Re: [CentOS] selinux question

2018-08-23 Thread Nataraj
On 08/21/2018 05:45 PM, Warren Young wrote: > >> I could be convinced otherwise if I could see where running the php as the >> app users, would make more sense. > That depends on whether the boundary between user php and this unknown > “appuser” is bidirectional or not. > > If there are things ow

Re: [CentOS] selinux question

2018-08-21 Thread Warren Young
On Aug 21, 2018, at 4:34 PM, Nataraj wrote: > > On 08/21/2018 02:20 PM, Warren Young wrote: >> On Aug 21, 2018, at 1:27 PM, Nataraj wrote: >>> I have a web application which uses sudo to invoke python scripts as the >>> user under which the application runs (NO root access). >> Why is the web ap

Re: [CentOS] selinux question

2018-08-21 Thread Nataraj
On 08/21/2018 02:20 PM, Warren Young wrote: > On Aug 21, 2018, at 1:27 PM, Nataraj wrote: >> I have a web application which uses sudo to invoke python scripts as the >> user under which the application runs (NO root access). > Why is the web app not running with that user’s permissions in the firs

Re: [CentOS] selinux question

2018-08-21 Thread Warren Young
On Aug 21, 2018, at 1:27 PM, Nataraj wrote: > > I have a web application which uses sudo to invoke python scripts as the > user under which the application runs (NO root access). Why is the web app not running with that user’s permissions in the first place? If your answer is that it needs root

Re: [CentOS] selinux question

2018-08-21 Thread Nataraj
On 08/21/2018 12:41 PM, Jonathan Billings wrote: > On Tue, Aug 21, 2018 at 12:27:53PM -0700, Nataraj wrote: >> Source RPM Packages sudo-1.7.2p1-29.el5_10 >> Policy RPM selinux-policy-2.4.6-351.el5 >> Platform Linux myhost.mydomain.com 2.6.18-419.el5

Re: [CentOS] selinux question

2018-08-21 Thread Jonathan Billings
On Tue, Aug 21, 2018 at 12:27:53PM -0700, Nataraj wrote: > Source RPM Packages sudo-1.7.2p1-29.el5_10 > Policy RPM selinux-policy-2.4.6-351.el5 > Platform Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP > Fri Feb 24 22:06:09 UTC 2017 i686 i686 Cen

Re: [CentOS] selinux question

2018-08-21 Thread Daniel Walsh
On 08/21/2018 12:27 PM, Nataraj wrote: I have a web application which uses sudo to invoke python scripts as the user under which the application runs (NO root access).  Is there any reason why sudo would require sys_ptrace access for this?  I only get this violation intermittently, and not w

[CentOS] selinux question

2018-08-21 Thread Nataraj
I have a web application which uses sudo to invoke python scripts as the user under which the application runs (NO root access).  Is there any reason why sudo would require sys_ptrace access for this?  I only get this violation intermittently, and not with every call to sudo.  Here's the viola

Re: [CentOS] SELinux Question

2013-07-23 Thread Daniel J Walsh
On 07/23/2013 07:15 AM, Ken Smith wrote: > > James Hogarth wrote: >> On 23 Jul 2013 07:42, "Ken Smith" wrote: >> >>> For some reason auditd wasn't running or enabled. I'm now seeing the >>> messages I needed in /var/log/messages. I'm running

Re: [CentOS] SELinux Question

2013-07-23 Thread Ken Smith
James Hogarth wrote: > On 23 Jul 2013 07:42, "Ken Smith" wrote: > >>> >> For some reason auditd wasn't running or enabled. I'm now seeing the >> messages I needed in /var/log/messages. I'm running bind chrooted and >> various other tweaks mean I need to set SELinux accordingly. >> >>

Re: [CentOS] SELinux Question

2013-07-23 Thread James Hogarth
On 23 Jul 2013 07:42, "Ken Smith" wrote: > > > For some reason auditd wasn't running or enabled. I'm now seeing the > messages I needed in /var/log/messages. I'm running bind chrooted and > various other tweaks mean I need to set SELinux accordingly. > Bind chroot via the standard chroot package

