selinux May 2009

selinux@lists.fedoraproject.org

24 participants
36 discussions

How to install SELinux original policy as original RPM
by Shintaro Fujiwara 06 May '09

06 May '09

Hello, I don't know how to install SELinux original policy as original RPM. I edited my spec file but semodule didn't work in BUILDROOT. Thanks in advance. -- http://intrajp.no-ip.com/ Home Page

3 4

How can I set certain domain don't audit for certain time ?
by Shintaro Fujiwara 06 May '09

06 May '09

Hi, I try to ps from certain domain and when I do that a lot of denied messages occurs. I set this domain permissive but I want to silent it alltogether. One thing in my mind is to domain_trans to domain same as ps, but my question is to don't audit for certain time like semanage permissive. After ps, I want to audit everything as hoped. Thanks in advance. -- http://intrajp.no-ip.com/ Home Page

2 2

selinux problem I solved months ago
by John Oliver 06 May '09

06 May '09

I had this problem weeks and weeks ago: [root@mda-vm1h ~]# service httpd configtest httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc: Permission denied I solved it by creating an selinux module and "baking" it into my kickstart. Built many machines, all worked perfectly. Now, I have three virtual machines I installed with the same kickstart, and I'm getting the same problem. [root@mda-vm1h ~]# ls -lZ /etc/httpd/modules/vcapache.so -rwxr-xr-x root root system_u:object_r:httpd_modules_t /etc/httpd/modules/vcapache.so type=AVC msg=audit(1241564879.792:4671): avc: denied { execheap } for pid=28957 comm="httpd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process type=SYSCALL msg=audit(1241564879.792:4671): arch=40000003 syscall=125 success=no exit=-13 a0=ffa000 a1=1b8000 a2=5 a3=bf8b7eb0 items=0 ppid=28953 pid=28957 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:initrc_t:s0 key=(null) [root@mda-vm1h ~]# semodule -l amavis 1.1.0 ccs 1.0.0 clamav 1.1.0 dcc 1.1.0 evolution 1.1.0 iscsid 1.0.0 mozilla 1.1.0 mplayer 1.1.0 nagios 1.1.0 oddjob 1.0.1 pcscd 1.0.0 pyzor 1.1.0 razor 1.1.0 ricci 1.0.0 smartmon 1.1.0 valicert 1.0 There it is, at the end. I removed and reinstalled it with no effect. It's data, so I can't cat it out, but that module worked... unless this is some new, different problem. Is there more magic sauce that has to be added? -- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * ***********************************************************************

2 1

scp only using SELinux
by Vadym Chepkov 04 May '09

04 May '09

Hi, I wonder if it is possible to achieve "scp only" capability for a user just by using SELinux? Basically I want a user to be able to only upload/download files from his home via scp/sftp and nothing else. Thank you. Sincerely yours, Vadym Chepkov

2 1

Boolean or rule for preventing user_u for su or sudo
by adrian golding 04 May '09

04 May '09

hi, i created a useruuser account which has SELinux User of "user_u". and when i log in using that account, i cannot use 'su' or 'sudo'. in particular, when i try to use 'sudo', there will be a permission denied message. may i know where is the boolean or rule that specified this restriction? thank you -- View this message in context: http://www.nabble.com/Boolean-or-rule-for-preventing-user_u-for-su-or-sudo-… Sent from the Fedora SELinux List mailing list archive at Nabble.com.

2 1

Test message #33
by Tom London 03 May '09

03 May '09

33 33 33 -- Tom London

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux May 2009