The following rules were created by audit2allow to enable my server to operate denial messages. If some kind soul would glance over them to see if they raise any red flags, I would appreciate it.
allow fetchmail_t user_home_t:file { getattr ioctl read };
allow httpd_sys_script_t user_home_t:dir { getattr read remove_name rmdir search write };
allow httpd_sys_script_t user_home_t:file { append execute execute_no_trans getattr ioctl read unlink };
allow httpd_t snmpd_var_lib_t:file { getattr read };
allow httpd_t system_dbusd_var_run_t:dir { getattr read };
allow innd_t file_t:file { getattr ioctl read write };
allow innd_t home_root_t:dir search;
allow innd_t tmp_t:dir search;
allow innd_t user_home_t:file { getattr read };
allow procmail_t inaddr_any_node_t:tcp_socket node_bind;
allow procmail_t innd_etc_t:dir search;
allow procmail_t innd_etc_t:file read;
allow procmail_t innd_exec_t:file { execute execute_no_trans read };
allow procmail_t innd_port_t:tcp_socket name_connect;
allow procmail_t ls_exec_t:file { execute execute_no_trans getattr read };
allow procmail_t procmail_exec_t:file execute_no_trans;
allow procmail_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
allow procmail_t razor_port_t:tcp_socket name_connect;
allow procmail_t smtp_port_t:tcp_socket name_connect;
allow procmail_t tmp_t:dir { add_name create read remove_name rmdir search write };
allow procmail_t tmp_t:file { create getattr ioctl read unlink write };
allow procmail_t user_home_t:file { execute execute_no_trans };
allow spamd_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
allow spamd_t user_home_dir_t:dir read;
allow spamd_t user_home_dir_t:file { append getattr ioctl read };
allow xfs_t default_t:dir search;
allow xfs_t default_t:file { getattr read };
-- Chuck
Charles A. Crayne wrote:
The following rules were created by audit2allow to enable my server to operate denial messages. If some kind soul would glance over them to see if they raise any red flags, I would appreciate it.
allow fetchmail_t user_home_t:file { getattr ioctl read };
allow httpd_sys_script_t user_home_t:dir { getattr read remove_name rmdir search write };
allow httpd_sys_script_t user_home_t:file { append execute execute_no_trans getattr ioctl read unlink };
This looks like you have a labeling problem on a directory and perhaps you do not have the correct boolean set for httpd?
getsebool httpd_enable_homedirs
Should be set to 1 if you want apache to be able to read homedirs.
setsebool -P httpd_enable_homedirs=1
allow httpd_t snmpd_var_lib_t:file { getattr read };
allow httpd_t system_dbusd_var_run_t:dir { getattr read };
allow innd_t file_t:file { getattr ioctl read write };
This looks like a labeling problem. file_t should never be present on a system. I would recommend relabeling
touch /.autorelabel; reboot
allow innd_t home_root_t:dir search;
allow innd_t tmp_t:dir search;
allow innd_t user_home_t:file { getattr read };
allow procmail_t inaddr_any_node_t:tcp_socket node_bind;
allow procmail_t innd_etc_t:dir search;
allow procmail_t innd_etc_t:file read;
allow procmail_t innd_exec_t:file { execute execute_no_trans read };
allow procmail_t innd_port_t:tcp_socket name_connect;
allow procmail_t ls_exec_t:file { execute execute_no_trans getattr read };
allow procmail_t procmail_exec_t:file execute_no_trans;
allow procmail_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
allow procmail_t razor_port_t:tcp_socket name_connect;
allow procmail_t smtp_port_t:tcp_socket name_connect;
allow procmail_t tmp_t:dir { add_name create read remove_name rmdir search write };
allow procmail_t tmp_t:file { create getattr ioctl read unlink write };
allow procmail_t user_home_t:file { execute execute_no_trans };
allow spamd_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
allow spamd_t user_home_dir_t:dir read;
allow spamd_t user_home_dir_t:file { append getattr ioctl read };
Do you have the spamd_enable_home_dirs boolean set?
setsebool -P spamd_enable_home_dirs=1
allow xfs_t default_t:dir search;
allow xfs_t default_t:file { getattr read };
-- Chuck
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
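A small triage pass over audit2allow output that applies the checks raised in the reply above, added here as an example (it is not code from the thread or from the SELinux tools). The default_t and execute-from-home checks, the prefix-to-boolean table and the function names are assumptions of this example.

```python
import re

# audit2allow rule shape: allow <source> <target>:<class> <perm | { perms }>;
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
# Target types that point at a labeling fault. file_t is named in the reply
# above; default_t is included as an assumption of this example.
MISLABELED = {"file_t", "default_t"}
# Source-domain prefix -> boolean suggested in the reply for home-dir access.
HOME_BOOLEANS = {"httpd": "httpd_enable_homedirs", "spamd": "spamd_enable_home_dirs"}
EXEC = {"execute", "execute_no_trans"}
# Sample input: six rules copied from the posted audit2allow output.
SAMPLE = """
allow httpd_sys_script_t user_home_t:file { append execute execute_no_trans getattr ioctl read unlink };
allow innd_t file_t:file { getattr ioctl read write };
allow procmail_t user_home_t:file { execute execute_no_trans };
allow spamd_t user_home_dir_t:dir read;
allow xfs_t default_t:dir search;
allow procmail_t smtp_port_t:tcp_socket name_connect;
"""

def parse_rules(text):
    """Return (source, target, tclass, perms) for every allow rule in text."""
    rules = []
    for m in RULE.finditer(text):
        perms = set((m.group(4) or m.group(5) or "").split())
        rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules

def triage(text):
    """Map 'source target:class' to review findings; clean rules are omitted."""
    report = {}
    for src, tgt, tclass, perms in parse_rules(text):
        notes = []
        if tgt in MISLABELED:
            notes.append("relabel instead of allowing")
        if tgt.startswith("user_home"):
            for prefix, boolean in HOME_BOOLEANS.items():
                if src.startswith(prefix):
                    notes.append("check boolean " + boolean)
            if tclass == "file" and perms & EXEC:
                notes.append("executes home-dir content")
        if notes:
            report[f"{src} {tgt}:{tclass}"] = notes
    return report

if __name__ == "__main__":
    for rule, notes in triage(SAMPLE).items():
        print(f"{rule}: {'; '.join(notes)}")
```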
I am using an FC5-based development environment for creating a live CD. In the live CD I am presently using SELinux in permissive mode with targeted policy. But when I enabled SELinux enforcing mode, all the icons of the taskbar, with the menu icons, are disabled. I am unable to login as root from this machine or from another machine by ssh.
Provide document link for selinux used in FC5
Pranav Vishnoi wrote:
I am using an FC5-based development environment for creating a live CD. In the live CD I am presently using SELinux in permissive mode with targeted policy. But when I enabled SELinux enforcing mode, all the icons of the taskbar, with the menu icons, are disabled. I am unable to login as root from this machine or from another machine by ssh.
Provide document link for selinux used in FC5
Sounds like you have a labeling problem.
touch /.autorelabel
reboot
Thanks Daniel,
I have some more queries related to SELinux. I am a new user of SELinux concepts. I have already downloaded all the documents related to SELinux from the Red Hat site, but I never found a perfect solution. Can you tell me where I can get training for SELinux in India?
I give support for a LiveCD environment developed on Fedora Core. Up to FC4 SELinux I was using .te files and my own customized local.te for the LiveCD. But at the time of FC5 I disabled SELinux and created the development for it. After creating the development I enabled SELinux in permissive mode to run all the components used in the LiveCD (Remo) successfully. Please provide me more documents on SELinux used in FC5 & RHEL4.
----- Original Message -----
From: "Daniel J Walsh" dwalsh@redhat.com
To: "Pranav Vishnoi" pvishnoi@networkprograms.com
Cc: fedora-selinux-list@redhat.com
Sent: Friday, August 25, 2006 10:32 PM
Subject: Re: Icons Disapperd
Pranav Vishnoi wrote:
I am using an FC5-based development environment for creating a live CD. In the live CD I am presently using SELinux in permissive mode with targeted policy. But when I enabled SELinux enforcing mode, all the icons of the taskbar, with the menu icons, are disabled. I am unable to login as root from this machine or from another machine by ssh.
Provide document link for selinux used in FC5
Sounds like you have a labeling problem.
touch /.autorelabel
reboot
Pranav Vishnoi wrote:
Thanks Daniel,
I have some more queries related to SELinux. I am a new user of SELinux concepts. I have already downloaded all the documents related to SELinux from the Red Hat site, but I never found a perfect solution. Can you tell me where I can get training for SELinux in India?
https://www.redhat.com/training/security/courses/. Check your nearest office.
I give support for a LiveCD environment developed on Fedora Core. Up to FC4 SELinux I was using .te files and my own customized local.te for the LiveCD. But at the time of FC5 I disabled SELinux and created the development for it. After creating the development I enabled SELinux in permissive mode to run all the components used in the LiveCD (Remo) successfully. Please provide me more documents on SELinux used in FC5 & RHEL4.
http://fedoraproject.org/wiki/SELinux
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
Rahul
Thanks Rahul for giving me the certification details. But my problem remains. I have some questions.
1. After setenforce 1 I am unable to login as root. Where do I make changes to give access permission to root? It gives the message wrong password, but when I do setenforce 0 there is no problem logging in as root.
2. In the live CD there is no procedure for auto relabel of the / structure. Is there any short command to relabel / ?
3. Can I replace policy.20 with policy.18 or use the FC3 policy?
----- Original Message -----
From: "Rahul" sundaram@fedoraproject.org
To: "Pranav Vishnoi" pvishnoi@networkprograms.com
Cc: "Daniel J Walsh" dwalsh@redhat.com; fedora-selinux-list@redhat.com
Sent: Saturday, August 26, 2006 12:28 AM
Subject: Re: Icons Disapperd
Pranav Vishnoi wrote:
Thanks Daniel,
I have some more queries related to SELinux. I am a new user of SELinux concepts. I have already downloaded all the documents related to SELinux from the Red Hat site, but I never found a perfect solution. Can you tell me where I can get training for SELinux in India?
https://www.redhat.com/training/security/courses/. Check your nearest office.
I give support for a LiveCD environment developed on Fedora Core. Up to FC4 SELinux I was using .te files and my own customized local.te for the LiveCD. But at the time of FC5 I disabled SELinux and created the development for it. After creating the development I enabled SELinux in permissive mode to run all the components used in the LiveCD (Remo) successfully. Please provide me more documents on SELinux used in FC5 & RHEL4.
http://fedoraproject.org/wiki/SELinux
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
Rahul
Pranav Vishnoi wrote:
Thanks Rahul for giving me the certification details. But my problem remains. I have some questions.
1. After setenforce 1 I am unable to login as root. Where do I make changes to give access permission to root? It gives the message wrong password, but when I do setenforce 0 there is no problem logging in as root.
Then you need to look at AVC denied messages in /var/log/messages or /var/log/audit (if audit service is enabled) and post the messages to this list if you are unable to figure out and resolve it.
2. In the live CD there is no procedure for auto relabel of the / structure. Is there any short command to relabel / ?
relabel /. seems a rather short command to me.
3. Can I replace policy.20 with policy.18 or use the FC3 policy?
Usually a bad idea as newer policies tend to be better.
Rahul
I again relabeled / with the restorecon command. But after creating local.te and running make -f Makefile, it makes the local.pp file. Using semodule -i local.pp, it gives an error message:
libsepol.permission_copy_callback: Module local depends on permission getattr in class system, not satisfied
libsemanage.semanage_link_sandbox: link package failed
I have class system {getattr............}
Provide me a solution.
Pranav Vishnoi
----- Original Message -----
From: "Pranav Vishnoi" pvishnoi@networkprograms.com
To: "Rahul" sundaram@fedoraproject.org
Cc: "Daniel J Walsh" dwalsh@redhat.com; fedora-selinux-list@redhat.com
Sent: Saturday, August 26, 2006 1:09 AM
Subject: Re: Icons Disapperd
Thanks Rahul for giving me the certification details. But my problem remains. I have some questions.
1. After setenforce 1 I am unable to login as root. Where do I make changes to give access permission to root? It gives the message wrong password, but when I do setenforce 0 there is no problem logging in as root.
2. In the live CD there is no procedure for auto relabel of the / structure. Is there any short command to relabel / ?
3. Can I replace policy.20 with policy.18 or use the FC3 policy?
Pranav Vishnoi wrote:
I again relabeled / with the restorecon command. But after creating local.te and running make -f Makefile, it makes the local.pp file. Using semodule -i local.pp, it gives an error message:
libsepol.permission_copy_callback: Module local depends on permission getattr in class system, not satisfied
libsemanage.semanage_link_sandbox: link package failed
I have class system {getattr............}
Provide me a solution.
You seem to have a badly mislabeled machine.
You probably need to log in to the machine in permissive mode and execute the following.
touch /.autorelabel
reboot
Hi Rahul,
I have relabeled / by using the fixfiles command & created a new module using the audit2allow command. But after doing these things I have some problems related to "ssh" & the terminal icon placed in the task bar. After doing setenforce 1:
1. My terminal closes automatically & I am unable to login as root after logout.
2. I am unable to connect to that machine from another machine using ssh.
3. Some errors related to GConfd are also present at the icon place on the taskbar.
Please provide me a solution or any documentation.
Regds Pranav Vishnoi
On Wed, 23 Aug 2006 14:29:31 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
:This looks like you have a labeling problem on a directory and perhaps
:you do not have the correct boolean set for httpd?
Thank you for taking the time to try to help me, but alas, in the end, it all came to nothing. Both of the booleans you cited were already set, and relabeling did not fix the problems.
-- Chuck
Charles A. Crayne wrote:
On Wed, 23 Aug 2006 14:29:31 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
:This looks like you have a labeling problem on a directory and perhaps
:you do not have the correct boolean set for httpd?
Thank you for taking the time to try to help me, but alas, in the end, it all came to nothing. Both of the booleans you cited were already set, and relabeling did not fix the problems.
-- Chuck
Could you attach your current avc messages?