Questions tagged [selinux]

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies.

1 vote
0 answers
74 views

Selinux policy to allow all access to script or to not log anything done by this script

I have a bash script running every 5 minutes in cron, that basically runs some commands like: mkdir, top, grep, date, wait, sleep, jstack. It runs on user bob. It generates a lot of logs and I want to ...
VenomousDuck's user avatar
0 votes
0 answers
37 views

Creating a hybrid SELinux policy for a specific directory?

I have a machine "NFS-Server", a machine "Hybrid", and a machine "TFTP-Client" which I would like to connect in the following way: NFS-Server allows Hybrid to mount to a ...
eakirk16's user avatar
0 votes
0 answers
210 views

Enabling Selinux on debian-based system

I just want to know if there is a way to enable SELinux on a Debian-based system. I'm currently running Parrot OS with what I think is Debian 10 and I'm having problems enabling SELinux on it. When I ...
Martin Montas's user avatar
2 votes
1 answer
937 views

Tomcat runs from the command line, but will not start as a systemd service

I have built an Apache Tomcat 9.0.83 server on Oracle Linux 9 which will not start as a systemd service, but it does work if you run it from the command line. sudo su - tomcat /u01/tomcat/my_server/...
Big Ed's user avatar
  • 131
1 vote
0 answers
46 views

finer-grained role/type access (specifically auditd_log_t)

Suppose I want to use SELinux to lock down audit logs even more tightly than ordinary logs. Ordinary logs typically have type var_log_t, but audit logs have type auditd_log_t. So there's at least a ...
Steve Summit's user avatar
0 votes
0 answers
98 views

Almalinux9 SSH port change is not accepting connections

Can someone please give a hint what else may be wrong? System AlmaLinux 9, located at a VPS. I wanted to change the port of SSHD to 60022, but when I try to connect to it, it does not respond anyhow when I'...
OddStan's user avatar
1 vote
1 answer
63 views

docker/podman issue when building in a golang:1.20 container

Anyone know why podman fails and docker works? podman: $ podman run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp golang:1.20 go build -v go: go.mod file not found in current directory or ...
Nifle's user avatar
  • 34.6k
1 vote
1 answer
4k views

How do I disable "suspend to RAM", and enable "suspend to idle"?

I found some threads and articles with lots of info on this topic but I can't seem to make sense of it just yet. I'm running Fedora workstation with secure boot and full disk encryption on an Asus tuf ...
1 vote
0 answers
112 views

Restarting Apache after installing RSA Web Agent

Good afternoon, We are currently attempting to install the RSA Web agent on our Apache web server, but run into problems after installation, when restarting the web server. The error we get is the ...
Bokkie's user avatar
  • 43
0 votes
2 answers
135 views

How do I configure/secure LAMP stack on Fedora 37 without permissive SELinux configuration?

I've installed all the LAMP components (Apache, MySQL, and PHP) on Fedora 37, but for now I haven't changed my SELinux configuration from enforcing to permissive because I don't know what problems ...
J. Horton's user avatar
1 vote
1 answer
207 views

Ubuntu - ls -Z only shows question marks and file names

When I'm using ls -Z /etc I only get question marks and filenames. I don't get anything about the security context. Does anyone know anything about this?
Volodya Shulga's user avatar
0 votes
1 answer
839 views

Arch: unable to write to pipe (Broken pipe) when installing selinux-refpolicy-arch

I'm setting up selinux on my arch system, every library successfully built and the modules were installed, but attempting to apply the reference policies supplied by selinux-refpolicy-arch fails after ...
getynge's user avatar
  • 11
0 votes
1 answer
575 views

VirtualBox guest additions update got error missing SELinux target policy file

While updating VirtualBox guest additions on a Red Hat Linux 7 (RHEL7) virtual machine, we got the below error about missing a target policy file of SELinux. We checked the virtual machine: We tried ...
James's user avatar
  • 409
1 vote
1 answer
9k views

Rsyslog forward logs cannot connect Permission Denied

Have configured Rsyslog to ship logs to a remote location through an SSH tunnel. However rsyslog complains with "Permission denied": rsyslogd[28412]: cannot connect to 127.0.0.1:10601: ...
sastorsl's user avatar
  • 171
1 vote
1 answer
493 views

Can environment variables be made immutable?

With the recent discovery of the Symbiote vulnerability, it is now apparent that we need a mitigation for LD_PRELOAD injection attacks and similar. One way we may be able to prevent this exploitation ...
MrDrMcCoy's user avatar
  • 1,017
1 vote
0 answers
314 views

Fedora Tor Failed to bind one of the listener ports

Tor Log: Jun 03 15:12:53.463 [notice] Tor 0.4.7.7 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1n, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.5.2 and Glibc 2.34 as libc. Jun 03 15:12:53.463 [...
france1's user avatar
1 vote
0 answers
197 views

SELinux - add access rights for a new type

I am new to SELinux and I need to create a new type for a file and then specify access rights for a standard Linux user with its security context: user_u : user_r : user_t. I created new module (.te ...
Petr's user avatar
  • 11
0 votes
0 answers
355 views

Why does a shared samba directory show different file permissions?