Re: [CentOS] SELinux Question

2013-07-22 Thread Ken Smith
Gordon Messmer wrote: > On 07/22/2013 07:41 AM, Ken Smith wrote: > >> Hi Guys, My google foo is failing me this afternoon. Just configuring a >> new C6 install. I know there are SELinux alerts happening, eg: I know I >> need to enable named to write to the local .jnl file as part of dynamic >

Re: [CentOS] SELinux Question

2013-07-22 Thread Gordon Messmer
On 07/22/2013 07:41 AM, Ken Smith wrote: > Hi Guys, My google foo is failing me this afternoon. Just configuring a > new C6 install. I know there are SELinux alerts happening, eg: I know I > need to enable named to write to the local .jnl file as part of dynamic > DNS, but sealert -b is not listing

Re: [CentOS] SELinux Question

2013-07-22 Thread Daniel J Walsh
On 07/22/2013 10:55 AM, Paul Norton wrote: > Hello Ken Try this " site:danwalsh.livejournal.com" in your > searches. Also this is a good book > http://www.amazon.com/SELinux-Example-Using-Security-Enhanced/dp/0131963694/ref=sr_1_2?ie=UTF8&qid=1374504

[CentOS] SELinux Question

2013-07-22 Thread Ken Smith
Hi Guys, My google foo is failing me this afternoon. Just configuring a new C6 install. I know there are SELinux alerts happening, eg: I know I need to enable named to write to the local .jnl file as part of dynamic DNS, but sealert -b is not listing any alerts. I can see raw audit messages. I

Re: [CentOS] SELinux Question

2013-07-22 Thread Paul Norton
Hello Ken Try this " site:danwalsh.livejournal.com" in your searches. Also this is a good book http://www.amazon.com/SELinux-Example-Using-Security-Enhanced/dp/0131963694/ref=sr_1_2?ie=UTF8&qid=1374504654&sr=8-2&keywords=selinux This is the best I can do as I don't understand. What message? Could

Subject: Re:[CentOS] SELinux question - to fix bug in Webmin

2007-09-01 Thread Lanny Marcus
On 30 August 2007, Kenneth Porter <[EMAIL PROTECTED]> wrote: > (I'm curious to know what the solution is, though, so please follow up > back here with anything you find!) Below is the latest message from Jamie Cameron: > Ok, it sounds like this will be more complex than I thought if they > need

Re: [CentOS] SELinux question - to fix bug in Webmin

2007-08-31 Thread Lanny Marcus
On 30 August 2007, Kenneth Porter <[EMAIL PROTECTED]> wrote: > You might also want to direct your question to the SELinux people on > their > lists: > > > > > (I'm curious to know what the s

Re: [CentOS] SELinux question - to fix bug in Webmin

2007-08-31 Thread Lanny Marcus
On 30 August 2007, Kenneth Porter <[EMAIL PROTECTED]> wrote: > Message: 75 > You might also want to direct your question to the SELinux people on > their lists: > > > > > (I'm curious to know

Re: [CentOS] SELinux question - to fix bug in Webmin

2007-08-30 Thread Kenneth Porter
On Thursday, August 30, 2007 4:50 PM -0500 Lanny Marcus <[EMAIL PROTECTED]> wrote: SELinux people: Can you explain what he needs? You might also want to direct your question to the SELinux people on their lists:

[CentOS] SELinux question - to fix bug in Webmin

2007-08-30 Thread Lanny Marcus
I found a bug in Webmin when using Webmin with SELinux in Permissive Mode. The author of Webmin asked me, in their bug tracker on SourceForge: > Ok, thanks ... I see the problem. Webmin opens the log file > /var/webmin/miniserv.error and connects STDERR to it, then runs other > commands like ipta