Re: [CentOS] CentOS 7, selinux issue
Can you attach one of the AVCs? Most likely ssh-x509-auth needs to be labeled sshd_key_t or ssh_home_t.

On 04/06/2016 02:54 PM, m.r...@5-cent.us wrote:
> I'm seeing a lot of noise in the logs, to the effect of:
> setroubleshoot: SELinux is preventing /bin/ksh93 from write access on the
> directory /var/lib/ssh-x509-auth
>
> as well as others related to find, cat, etc on .pem's in that directory.
>
> Is this a policy bug, or just no policy covering this?
>
> mark

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
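An added example, not part of the original thread: a small Python parser that summarizes AVC denial records so the source domain and the target file type are visible, which is the information the reply asks for before choosing a label. The audit lines below, including the sshd_t source domain and the var_lib_t target type, are constructed for illustration and are assumptions, not data from the poster's system.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not from the thread); the source domain
# and target type shown here are assumptions for illustration.
SAMPLE_LOG = '''\
type=AVC msg=audit(1459968840.101:4567): avc:  denied  { write } for  pid=2101 comm="ksh93" name="ssh-x509-auth" dev="dm-0" ino=131 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1459968840.140:4568): avc:  denied  { read } for  pid=2102 comm="cat" name="host.pem" dev="dm-0" ino=140 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1459968841.007:4570): avc:  denied  { read } for  pid=2105 comm="cat" name="host.pem" dev="dm-0" ino=140 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1459968841.007:4570): arch=c000003e syscall=2 success=no exit=-13 comm="cat"
type=AVC msg=audit(1459968842.300:4575): avc:  denied  { getattr } for  pid=2110 comm="find" path="/var/lib/ssh-x509-auth/host.pem" dev="dm-0" ino=140 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other records."""
    if not line.startswith('type=AVC'):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # Context is user:role:type:level; the type is what a relabel would change.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    return fields

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                counts[(rec['comm'], rec['source_type'], rec['target_type'],
                        rec['tclass'], perm)] += 1
    return counts

def target_types(log_text):
    """Distinct target types denied; one generic type suggests a labeling gap."""
    return sorted({key[2] for key in summarize(log_text)})

if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
    print('target types:', target_types(SAMPLE_LOG))
```

When every denial from the different commands points at the same generic target type, the summary supports treating the noise as a missing file label rather than a set of unrelated policy gaps.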
Re: [CentOS] CentOS 7 SELinux issue
On 02/25/2016 07:23 AM, Brandon Vincent wrote:
> On Thu, Feb 25, 2016 at 12:34 AM, Frank Cox wrote:
>> Turns out you get the "Could not downgrade policy file
>> /etc/selinux/targeted/policy/policy.24" error if you're running with SELinux
>> disabled and something tries to install or reload policy: semodule -vR does
>> it.
>
> This is why if anyone is opposed to running SELinux it should be left in
> permissive mode.

Even in permissive mode you still incur the system overhead cost (7% performance hit, last I read) and the excessive logging. And don't even get me started about having /tmp mounted on a tmpfs filesystem! :-)

There are good reasons to prefer disabled over permissive if you're sure you won't need to re-enable SELinux later.
Re: [CentOS] CentOS 7 SELinux issue
On Thu, Feb 25, 2016 at 12:34 AM, Frank Cox wrote:
> Turns out you get the "Could not downgrade policy file
> /etc/selinux/targeted/policy/policy.24" error if you're running with SELinux
> disabled and something tries to install or reload policy: semodule -vR does
> it.

This is why if anyone is opposed to running SELinux it should be left in permissive mode.

Brandon Vincent
Re: [CentOS] CentOS 7 SELinux issue
On 02/24/2016 11:34 PM, Frank Cox wrote:
> On Wed, 24 Feb 2016 23:28:33 -0800 Alice Wonder wrote:
>> I don't ordinarily run SELinux and do not have it enabled.
>
> https://lists.fedoraproject.org/pipermail/selinux/2012-May/014626.html
>
> QUOTE:
> Turns out you get the "Could not downgrade policy file
> /etc/selinux/targeted/policy/policy.24" error if you're running with SELinux
> disabled and something tries to install or reload policy: semodule -vR does
> it.
> END OF QUOTE

Ah thanks.
Re: [CentOS] CentOS 7 SELinux issue
On Wed, 24 Feb 2016 23:28:33 -0800 Alice Wonder wrote:
> I don't ordinarily run SELinux and do not have it enabled.

https://lists.fedoraproject.org/pipermail/selinux/2012-May/014626.html

QUOTE:
Turns out you get the "Could not downgrade policy file /etc/selinux/targeted/policy/policy.24" error if you're running with SELinux disabled and something tries to install or reload policy: semodule -vR does it.
END OF QUOTE

--
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com