The file permission in my samba server (local filesystem) are as follows: -rw-r-----+ 1 sambaserver sambaserver 49 Jan 9 01:14 staticfile.md However, when accessed remotely through a client, the ...
Kosho E's user avatar
  • 11
0 votes
0 answers
35 views

Frequent SE Linux alert after upgrading systemd from rpm rebuild

This is the scenario. I am using CentOS 8 and I have updated systemd to a higher version (rebuilt rpm from Fedora 33). Now I get frequent SELinux alerts. I am pretty sure it's not a systemd bug, ...
Jones G's user avatar
  • 383
1 vote
1 answer
168 views

Can SELinux brick your server?

I have enabled SELinux on CentOS Stream (it was in disabled state before, do not know the exact history). I simply changed the following line in /etc/selinux/config (it was disabled before): SELINUX=...
meolic's user avatar
  • 133
1 vote
0 answers
219 views

Use SELinux(?) to disable root access to iptables for procrastination

This might not be a problem for you but I suffer from poor impulse control and as a result constant procrastination while in front of a computer. I can't procrastinate much on my phone because I ...
habisanubis's user avatar
0 votes
1 answer
233 views

Selinux: changing root mapping

I want to control some accesses of root in Linux- fedora, for example, I want to run a process and I want root not to be able to kill it. I use SELinux and I changed root mapping from unconfined to ...
Redwan's user avatar
  • 1
1 vote
1 answer
769 views

How to add a capability to SELinux custom role?

I created a role foo_r, and I would like that a user with this role, can open a reserved port (< 1024) with the CAP_NET_BIND_SERVICE capability. For this I added a security context: policy_module(...
anderson's user avatar
0 votes
1 answer
1k views

How to get "su" to work in init scripts in Red Hat 8 with SELinux?

In an init script I'm trying to run a command: su - user -c "/home/user/bin/command” but SELinux prevents this: systemd[1]: Starting LSB: Start the my_script at boot... su[5941]: pam_unix(su-l:...
Mareq's user avatar
  • 101
0 votes
0 answers
350 views

How can I get my gnome lockscreen as default instead of the grey system one?

Suddenly my lockscreen changed from the gnome (blue one) lockscreen that detects the username and asks for password to the login screen that asks for both username and password. I am trying to get it ...
Omar G. Goda's user avatar
1 vote
0 answers
831 views

Unable to login after switching to "multi-user" target in Yocto Linux

I have a device running yocto(warrior) and selinux is enabled by default. I am unable to login to device if I switch to multi-user target. If I change selinux in permissive mode, I am able to login ...
Raxesh Oriya's user avatar
0 votes
1 answer
484 views

CentOS 8 auditd AVC denials message flood caused by denied setuid

Today my CentOS 8 suddenly froze and was not responding to user inputs. When I tried to log in from the console, I saw messages like these: audit: backlog limit exceeded audit: backlog limit exceeded audit: ...
iBro X's user avatar
  • 1
0 votes
1 answer
552 views

How can an SELinux filesystem be relabeled in an unpacked squashfs filesystem?

I am trying to configure selinux for a live boot Debian system. SELinux is inoperable due to copious changes during build and system configuration and requires the entire filesystem to be relabeled. ...
Kebam's user avatar
  • 79
0 votes
0 answers
72 views

Is it possible to limit the permissions of a user based on his or her actions?

I'm currently working on a research project, that includes the question, if it is possible to implement a Chinese-Wall based information flow control model based on SELinux. One of the core principles ...
unbekannt's user avatar
0 votes
2 answers
150 views

Restricting Access to Files when Standard Linux Permissions Won't Suffice

I administer several RHEL 6.9 systems. On each system, a particular directory, call it /app_dir, is the top level of where our project's scripts, executables, configuration files, and logs are stored. ...
Dave's user avatar
  • 1,049
0 votes
1 answer
457 views

How do I run a War File in confined SELinux domain on CentOS7?

I am currently working on the deployment of my Java Web Application. This application is available to me as a WAR file. My goal is that the application starts with a limited SELinux startup. This ...
mm0004's user avatar
  • 1
-1 votes
1 answer
295 views

What is the difference between a file with SELinux context and without SELinux context?

Good day. Today I compared the file permissions of 2 environments. I found that one of them has a dot at the end of the permissions, but the other environment does not. Environment 1 (with SELinux context): -...
Panadol Chong's user avatar
1 vote
1 answer
2k views

Mounting docker into container shows executable but errors with: /usr/bin/docker: No such file or directory

Environment details $ docker --version Docker version 19.03.4, build 9013bf583a $ hostnamectl Static hostname: ohpc.novalocal Icon name: computer-vm Chassis: vm ...
Arthur Weborg's user avatar
0 votes
3 answers
4k views

Cannot execute systemd service running as a non privileged user on CentOS 8

There is (maybe) a change between CentOS 7 and 8 with regard to systemd and SELinux, and I do not yet know how to deal with this. For some reason (cross distribution compat) we are using postgresql 9.6 from ...
Rosch's user avatar
  • 21
1 vote
1 answer
483 views

syslog-ng starts and runs fine manually... starts but doesn't create logs when using systemd

