Permission denied
> etc/lvm/backup/vg_xnet243: Permission denied
> etc/ntp/crypto/pw: Permission denied
> etc/selinux/targeted/modules/active/base.pp: Permission denied
> etc/selinux/targeted/modules/active/commit_num: Permission denied
> etc/selinux/targeted/modules/active/file_contexts: Permission denied
> etc/selinux/targeted/modules/active/file_contexts.homedirs: Permission denied
> etc/selinux/targeted/modules/active/file_contexts.local: Permission denied
> etc/selinux/targeted/modules/active/file_contexts.template: Permission denied
>
> . . .
>
> root/iaxmodem-debuginfo-1.2.0-1.el6.x86_64.rpm: Permission denied
> root/ifcfg-br0: Permission denied
> root/ifcfg-br1: Permission denied
> root/ifcfg-eth0: Permission denied
> root/ifcfg-eth0:xxx: Permission denied
> root/ifcfg-eth1: Permission denied
> root/install.log: Permission denied
> root/install.log.syslog: Permission denied
> root/internal_call.trace: Permission denied
> root/iptables.gateway.revised: Permission denied
> root/iptables.gway01.20130517: Permission denied
> root/iptables.inet09-2012-12-31: Permission denied
> root/jcameron-key.asc: Permission denied
> root/locale_en...@-mmm-dd.tar.gz: Permission denied
> root/more_or_less_commands.txt: Permission denied
> root/named.conf.bind-9.8.2-default-2013-07-04: Permission denied
> root/named.conf.inet01-dns01-2013-07-04: Permission denied
> root/named.conf.inet03-dnm-2013-07-04: Permission denied
> root/pg_hba.conf: Permission denied
> root/pg_ident.conf: Permission denied
> root/pgadmin.log: Permission denied
> root/pgdg-91-centos.repo: Permission denied
> root/ping_host.sh: Permission denied
> root/ping_http.sh: Permission denied
> root/postgresql.conf: Permission denied
> root/root_voinet09.tgz: Permission denied
> root/rsync_control.tgz: Permission denied
> root/rsync_inet01.sh: Permission denied
> root/rsync_inet02.sh: Permission denied
> root/rsync_inet03.sh: Permission denied
> root/rsync_inet04.sh: Permission denied
> root/rsync_inet05.sh: Permission denied
> root/rsync_inet06.sh: Permission denied
> root/rsync_inet07.sh: Permission denied
> root/rsync_inet08.sh: Permission denied
> root/rsync_inet09.sh: Permission denied
> root/rsync_voinet09_freepbx.sh: Permission denied
> root/rsync_xnet241_home_byrnejb.sh: Permission denied
> root/ttyS0.conf: Permission denied
> root/vimsetup.tgz: Permission denied
> root/virtinstallscript: Permission denied
> root/voinet01_pki.tgz: Permission denied
> root/xTuple-3.8.2-linux-installer.run: Permission denied
>
> I traced this back to this statement in ~/.bash_profile
>
> source /etc/bash_completion.d/git
>
> Removing this statement allows new terminal sessions for my regular account to
> work as they did before - in other words without the massive list of
> permissions errors.  This file comes from the git package in base:
>
> $ yum provides /etc/bash_completion.d/git
> . . .
> 129 packages excluded due to repository priority protections
> git-1.7.1-3.el6_4.1.x86_64 : Fast Version Control System
> Repo: base
> Matched from:
> Filename: /etc/bash_completion.d/git
>
>
> My question is: what is in /etc/bash_completion.d/git that is causing this?
>
>
Are you running with a confined user?  id -Z?  Is this an SELinux issue?


Re: [CentOS] abrt dump qt selinux

2014-05-20 Thread Daniel J Walsh
Was the system running out of memory?

semodule is very memory intensive.

On 05/20/2014 01:57 PM, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS
INC] wrote:
> Hi all,
>
> Note: selinux was in permissive prior to error
>
> Got this with a yum update:
>
> abrt_version:   2.0.8
> cgroup:
> cmdline:semodule -n -r oracle-port -b base.pp.bz2 -i
> accountsd.pp.bz2 ada.pp.bz2 cachefilesd.pp.bz2 cpufreqselector.pp.bz2
> chrome.pp.bz2 awstats.pp.bz2 abrt.pp.bz2 aiccu.pp.bz2 amanda.pp.bz2
> afs.pp.bz2 apache.pp.bz2 arpwatch.pp.bz2 audioentropy.pp.bz2
> asterisk.pp.bz2 automount.pp.bz2 avahi.pp.bz2 boinc.pp.bz2 bind.pp.bz2
> bugzilla.pp.bz2 dirsrv.pp.bz2 dirsrv-admin.pp.bz2 dnsmasq.pp.bz2
> bluetooth.pp.bz2 canna.pp.bz2 ccs.pp.bz2 calamaris.pp.bz2
> cdrecord.pp.bz2 certwatch.pp.bz2 certmaster.pp.bz2 certmonger.pp.bz2
> cipe.pp.bz2 chronyd.pp.bz2 cobbler.pp.bz2 comsat.pp.bz2
> consolekit.pp.bz2 cups.pp.bz2 cvs.pp.bz2 cyphesis.pp.bz2 cyrus.pp.bz2
> daemontools.pp.bz2 dbskk.pp.bz2 dcc.pp.bz2 devicekit.pp.bz2
> dhcp.pp.bz2 dictd.pp.bz2 dovecot.pp.bz2 gitosis.pp.bz2 gpg.pp.bz2
> gpsd.pp.bz2 git.pp.bz2 gpm.pp.bz2 ethereal.pp.bz2 fail2ban.pp.bz2
> fetchmail.pp.bz2 finger.pp.bz2 firewallgui.pp.bz2 fprintd.pp.bz2
> ftp.pp.bz2 games.pp.bz2 gnome.pp.bz2 gnomeclock.pp.bz2 hal.pp.bz2
> hddtemp.pp.bz2 passenger.pp.bz2 permissivedomains.pp.bz2
> policykit.pp.bz2 puppet.pp.bz2 ptchown.pp.bz2 psad.pp.bz2 howl.pp.bz2
> inn.pp.bz2 ipsec.pp.bz2 irc.pp.bz2 iscsi.pp.bz2 icecast.pp.bz2
> jabber.pp.bz2 java.pp.bz2 execmem.pp.bz2 kdump.pp.bz2 kdumpgui.pp.bz2
> ksmtuned.pp.bz2 kerberos.pp.bz2 ktalk.pp.bz2 ldap.pp.bz2
> likewise.pp.bz2 lockdev.pp.bz2 lpd.pp.bz2 lircd.pp.bz2 mailman.pp.bz2
> mono.pp.bz2 mozilla.pp.bz2 ntop.pp.bz2 nslcd.pp.bz2 nsplugin.pp.bz2
> modemmanager.pp.bz2 mpd.pp.bz2 mplayer.pp.bz2 gpg.pp.bz2 mrtg.pp.bz2
> mysql.pp.bz2 nagios.pp.bz2 ncftool.pp.bz2 nis.pp.bz2 ntp.pp.bz2
> nut.pp.bz2 nx.pp.bz2 oddjob.pp.bz2 openvpn.pp.bz2 pcscd.pp.bz2
> openct.pp.bz2 pegasus.pp.bz2 piranha.pp.bz2 postgresql.pp.bz2
> portmap.pp.bz2 postfix.pp.bz2 postgrey.pp.bz2 ppp.pp.bz2
> procmail.pp.bz2 privoxy.pp.bz2 publicfile.pp.bz2 pulseaudio.pp.bz2
> pyzor.pp.bz2 qmail.pp.bz2 qpidd.pp.bz2 radius.pp.bz2 radvd.pp.bz2
> razor.pp.bz2 rhcs.pp.bz2 clogd.pp.bz2 cmirrord.pp.bz2 rhgb.pp.bz2
> rdisc.pp.bz2 remotelogin.pp.bz2 ricci.pp.bz2 rlogin.pp.bz2
> roundup.pp.bz2 rshd.pp.bz2 rsync.pp.bz2 rtkit.pp.bz2 rwho.pp.bz2
> samba.pp.bz2 sandbox.pp.bz2 sanlock.pp.bz2 sambagui.pp.bz2 sasl.pp.bz2
> screen.pp.bz2 seunshare.pp.bz2 shutdown.pp.bz2 sectoolm.pp.bz2
> slocate.pp.bz2 smartmon.pp.bz2 smokeping.pp.bz2 smoltclient.pp.bz2
> snmp.pp.bz2 spamassassin.pp.bz2 squid.pp.bz2 sssd.pp.bz2
> stunnel.pp.bz2 sysstat.pp.bz2 tcpd.pp.bz2 tgtd.pp.bz2 usbmuxd.pp.bz2
> unconfined.pp.bz2 unlabelednet.pp.bz2 ulogd.pp.bz2 vhostmd.pp.bz2
> wdmd.pp.bz2 wine.pp.bz2 telepathy.pp.bz2 userhelper.pp.bz2 tor.pp.bz2
> tvtime.pp.bz2 uml.pp.bz2 usbmodules.pp.bz2 usernetctl.pp.bz2
> xen.pp.bz2 varnishd.pp.bz2 virt.pp.bz2 qemu.pp.bz2 telnet.pp.bz2
> tftp.pp.bz2 tuned.pp.bz2 uucp.pp.bz2 webalizer.pp.bz2 xfs.pp.bz2
> zebra.pp.bz2 vpn.pp.bz2 tmpreaper.pp.bz2 amtu.pp.bz2 zabbix.pp.bz2
> apcupsd.pp.bz2 aide.pp.bz2 w3c.pp.bz2 plymouthd.pp.bz2
> portreserve.pp.bz2 rpcbind.pp.b.bz2 prelude.pp.bz2 pads.pp.bz2
> kerneloops.pp.bz2 openoffice.pp.bz2 podsleuth.pp.bz2 guest.pp.bz2
> xguest.pp.bz2 cgroup.pp.bz2 courier.pp.bz2 denyhosts.pp.bz2
> livecd.pp.bz2 snort.pp.bz2 memcached.pp.bz2 netlabel.pp.bz2
> zosremote.pp.bz2 pingd.pp.bz2 milter.pp.bz2 mediawiki.pp.bz2
> namespace.pp.bz2 vdagent.pp.bz2 matahari.pp.bz2 rhev.pp.bz2
> rhsmcertd.pp.bz2 lldpad.pp.bz2 zarafa.pp.bz2 drbd.pp.bz2
> fcoemon.pp.bz2 ctdbd.pp.bz2 sblim.pp.bz2 uuidd.pp.bz2 cloudform.pp.bz2
> condor.pp.bz2 sge.pp.bz2 cfengine.pp.bz2 condor.pp.bz2 nova.pp.bz2
> keystone.pp.bz2 glance.pp.bz2 quantum.pp.bz2 sensord.pp.bz2
> bcfg2.pp.bz2 slpd.pp.bz2 pkcsslotd.pp.bz2 l2tpd.pp.bz2 svnserve.pp.bz2
> numad.pp.bz2 glusterd.pp.bz2 openshift.pp.bz2 openshift-origin.pp.bz2
> rhnsd.pp.bz2 antivirus.pp.bz2 openvswitch.pp.bz2 dspam.pp.bz2
> lldpad.pp.bz2 watchdog.pp.bz2 oracleasm.pp.bz2 smstools.pp.bz2
> openhpid.pp.bz2 -s targeted
> executable: /usr/sbin/semodule
> kernel: 2.6.32-431.11.2.el6.x86_64
> last_occurrence: 1400595287
> pid:977
> pwd:/usr/share/selinux/targeted
> time:   Tue 20 May 2014 02:14:47 PM UTC
> uid:0
> username:   root
>
> sosreport.tar.xz: Binary file, 6274616 bytes
>
> environ:
> :HOSTNAME=ourhostisaveryverynicehost
> :TERM=xterm
> :SHELL=/bin/bash
> :HISTSIZE=1000
> :QTDIR=/usr/lib64/qt-3.3
> :QTINC=/usr/lib64/qt-3.3/include
> :USER=root
> :LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.l

Re: [CentOS] Centos 6.5 workaround needed for selinux "Could not open policy file" bug

2014-05-20 Thread Daniel J Walsh

On 05/20/2014 12:50 PM, Michael McNulty wrote:
> I read about this bug in the Centos 6.2 faq and the link showing it fixed in 
> https://bugzilla.redhat.com/show_bug.cgi?id=769859
> but I am still getting it updating on a Centos 6.5 server that had selinux 
> disabled. I want to run selinux as permissive but it won't load now on reboot.
>
> I ran the yum update to apply this latest selinux update 
> http://lists.centos.org/pipermail/centos-announce/2014-May/020294.html
> for centos-release-6-5.el6.centos.11.2.x86_64.
>
> Transaction Test Succeeded
> Running Transaction
>   Installing : selinux-policy-3.7.19-231.el6_5.3.noarch
>   Installing : selinux-policy-targeted-3.7.19-231.el6_5.3.noarch 
> semodule: link.c:840: alias_copy_callback: Assertion `base_type->primary == 
> target_type->s.value' failed.
> SELinux:  Could not open policy file <= 
> /etc/selinux/targeted/policy/policy.24:  No such file or directory
>   Verifying  : selinux-policy-3.7.19-231.el6_5.3.noarch   
>   Verifying  : selinux-policy-targeted-3.7.19-231.el6_5.3.noarch  
>
> Installed:
>   selinux-policy.noarch 0:3.7.19-231.el6_5.3   
>
> I tried yum reinstall, yum remove and yum install for selinux-policy-targeted 
> but I still receive the same error. I also enabled selinux as permissive and 
> rebooted but selinux still will not start as permissive.
>
> Anyone have a work around to get selinux working as permissive with this 
> condition?
>
> thx
>
> Mike
> 
This seems strange.  Try this.

setenforce 0
rm -rf /etc/selinux
yum reinstall selinux-policy selinux-policy-targeted
restorecon -R -v /etc/selinux



Re: [CentOS] OpenDKIM and SELinux

2014-05-13 Thread Daniel J Walsh

On 05/13/2014 09:56 AM, James B. Byrne wrote:
> On Mon, May 12, 2014 14:05, Daniel J Walsh wrote:
>
>>> dac_read_search and dac_override are usually bad to add. They typically
>>> mean the permission flags on the file in question are too tight for a
>>> root process to read/use.
>>>
>>> Loosening up the group/other permissions would probably allow a root
>>> process to read the object without requiring these capabilities.
>> I just wrote a quick blog on this.
>>
>> https://danwalsh.livejournal.com/69478.html
>>
>>
> So, to turn on full path reporting I do this:
>
> # echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
> # service auditd restart
>
> My question is: what is the effect that "-w /etc/shadow -p w" has on SELinux
> with respect to reporting the full path of file names in AVCs?  In other
> words, why does that work?
>
This rule above does not affect SELinux at all, specifically.  The rule
above tells the audit system to generate an audit message any time a
process writes to /etc/shadow.  It has the side effect of telling the
kernel to turn on full audit. Full audit gathers full paths before
making a syscall, so if SELinux blocks a syscall, the PATH record gets
generated.

The problem with turning this on by default is that it has a fairly large
performance hit.  ~5%.
We only want to turn on full auditing for people who require it.



Re: [CentOS] OpenDKIM and SELinux

2014-05-12 Thread Daniel J Walsh

On 05/12/2014 01:26 PM, Daniel J Walsh wrote:
> On 05/12/2014 09:17 AM, James B. Byrne wrote:
>> Following the most recent kernel updates I restarted our outgoing SMTP MTA
>> which was recently reconfigured to DKIM sign messages using OpenDKIM.  This
>> morning I discovered that Postfix had stopped on that server.  Whether it is
>> related to the Postfix issue or not is yet to be determined but, in the
>> process of getting things restarted I ran across this error with Open DKIM:
>>
>> # service opendkim restart
>> Stopping OpenDKIM Milter:  [FAILED]
>> Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf:
>> refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
>>[FAILED]
>>
>> I check the permissions and ownership on the file and everything seems 
>> normal.
>>  I then checked audit2why and got this:
>>
>> audit2allow: error: no such option: --
>> [root@inet08 opendkim]# audit2why -l -a
>> type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } 
>> for
>>  pid=15213 comm="opendkim" capability=2 
>> scontext=unconfined_u:system_r:dkim_milter_t:s0
>> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
>>  Was caused by:
>>  Missing type enforcement (TE) allow rule.
>>
>>  You can use audit2allow to generate a loadable module to allow 
>> this access.
>>
>> type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for 
>> pid=15213 comm="opendkim" capability=1 
>> scontext=unconfined_u:system_r:dkim_milter_t:s0
>> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
>>  Was caused by:
>>  Missing type enforcement (TE) allow rule.
>>
>>  You can use audit2allow to generate a loadable module to allow 
>> this access.
>>
>>
>>
>> We have been using dkim for a little while now and our dmarc records indicate
>> that messages from our domains should be signed so this problem needed an
>> immediate fix or workaround.  What I ended up with was this .te file that
>> generates an SEModule which at least gets the service running.  What else it
>> opens us up to I am not sure so I would appreciate some commentary on how I
>> should proceed to obtain a permanent fix:
>>
>>
>>
>> module localOpenDKIMmod 1.0;
>>
>> require {
>>  type dkim_milter_t;
>>  class capability { dac_read_search dac_override };
>> }
>>
>> #= dkim_milter_t ==
>> allow dkim_milter_t self:capability { dac_read_search dac_override };
>>
>>
>>
> dac_read_search and dac_override are usually bad to add. They typically
> mean the permission flags on the file in question are too tight for a
> root process to read/use.
>
> Loosening up the group/other permissions would probably allow a root
> process to read the object without requiring these capabilities.
I just wrote a quick blog on this.

https://danwalsh.livejournal.com/69478.html


Re: [CentOS] OpenDKIM and SELinux

2014-05-12 Thread Daniel J Walsh

On 05/12/2014 09:17 AM, James B. Byrne wrote:
> Following the most recent kernel updates I restarted our outgoing SMTP MTA
> which was recently reconfigured to DKIM sign messages using OpenDKIM.  This
> morning I discovered that Postfix had stopped on that server.  Whether it is
> related to the Postfix issue or not is yet to be determined but, in the
> process of getting things restarted I ran across this error with Open DKIM:
>
> # service opendkim restart
> Stopping OpenDKIM Milter:  [FAILED]
> Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf:
> refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
>[FAILED]
>
> I check the permissions and ownership on the file and everything seems normal.
>  I then checked audit2why and got this:
>
> audit2allow: error: no such option: --
> [root@inet08 opendkim]# audit2why -l -a
> type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } for
>  pid=15213 comm="opendkim" capability=2 
> scontext=unconfined_u:system_r:dkim_milter_t:s0
> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
>   Was caused by:
>   Missing type enforcement (TE) allow rule.
>
>   You can use audit2allow to generate a loadable module to allow 
> this access.
>
> type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for 
> pid=15213 comm="opendkim" capability=1 
> scontext=unconfined_u:system_r:dkim_milter_t:s0
> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
>   Was caused by:
>   Missing type enforcement (TE) allow rule.
>
>   You can use audit2allow to generate a loadable module to allow 
> this access.
>
>
>
> We have been using dkim for a little while now and our dmarc records indicate
> that messages from our domains should be signed so this problem needed an
> immediate fix or workaround.  What I ended up with was this .te file that
> generates an SEModule which at least gets the service running.  What else it
> opens us up to I am not sure so I would appreciate some commentary on how I
> should proceed to obtain a permanent fix:
>
>
>
> module localOpenDKIMmod 1.0;
>
> require {
>   type dkim_milter_t;
>   class capability { dac_read_search dac_override };
> }
>
> #= dkim_milter_t ==
> allow dkim_milter_t self:capability { dac_read_search dac_override };
>
>
>
dac_read_search and dac_override are usually bad to add. They typically
mean the permission flags on the file in question are too tight for a
root process to read/use.

Loosening up the group/other permissions would probably allow a root
process to read the object without requiring these capabilities.
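Two points from these threads can be checked against the audit log itself: the dac_read_search / dac_override denials above are the kernel falling back to a capability because the file's mode bits refuse the access, and (from the earlier reply about `-w /etc/shadow -p w`) full auditing is what makes PATH records with the full file name appear alongside the AVC. The following is an added example, not code from the list or from Dan Walsh: the sample log is constructed (the two AVC lines copy the event quoted above; the SYSCALL and PATH lines are invented), and the DAC model is a simplification of the RHEL 6 kernel's generic_permission() ordering that ignores POSIX ACLs.

```python
import re
import stat

# Constructed sample: the two AVC lines copy the event quoted in the thread;
# the SYSCALL and PATH lines are invented to show what full auditing adds.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } for  pid=15213 comm="opendkim" capability=2  scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for  pid=15213 comm="opendkim" capability=1  scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
type=SYSCALL msg=audit(1399898848.286:2317): arch=c000003e syscall=2 success=no exit=-13 uid=0 comm="opendkim" exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0
type=PATH msg=audit(1399898848.286:2317): item=0 name="/etc/opendkim/TrustedHosts" inode=262402 mode=0100600 ouid=1001 ogid=1001 obj=system_u:object_r:etc_t:s0
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Turn one audit.log line into a dict; None for lines we do not handle."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "ts": m.group(2), "serial": int(m.group(3))}
    rest = m.group(4)
    avc = AVC_RE.search(rest)
    if avc:
        rec["result"], rec["perms"] = avc.group(1), avc.group(2).split()
    for key, val in FIELD_RE.findall(rest):
        rec[key] = val.strip('"')
    return rec


def group_events(log_text):
    """All records of one syscall share the audit(ts:serial) id; group on serial."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def event_paths(records):
    """Full paths are only present when the kernel collected PATH records."""
    return [r["name"] for r in records if r["type"] == "PATH" and "name" in r]


def capability_denials(records):
    """Capabilities SELinux refused in this event, in log order."""
    return [p for r in records
            if r["type"] == "AVC" and r.get("tclass") == "capability"
            for p in r.get("perms", [])]


MAY_EXEC, MAY_WRITE, MAY_READ = 1, 2, 4


def dac_allows(mode, owner, group, uid, gids, mask):
    """Plain Unix permission bits for the class the process falls into."""
    shift = 6 if uid == owner else 3 if group in gids else 0
    return ((mode >> shift) & mask) == mask


def capability_needed(mode, owner, group, uid, gids, mask):
    """Simplified model of the kernel's generic_permission(): once the DAC
    bits refuse, which capability lets the access through.  None means no
    capability is needed; 'not overridable' is exec on a file with no exec
    bit at all.  Assumption: RHEL 6 era semantics, POSIX ACLs ignored."""
    if dac_allows(mode, owner, group, uid, gids, mask):
        return None
    if stat.S_ISDIR(mode):
        return "CAP_DAC_OVERRIDE" if mask & MAY_WRITE else "CAP_DAC_READ_SEARCH"
    if mask == MAY_READ:
        return "CAP_DAC_READ_SEARCH"
    if mask & MAY_EXEC and not mode & 0o111:
        return "not overridable"
    return "CAP_DAC_OVERRIDE"


def diagnose(mode, owner, group, uid, gids, mask):
    """Return (capability the kernel would fall back to, mode that grants the
    same access through DAC bits for the process's class), i.e. the loosening
    the thread recommends instead of an allow rule for the capability."""
    cap = capability_needed(mode, owner, group, uid, gids, mask)
    if cap is None or cap == "not overridable":
        return cap, mode
    shift = 6 if uid == owner else 3 if group in gids else 0
    return cap, mode | (mask << shift)


if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE_AUDIT_LOG).items():
        print(serial, capability_denials(recs), event_paths(recs))
        path = next((r for r in recs if r["type"] == "PATH"), None)
        if path:  # root (uid 0, only group 0) trying to read the file
            mode = int(path["mode"], 8)
            cap, fixed = diagnose(mode, int(path["ouid"]), int(path["ogid"]),
                                  0, {0}, MAY_READ)
            print("root read needs %s; mode %o would avoid it" % (cap, fixed))
```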


Re: [CentOS] Opendkim and SELinux

2014-05-05 Thread Daniel J Walsh

On 05/05/2014 11:22 AM, James B. Byrne wrote:
> CentOS-6.5
> OpenDKIM-2.9.0 (epel)
> Postfix-2.6.6  (updates)
>
> I am trying to get opendkim working with our mailing lists.  In the course of
> that endeavour I note that these messages are appearing in our syslog:
>
>
> May  4 20:50:02 inet08 setroubleshoot: SELinux is preventing
> /usr/sbin/opendkim from using the signull access on a process. For complete
> SELinux messages. run sealert -l 442cb257-3db2-488c-a92e-bfc936e16a0c
>
> May  4 20:55:25 inet08 setroubleshoot: SELinux is preventing
> /usr/sbin/opendkim from using the dac_override capability. For complete
> SELinux messages. run sealert -l c7c1199d-008d-4ae5-b61f-71a11edb0aa3
>
> May  5 04:03:57 inet08 setroubleshoot: SELinux is preventing
> /usr/sbin/opendkim from search access on the directory /sys. For complete
> SELinux messages. run sealert -l 800523d5-0420-4038-9c7d-c2ec47c3bb6a
>
>
>
> Anyone have any guidance to go on as to what this means and how I get rid of
> it, besides generating a custom policy I mean.
>
Attaching the output of the sealert command or the audit.log would help.




Re: [CentOS] SELInux and POSTFIX

2014-04-28 Thread Daniel J Walsh

On 04/25/2014 10:52 AM, James B. Byrne wrote:
> On Wed, April 23, 2014 16:44, Daniel J Walsh wrote:
>> Looks like this is allowed in rhel6.5 policy. You could try
>>
>> selinux-policy-3.7.19-235.el6
>> on people.redhat.com/dwalsh/SELinux/RHEL6
>>
> yum --enablerepo=localfile update selinux\*
> Loaded plugins: downloadonly, fastestmirror, priorities
> Loading mirror speeds from cached hostfile
>  * Webmin: download.webmin.com
>  * base: centos.mirror.rafal.ca
>  * epel: fedora.mirror.nexicom.net
>  * extras: mirror.netflash.net
>  * updates: mirror.csclub.uwaterloo.ca
> Setting up Update Process
> Resolving Dependencies
> --> Running transaction check
> ---> Package selinux-policy.noarch 0:3.7.19-231.el6_5.1 will be updated
> --> Processing Dependency: selinux-policy = 3.7.19-231.el6_5.1 for package:
> selinux-policy-targeted-3.7.19-231.el6_5.1.noarch
> --> Processing Dependency: selinux-policy = 3.7.19-231.el6_5.1 for package:
> selinux-policy-targeted-3.7.19-231.el6_5.1.noarch
> ---> Package selinux-policy.noarch 0:3.7.19-235.el6 will be an update
> --> Finished Dependency Resolution
> Error: Package: selinux-policy-targeted-3.7.19-231.el6_5.1.noarch (@updates)
>Requires: selinux-policy = 3.7.19-231.el6_5.1
>Removing: selinux-policy-3.7.19-231.el6_5.1.noarch (@updates)
>selinux-policy = 3.7.19-231.el6_5.1
>Updated By: selinux-policy-3.7.19-235.el6.noarch (localfile)
>selinux-policy = 3.7.19-235.el6
>Available: selinux-policy-3.7.19-231.el6.noarch (base)
>selinux-policy = 3.7.19-231.el6
>  You could try using --skip-broken to work around the problem
>  You could try running: rpm -Va --nofiles --nodigest
>
>
> I have these packages in /root/RPMS/repo/Packages:
>
> total 3776
> -rw-r--r--. 1 root root   69264 Apr 24 20:52 opendmarc-1.1.3-3.1.x86_64.rpm
> -rw-r--r--. 1 root root  845052 Apr 23 16:41
> selinux-policy-3.7.19-235.el6.noarch.rpm
> -rw-r--r--. 1 root root 2946848 Apr 23 16:41
> selinux-policy-targeted-3.7.19-235.el6.noarch.rpm
>
> I have run 'createrepo --database --update /root/RPMS/repo'
>
> What do I not understand respecting performing this update?
>
> I only noted this issue following implementation of an spf policy daemon with
> Postfix.  However, that change was the reason I was looking at the log files
> to begin with so the situation may have been present for a very long time
> before that.
>
Did you download all of the file?  BTW You can set up this directory as
a REPO.


Re: [CentOS] SELInux and POSTFIX

2014-04-23 Thread Daniel J Walsh
Looks like this is allowed in rhel6.5 policy. You could try

selinux-policy-3.7.19-235.el6
on people.redhat.com/dwalsh/SELinux/RHEL6


On 04/23/2014 01:51 PM, James B. Byrne wrote:
> Installed Packages
> Name: postfix
> Arch: x86_64
> Epoch   : 2
> Version : 2.6.6
> Release : 6.el6_5
> Size: 9.7 M
> Repo: installed
> >From repo   : updates
>
> I am seeing several of these in our maillog file after a restart of the
> Postfix service:
>
> Apr 23 12:48:27 inet08 setroubleshoot: SELinux is preventing
> /usr/libexec/postfix/smtp from 'read, write' accesses on the file 546AA6099F.
> For complete SELinux messages. run sealert -l
> b95663bb-12ce-4f34-9537-dd88a41359e5
>
>  sealert -l b95663bb-12ce-4f34-9537-dd88a41359e5
> SELinux is preventing /usr/libexec/postfix/smtp from 'read, write' accesses on
> the file 546AA6099F.
>
> *  Plugin catchall (100. confidence) suggests  ***
>
> If you believe that smtp should be allowed read write access on the 546AA6099F
> file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep smtp /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> grep 546AA6099F /var/log/audit/audit.log | audit2why
>
>
> type=AVC msg=audit(1398199187.646:29332): avc:  denied  { getattr } for
> pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>   Was caused by:
>   Missing type enforcement (TE) allow rule.
>
>   You can use audit2allow to generate a loadable module to allow 
> this access.
>
> type=AVC msg=audit(1398199187.646:29333): avc:  denied  { read write } for
> pid=23387 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>   Was caused by:
>   Missing type enforcement (TE) allow rule.
>
>   You can use audit2allow to generate a loadable module to allow 
> this access.
>
> type=AVC msg=audit(1398199927.800:29411): avc:  denied  { getattr } for
> pid=24131 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>   Was caused by:
>   Missing type enforcement (TE) allow rule.
>
>   You can use audit2allow to generate a loadable module to allow 
> this access.
>
> type=AVC msg=audit(1398199927.805:29412): avc:  denied  { read write } for
> pid=24131 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>   Was caused by:
>   Missing type enforcement (TE) allow rule.
>
>   You can use audit2allow to generate a loadable module to allow 
> this access.
>
> type=AVC msg=audit(1398201500.778:29495): avc:  denied  { getattr } for
> pid=25406 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>   Was caused by:
>   Missing type enforcement (TE) allow rule.
>
>   You can use audit2allow to generate a loadable module to allow 
> this access.
>
> type=AVC msg=audit(1398201500.779:29496): avc:  denied  { read write } for
> pid=25406 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>   Was caused by:
>   Missing type enforcement (TE) allow rule.
>
>   You can use audit2allow to generate a loadable module to allow 
> this access.
>
> type=AVC msg=audit(1398204425.415:29681): avc:  denied  { getattr } for
> pid=26964 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>   Was caused by:
>   Missing type enforcement (TE) allow rule.
>
>   You can use audit2allow to generate a loadable module to allow 
> this access.
>
> type=AVC msg=audit(1398204425.419:29682): avc:  denied  { read write } for
> pid=26964 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>   Was caused by:
>   Missing type enforcement (TE) allow rule.
>
>   You can use audit2allow to generate a loadable module to allow 
> this ac

Re: [CentOS] [OT] how do I remove a battery

2014-04-23 Thread Daniel Bird
On 22/04/2014 21:08, Michael Hennebry wrote:
> I've got an MSI K9N Platinum MS 7250 VER 1.1
> motherboard with a dead battery.
> The battery mounts vertically: 
> http://www.cs.ndsu.nodak.edu/~hennebry/computer/battery.png
> To me, the tab on the right would seem to need moving.
> It does not want to move.
> I am reluctant to apply any more force than I
> already have without knowing how to apply it.
>
> How do I remove the battery?
>
Looks to me like there's a groove in front of the tab, with a runner in
it. Does it pull in a direction away from the motherboard (i.e. up, if
it's vertically mounted), hence sliding the battery out of the holder?

D


Re: [CentOS] backuppc problem

2014-04-21 Thread Daniel J Walsh

On 04/19/2014 05:03 PM, Derrik Walker v2.0 wrote:
> On 04/19/2014 04:47 PM, Les Mikesell wrote:
>> On Sat, Apr 19, 2014 at 10:40 AM, Derrik Walker v2.0  
>> wrote:
>>> I've installed backuppc from the EPEL repository.  It does backups just
>>> fine, BUT, when the backups are done, the status on the web page says
>>> there are no backups for any of my systems I'm backing up.
>>>
>>> To be sure, they are taking up disk space, but it's just not reporting
>>> it correctly to the admin web interface.
>>>
>>> I'm thinking I'm missing some package I need, but am not sure exactly what.
>>>
>>> Any ideas?
>> The web interface doesn't  have access to the backuppc archive
>> directory.   Probably either selinux or you don't have the
>> perl-suidperl package installed.
>>
> I figured it out.
>
> Initially I was thinking that I was missing a package, but it turned out 
> to be selinux.  I actually figured that out right after I sent the email 
> by doing an setenforce 0, and it started working.
>
> So I installed setroubleshoot and figured out the problem is that I
> moved the backup data directory from /var/lib/BackupPC to its own
> filesystem mounted on /data/backup, and since I did that, I had to:
>
> setsebool -P httpd_read_user_content 1
>
> Which solved my problem.  I guess it was seeing the archive files as
> 'user_content' for some reason.  In any case, it works now, and enforcing
> is back on.
>
> Thanks.
>
> - Derrik
The better solution would have been to label the data the same as it
would be in BackupPC.

# semanage fcontext -a -e /var/lib/BackupPC /data/backup
# restorecon -R -v /data/backup



Re: [CentOS] trouble installing Math::BigInt module

2014-04-01 Thread Daniel Condomitti
Have you thought of doing this in a Linux container to avoid tainting the base 
install? 


On Tuesday, April 1, 2014 at 4:40 PM, Cliff Pratt wrote:

> Another approach used by people who want to use CPAN a lot, is to download
> and install Perl from source to say /usr/local, and point CPAN at that.
> That way you get the benefits of the latest Perl and CPAN without it
> fighting with yum/rpm.
> 
> Your hashbang line in each Perl script that uses the alternate version of
> Perl would have to reflect the location of the alternate version of Perl
> and you would have to source any prerequisite Perl modules from CPAN, which
> is another chamber of hell.
> 
> But it does avoid issues like you are having.
> 
> Cheers,
> 
> Cliff
> 
> 
> On Tue, Apr 1, 2014 at 9:04 PM, Bennett Haselton <benn...@peacefire.org> wrote:
> 
> > On 3/31/2014 10:42 PM, Tom Robinson wrote:
> > > On 01/04/14 16:19, Bennett Haselton wrote:
> > > > On 3/31/2014 7:56 PM, Tom Robinson wrote:
> > > > > Can you verify to which packages thefiles belong?
> > > > > 
> > > > > Try using RPM:
> > > > > 
> > > > > rpm -qf /usr/lib/perl5/vendor_perl/5.8.8/Net/IP.pm
> > > > On the old machine:
> > > > perl-Net-IP-1.25-2.fc6
> > > > > and
> > > > > 
> > > > > rpm -qf /usr/lib/perl5/vendor_perl/5.8.8/Crypt/DSA/KeyChain.pm
> > > > On the new machine:
> > > > perl-Crypt-DSA-1.16-1.el5.rf
> > > > 
> > > 
> > > That should be a good starting point. Your check on installed packages
> > > as proposed by John shows two very different packaged environments. Did
> > > you ever use CPAN on the old or new machine?
> > Yes, on both. I needed it because I needed to install Crypt::Twofish
> > and it didn't seem to be available from the default repositories used by
> > yum but it was available from CPAN.
> > 
> > Because there were dozens of sources that I read, plus probably
> > thousands of others that I didn't read, saying that installing from CPAN
> > was a way to install Perl modules, I figured it was reasonably safe to
> > follow those directions, so I went ahead and did it.
> > 
> > Now, later I found out that you can get your machine into an
> > inconsistent state by installing things from both CPAN and yum
> > repositories, and moreover apparently you can't even properly uninstall
> > things that are installed by CPAN:
> > 
> > http://stackoverflow.com/questions/2626449/how-can-i-de-install-a-perl-module-installed-via-cpan
> > so by following directions to the letter which are repeated in thousands
> > of sources, I apparently put my machine in a state that will cause
> > frequent unpredictable conflicts with all the things installed by the
> > system package manager, and the damage is irreversible.
> > 
> > Is that about right? :)
> > 
> > At about the same time I learned not to use CPAN, the person helping me
> > solve the current problem said that I could make the run-time errors go
> > away by going into CPAN and install Math::BigInt -- which led to a new
> > error, getting "Math::BigInt: couldn't load specified math lib(s),
> > fallback to Math::BigInt::Calc at
> > /usr/lib/perl5/vendor_perl/5.8.8/Crypt/DH.pm line 6", so then I
> > installed Math::BigInt::Pari through CPAN and it fixed the problem. I
> > had to use CPAN because it was the only solution he knew and it was an
> > emergency to get that error fixed.
> > 
> > So, going forward, to mitigate the damage, should I just take all the
> > packages that are currently only listed as installed on the old machine,
> > truncate the version number (so e.g. truncate
> > "perl-Compress-Raw-Zlib-2.052-1.el5.rf" to just
> > "perl-Compress-Raw-Zlib2") and install that with yum on the command
> > line? (Thanks for that list, by the way.)
> > 
> > And more generally, what is the best practice if I want to install a
> > module like Crypt::Twofish that was not in the default yum repositories,
> > if John and C.L. are saying to avoid CPAN, and both John and Tom are
> > saying to avoid adding extra yum repositories? I'd like to use yum just
> > for consistency since it automatically handles dependencies and such,
> > and at least if I always use yum, then yum will always be "aware" of
> > what's installed already (as opposed to things installed from CPAN).
> > 
> > Bennett
> > 
> > > I would work to bring the new machine's perl environment as close to
> > > that of the old machine's.
> > > 
> > > Indeed, perl-Net-SFTP package is only installed on the new machine!
> > > 
> > > Your package output is reformatted here. Work through this to bring your
> > > environments as close as possible and check if you have used CPAN to
> > > install packages in the past.
> > > 
> > > $ diff -yW80 /tmp/oldlist /tmp/newlist
> > > perl-5.8.8-41.el5 perl-5.8.8-41.el5
> > > perl-Compress-Raw-Bzip2-2.052-1.el5.r | perl-Class-Loader-2.03-1.2.el5.rf
> > > perl-Compress-Raw-Zlib-2.052-1.el5.rf | perl-Compress-Zlib-1.42-1.fc6
> > > perl-Convert-ASN1-0.22-1.el5.rf | perl-Convert-ASCII-

Re: [CentOS] Centos and Selinux issue

2014-03-31 Thread Daniel J Walsh
Do you actually want the data to be available to both domains at the
same time?  Or could you set up different directories?

If you want them to be both available you could label it
postgresql_db_t, and then turn on the samba_export_all_ro boolean or
the samba_export_all_rw boolean.  If this is too loose you could run in
permissive mode and gather the AVC's and then use audit2allow to build a
custom policy module for your access.

On 03/31/2014 10:18 AM, Alessandro Baggi wrote:
> Hi list,
> I'm new to Centos and I have very little knowledge of selinux.
>
> I can disable it, but I prefer to keep it on for study.
>
> I've a second mirrored device that I use for file sharing.
> This is the scenario:
>
> /dev/md2 mounted on /mnt/data
>
> To make samba work I must set the file context of the path to
> samba_share_t on /mnt/data. After this samba works.
>
> Now I'm setting up postgresql on the same machine, and for first disk
> size I must use /dev/md2.
>
> After configuring the postgresql script to init the db, and setting up the
> alternative data path pointing to /mnt/data/pgsql/data, initdb or starting
> postgresql fails. This issue is selinux related.
>
> Now, directory /mnt/data/pgsql/data has fcontext samba_share_t and the
> postgresql init script gives permission denied on
> /mnt/data/pgsql/data/postgresql.conf.
>
> At this point I've tried to set /mnt/data to postgresql_db_t with chcon,
> rerun initdb and /etc/init.d/postgresql start, and all works fine, except
> for samba. I can't access the share anymore (because of the context change).
>
> I've tried to set:
>
> /mnt/data to samba_share_t
> /mnt/data/pgsql to postgresql_db_t
>
> but with this config it is pgsql that does not work.
>
> At this point, is it possible to set a multiple context on /mnt/data to make
> samba and postgresql work on the same path, or must I use
> "public"?
>
> Is it a better choice to mount /dev/md2 on /mnt/data, make two dirs, one for
> pgsql and another for the samba share, set the relative contexts and start services?
>
>
> Thanks in advance.
>
> Alessandro.



Re: [CentOS] rsyslog not loading relp

2014-03-30 Thread Daniel J Walsh

On 03/28/2014 03:19 PM, Mauricio Tavares wrote:
> On Mon, Nov 4, 2013 at 5:08 PM, Mauricio Tavares  wrote:
>> On Mon, Nov 4, 2013 at 9:59 AM, Stephen Harris  wrote:
>>> On Mon, Nov 04, 2013 at 09:49:37AM -0500, Mauricio Tavares wrote:
>>>>   I really have nobody else but rsyslog.conf here:
>>>>
>>>>  [root@scan log]# ls -ld /etc/rsyslog.*
>>> Don't use the "d" flag to "ls"; that'll stop it looking inside
>>> directories.
>>>
>>   Sorry; I meant ls -lh
>>
>>> The debug output showed it reading a file from
>>>/etc/rsyslog.d/remote-hosts.conf
>>>
>>> 1968.099981778:7f2b4eda1700: cfline: '$IncludeConfig /etc/rsyslog.d/*.conf'
>>> 1968.100012146:7f2b4eda1700: requested to include config file
>>> '/etc/rsyslog.d/remote-hosts.conf'
>>>
>>   You are right. To add insult to injury I created that file (to
>> grab the log files from a few other machines. Still need to make it
>> nicer, but good enough to test):
>>
>> [root@scan log]# cat /etc/rsyslog.d/remote-hosts.conf
>> # Log remote messages by date & hostname
>> $template 
>> DailyPerHostLogs,"/var/log/syslog/%HOSTNAME%/messages_%$YEAR%-%$MONTH%-%$DAY%.log"
>> *.info;mail.none;authpriv.none;cron.none-?DailyPerHostLogs
>> [root@scan log]#
>>
>   Resurrecting this old thread of mine, I had time again to play
> with this. Still clueless but saw this in /var/log/audit/audit.log:
>
> 9069 comm="rsyslogd" src=20514
> scontext=unconfined_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1396031288.687:157483): arch=c03e
> syscall=49 success=no exit=-13 a0=5 a1=7febd9a35df0 a2=10
> a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706
> comm="rsyslogd" exe="/sbin/rsyslogd"
> subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
> type=AVC msg=audit(1396031288.687:157484): avc:  denied  { name_bind }
> for  pid=9069 comm="rsyslogd" src=20514
> scontext=unconfined_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1396031288.687:157484): arch=c03e
> syscall=49 success=no exit=-13 a0=5 a1=7febd9a35d90 a2=1c
> a3=7fff9cfb57bc items=0 ppid=9068 pid=9069 auid=1000 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18706
> comm="rsyslogd" exe="/sbin/rsyslogd"
> subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
>
> What is this
>
>  denied  { name_bind } for  pid=9069 comm="rsyslogd" src=20514
>
> is trying to tell me? I know that syslog is only currently allowed by
> selinux to use 514 and 6514,
>
> [root@scan ~]# semanage port -l| grep syslog
> syslogd_port_t tcp  6514
> syslogd_port_t udp  514, 6514
> [root@scan ~]#
>
> But I also thought that there would be a given port after which
> selinux did not care. Or something. Or it would be really hard to start
> sessions as a lame user connecting to other machines. ;)
>
> Out of desperation, I tried
>
> [root@scan ~]# semanage port -a -t syslogd_port_t -p tcp 20514
> Killed
> [root@scan ~]#
That was the correct thing to do.  Not sure why it got killed?
>>> --
>>>
>>> rgds
>>> Stephen

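The AVC records quoted in this thread, and the relabel-instead-of-boolean advice from the backuppc thread above, can be turned into a small triage tool. What follows is an added example, not code from any poster: it parses type=AVC records as ausearch -m avc prints them, maps a port name_bind denial to the semanage port command confirmed above, maps a denial under a relocated directory to the semanage fcontext -a -e / restorecon idiom, and sends anything else to audit2allow for review. The sample records, the /data/backup to /var/lib/BackupPC equivalence, the httpd record and the "<domain>_port_t" naming rule are assumptions made for the example.

```python
import re

# Constructed input: the rsyslogd AVC from the thread rejoined onto one line,
# a SYSCALL record that must be skipped, and a constructed httpd denial under
# a relocated BackupPC directory (the backuppc thread's symptom).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396031288.687:157484): avc:  denied  { name_bind } for  pid=9069 comm="rsyslogd" src=20514 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1396031288.687:157484): arch=c03e syscall=49 success=no exit=-13 comm="rsyslogd" exe="/sbin/rsyslogd"
type=AVC msg=audit(1398000000.000:200): avc:  denied  { read } for  pid=2345 comm="httpd" path="/data/backup/pc/host1" dev=sdb1 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of a type=AVC record as a dict, or None for any
    other record type (SYSCALL, PATH, ...)."""
    m = AVC_RE.match(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {"perms": m.group("perms"), "comm": f.get("comm", "?"),
            "stype": f["scontext"].split(":")[2],   # source domain, e.g. syslogd_t
            "ttype": f["tcontext"].split(":")[2],   # target type, e.g. port_t
            "tclass": f["tclass"], "src": f.get("src"), "path": f.get("path")}


def suggest_fix(d, equivalences):
    """Persistent policy-level fix for one denial (never setenforce 0).
    equivalences maps a relocated directory to the path whose labelling it
    should inherit, the semanage fcontext -e idiom from the backuppc thread."""
    if d["perms"] == "name_bind" and d["ttype"] == "port_t":
        # Assumption: the daemon's port type is <domain without _t>_port_t, which
        # holds for syslogd_t -> syslogd_port_t; confirm with 'semanage port -l'.
        port_type = d["stype"][:-2] + "_port_t"
        proto = d["tclass"].split("_")[0]          # tcp_socket -> tcp
        return f"semanage port -a -t {port_type} -p {proto} {d['src']}"
    if d["path"]:
        for new_dir, canonical in equivalences.items():
            if d["path"] == new_dir or d["path"].startswith(new_dir + "/"):
                return (f"semanage fcontext -a -e {canonical} {new_dir} && "
                        f"restorecon -R -v {new_dir}")
    # Anything else: gather the AVCs and review a generated module before loading it.
    return f"ausearch -m avc -c {d['comm']} | audit2allow -M local_{d['stype']}"


def fixes_for(audit_log, equivalences):
    """One suggested command per AVC record in audit_log, in order."""
    return [suggest_fix(d, equivalences)
            for d in map(parse_avc, audit_log.splitlines()) if d]
```

Feed it the output of ausearch -m avc and review each suggested command against semanage port -l or semanage fcontext -l before applying it.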


Re: [CentOS] Install from cdrom and Update repo

2014-03-15 Thread Daniel J Walsh
On 03/14/2014 05:24 PM, Eero Volotinen wrote:
> Please provide complete kickstart, not just a snippet of it.
> On 14.3.2014 22.47, "EljiUdia" wrote:
> 
>> Hi,
>> 
>> I have make a kickstart file to automate the installation from cdrom and 
>> another repo. The kickstart snippet looks like
>> 
>> install
>> graphical
>> cdrom
>> repo --name="Updates" --baseurl="http://mirror.centos.org/centos/6.5/updates/x86_64/" --cost=98
>> selinux --enforcing
>> 
>> After installation, system boots but kernel crash with the message
>> 
>> Kernel Panic - not syncing: Attempted to kill init! Pid: 1 comm: init Not
>> tainted 2.6.32-358.6.2.e16.x86_64 #1 Call Trace: [] ? panic+0xs7/0x16f []
>> ? do_exit+0x862/0x870 [] ? fput+0x25/0x30 [] ? do_group_exit+0x58/0xd0 []
>> ? sys_exit_group+0x17/0x20 [] ? system_call_fastpath+0x16/0x1b
>> 
>> I found a solution on the web, but nobody tell why it happens. If
>> selinux is disabled, it works. The append of this lines in kickstart has
>> no positive effects.
>> 
>> %post --log=/root/postinstall.log
>> /sbin/restorecon -R -v /
>> %end
>> 
>> Some ideas?
> 

Boot the machine in permissive mode

enforcing=0 on the kernel command line, then see what AVC's you are getting.

ausearch -m avc



Re: [CentOS] Anyone using trac on centos?

2014-03-13 Thread Daniel J Walsh
On 03/12/2014 04:52 PM, m.r...@5-cent.us wrote:
> Peter Brady wrote:
>> On 13/03/14 5:02 AM, m.r...@5-cent.us wrote:
>>> (Besides Paul, who's busy?)
>>> 
>>> I just need one question answered: I keep reading the docs, and given 
>>> the old traditional /var/www I get that part of trac should be
>>> installed in /var/www/trac/ (I think); what I can't figure out
>>> is whether there is *anything* under the document root, that is,
>>> /var/www/html/trac/.
>>> 
>>> Anyone have a clue? Do I even need it as a placeholder, or does
>>> anything actually go in there?
>> 
>> Hi Mark,
>> 
>> I've got a couple of centos 6 VMs running trac and subversion.  One is a 
>> standalone single project and the other runs a multi-site install.  trac 
>> was installed from EPEL.
>> 
>> For the single site install I've got a few things in /var/www/html:
>> 
>> [root@develop www]# ls html/
>  Thanks, Peter. Between you and Paul, and, of course, much googling,
> I've got it working. I was completely thrown off by, basically, *NOTHING*
> being under the DocumentRoot. Oh, and them having htdocs *under* their 
> non-doc-root stuff.
> 
> Installing the agilo-plugin was easy (well, I'll know when my user gets 
> going). Now shutting up selinux And no, what I found was *wrong*, it 
> was telling you to use chcon, which does *not* last across reboots. 
> semanage (bleah!)
> 
> mark
> 
> 
Mark what changes did you have to make for SELinux?