Red Hat 7.6 with latest syslog-ng (3.22). I've searched and tried all the old remedies. Nothing has worked to resolve this. My syslog-ng.conf file has a bunch of ports and a bunch of destinations. When ...
Carver Stone's user avatar
0 votes
2 answers
214 views

SELinux blocking procmail from executing dspam but no AVC message

I have a CentOS 7 system in which I use postfix as the MTA. Certain users use procmail via .forward in their home directories: # cat .forward "|exec /usr/bin/procmail -f- || exit 75" In this case, I ...
cfiske's user avatar
  • 3
0 votes
1 answer
2k views

Fedora 30 boot freeze - Failed to load SELinux policy

Updated Fedora 30 (workstation) via CLI sudo dnf upgrade -y everything ok, updates downloaded and installed. SELinux configuration file is set as follows: SELINUX = disabled Then reboot. System ...
GabrieleMartini's user avatar
1 vote
1 answer
785 views

Generate selinux policy from audit2allow

I need to upload to aws from logrotate. When the logrotate is triggered the SELinux blocking it. The error line is type=AVC msg=audit(1562162502.670:101127): avc: denied { name_connect } for ...
GergA's user avatar
  • 173
0 votes
1 answer
767 views

How to grant 'search' permission in SELinux

I am trying to get dspam working under SELinux (CentOS 7). I added the following without issue: allow dspam_t dspam_rw_content_t:dir getattr; allow dspam_t dspam_rw_content_t:file { append getattr ...
cfiske's user avatar
  • 3
1 vote
0 answers
332 views

You don't have permission to access /{local} on this server even though allowed from all

I'm trying to set up a local repository on my cluster but when I try to access to the defined directory with curl "http://$(hostname -f):80/local_HDP/" , the error messages shown <html><...
Banthita Limwilai's user avatar
0 votes
1 answer
3k views

Set permission and ownership correctly, still getting "storage/logs/laravel.log" Permission denied

There are lots of Q&As for this problem: "storage/logs/laravel.log" could not be opened: failed to open stream: Permission denied The solution, correctly, is to set the right permissions for ...
Pedram Behroozi's user avatar
0 votes
0 answers
47 views

sh(conf) script can not run php file

I am trying to run a php script within my fail2ban action file. When I disable selinux everything works fine, but when I enabled it again I get a constant error in my fail2ban log. php.conf (action) ...
Riccoh's user avatar
  • 101
0 votes
1 answer
270 views

Why has my existing Nginx failed to run after rebooting the system which says 13: Permission denied, although chmod 777?

My Nginx is configured with Docker, but when I reboot my system my existing nginx fails to run. I face the error message: [emerg] 1#1: open() "/etc/nginx/nginx.conf" failed (13: Permission denied)
Sayem's user avatar
  • 1
0 votes
1 answer
421 views

Change SE Linux context label of a specific folder inside a cifs mount

I have cifs mount on my setup mounted via /etc/fstab with context set to system_u:object_r:cifs_t:s0. There are some specific folders that I want to override default context to set public_content_t ...
Lolitha Ratnayake's user avatar
4 votes
2 answers
10k views

How to run an X11 application (xclock) on podman?

podman says Error: Can't open display: localhost:10.0 when I try to run xclock in a container with the command podman run -ti -e DISPLAY --rm -v ~/.Xauthority:/root/.Xauthority:Z localhost/...
Erik Sjölund's user avatar
1 vote
2 answers
364 views

SElinux enforcing status is different from the config file

Dear All, I have a problem with SELinux. In the config file SELINUX=enforcing but when I run getenforcing command I get disabled. I rebooted the server to see if there are any changes but still the ...
user8177457's user avatar
0 votes
1 answer
708 views

How to mount iso file with selinux context

I am trying to mount an iso file in /var/ftp/pub/centos. When I try to access those files using ftp in a web browser it's not working. After troubleshooting I found that it's because of SELinux. dr-xr-...
max's user avatar
  • 4,073
0 votes
2 answers
2k views

selinux preventing PHP/Roundcube from connecting to local SMTP or IMAP ports

EDIT: I've determined the cause is selinux. After disabling enforcement with setenforce 0 everything worked. So the new question is, what's going on with selinux? I only have default CentOS 7 policies....
Chris's user avatar
  • 631
0 votes
1 answer
188 views

Fedora 27 LXDE closing lid doesn't lock the screen (selinux acpid xscreensaver-command)

I've installed acpid and setup an event for lid close which works in debug mode, however I cannot get it to work when acpid is started by systemd. I used the suggestions here to configure acpid Linux ...
banjo67xxx's user avatar
0 votes
2 answers
2k views

H00035: access to "file.php" denied, how to properly setup SELinux?

I have been struggling for the last days with this issue and so far I am not able to find any solution. The issue in a few words is (error message): H00035: access to index.php denied because ...
ReynierPM's user avatar
  • 385