Fedora Security :: SELinux Prevents Httpd From Reading Homes - Intrusion Attempt?
Aug 30, 2010
the following security alert made me checking my httpd.conf:
Code:
Summary:
SELinux is preventing the http daemon from reading users' home directories. Detailed Description: SELinux has denied the http daemon access to users' home directories. Someone is attempting to access your home directories via your http daemon. If you have not setup httpd to share home directories, this probably signals an intrusion attempt. Even though in httpd.conf there is a line that reads
Code:
LoadModule userdir_module modules/mod_userdir.so
in the same conf-file the access to home-dirs is disabled:
Code:
<IfModule mod_userdir.c>
[Code]....
View 12 Replies
ADVERTISEMENT
Jul 12, 2010
I am setting up a web server and SElinux keeps stopping httpd/appache and making it fail. Everything works fine when SElinux is set to permisive, so I know it is SElinux causing the problem. I have all the apache/httpd items allowed in the SElinux bool and even added the line the troubleshooter told me to add but the problem still persists. Here is what SElinux puts out:
[Code].....
several times and it does nothing. I have all the permissions set to Apache as owner and group and allow execution on all the files.
View 1 Replies
View Related
Jul 13, 2010
I am learning SELinux from LinuxCBT and I'm stuck at one place. Now video is on RHEL 4 (so tell me if things has changed since, cause I can't find anything related) shows how to disable SELinux security on httpd.first I don't know diff between initrc_t and uncofined_t; and second I don't know if something is wrong is everything is all right.
View 1 Replies
View Related
Oct 7, 2010
I have a problem every time I start steam trough wine SELinux is blocking it can I switch off SELinux or do something so steam can start. I have already tried to ignore it and that doesnt work does someone know how to fix this.
View 1 Replies
View Related
Oct 5, 2010
all of the website content will be on a separate partition called "/websites". I've got SELinux enabled, and set the context on /websites and subdirectories to "public_content_t", so that httpd (Apache) can access this partition. This works. However we also have mysql databases stored on this partition as well, and we are getting errors like this in /var/log/auditd/audit.log: type=AVC msg=audit(1286249333.390:326): avc: denied { search } for pid=6167 comm="mysqld" name="/" dev=sda3 ino=2 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_rublic_content_t:s0 tclass=dir
I've tried setting the context to "mysqld_db_t" on the MySQL database folders, but it appears that it cannot get to the partition at all, or anything outside of /var/lib/mysql/. How can we get mysqld to access databases on this partition? Right now there are symlinks from folders in /var/lib/mysql/ that go to each database on /websites partition. Setting SELinux to Permissive mode gets everything to work fine. Basically with SELinux in Enforcing mode, we're getting errors in the PHP applications that httpd can't connect to the databases.
View 4 Replies
View Related
Sep 1, 2010
My Fedora box is giving me an SELinux security error:
Code: Summary:
SELinux is preventing the samba daemon from reading users' home directories.
Detailed Description:
SELinux has denied the samba daemon access to users' home directories. Someone
is attempting to access your home directories via your samba daemon. If you only
setup samba to share non-home directories, this probably signals an intrusion
attempt. For more information on SELinux integration with samba, look at the
samba_selinux man page. (man samba_selinux)
Allowing Access: If you want samba to share home directories you need to turn on the
samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
Fix Command:
setsebool -P samba_enable_home_dirs=1
Additional Information:
Source Context system_u:system_r:smbd_t:s0
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects /home/micah [ dir ]
Source smbd
[code]....
View 2 Replies
View Related
Jun 24, 2011
I didn't see another thread about Google Picasa being blocked by SE Linux. How do I tell my machine to allow it to run? I have the same problem with a program called Smartboard that I have installed but can't open.
View 1 Replies
View Related
Apr 13, 2011
this is the allert i got:Code:Summary:Your system may be seriously compromised! /usr/sbin/NetworkManager tried to loada kernel module.Detailed Description:SELinux has prevented NetworkManager from loading a kernel module. All confinedprograms that need to load kernel modules should have already had policy writtenfor them. If a compromised application tries to modify the kernel this AVC willbe generated. This is a serious issue.Your system may very well be compromised.Allowing Access:Contact your security administrator and report this issue.Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....
View 5 Replies
View Related
Mar 11, 2010
Is an ubuntu live cd totally secure from intrusion? Stated another way, even if someone knows my ip address, can the live cd environment be hacked into in any way so that another could monitor what I am doing on my computer? From my understanding the live cd is read only, so that would prevent anything malicious being installed on it. I am curious if there are other ways a box running a live cd could be tapped into.
View 6 Replies
View Related
Mar 12, 2010
How to detect intrusion in my desktop ubunta 9.10 version ? which command that could direct tell me about any change in my files ? I would like the procedures that protect my system from intrusion , i am using firestarter and keep tracing the network by using netsta -tap ?
View 2 Replies
View Related
Feb 16, 2011
software to use against Intrusion and such. The thing is that I don't want to have several anti virus programs running at the same time due to collision.
View 9 Replies
View Related
Apr 1, 2010
My desktop (the system AIDE runs on) is reguarly updated, and the file output can become enormous, making it hard, if not impossible, to track down out of place files. I have recently thought of uninstalling it since I can't tell what is out of place and what isn't, but before I do that I wanted to ask everyones opinion regarding what would be the best way to handle such a program on a desktop that has some core files changed reguarly. This sytem is running Gentoo, so updates affect a number of directories.
View 6 Replies
View Related
Dec 13, 2010
I'M A NOVICE and some days ago my web server was down (apache issue) and I found the following file called .bash_history in the folder /var/www/ :
cd /tmp
ls
wget [MODERATED]
[code]...
View 3 Replies
View Related
Jun 17, 2011
What if two programs say ftpd and httpd need to acces the same directory? Any way to set context type of that directory to httpd_t and ftpd_t? What do you do in a case like this?
View 2 Replies
View Related
Feb 23, 2010
I need to allow users who are not root to viewthe /var/log/httpd/error_log while theyare developing web pages. The default permissionof the directory /var/log/httpd/ is:drwx------ 2 root root 4096 Feb 21 04:02 httpdOf course I could just go "chmod 755 httpd", butI would like to know the "safe" way to allownon root users to access the httpd logs.Shall I add the users to the "apache" group andthen:chown apache httpd chown 750httpd
View 3 Replies
View Related
Oct 20, 2010
I'm attempting to get MapServer running on my Fedora 13 computer. I was able to install with the package manager, and the executable (mapserv) was originally placed in /usr/sbin. But I need it in /var/www/cgi-bin to work on the webserver. So I copied the file to the right location. Unfortunately, it doesn't have the correct SELinux context. Here's the message from the troubleshooter:
SELinux denied access requested by /var/www/cgi-bin/mapserv. /var/www/cgi-bin/mapserv is mislabeled. /var/www/cgi-bin/mapserv default type is httpd_sys_script_exec_t, but its current type is httpd_sys_script_exec_t. Changing this file back to the default type, may fix your problem.
How's that for circular logic? Does anyone have an idea what the correct SELinux context for a cgi-bin executable might be?
View 3 Replies
View Related
Nov 10, 2010
Trying to keep selinux enabled. When I start SeLinux Troubleshooter from the menu, which is inautostart as well, It tells me SELinux not enabled, sealert will not run on nonSELinus systems".How do I get SELinux permanently started then
View 10 Replies
View Related
Jan 17, 2011
My newly installed Fedora-14 (64-bit) has SELinux disabled. I can't find any way to enable it. I tried to set it manually in /etc/selinux/config to enforcing or permissive but nothing happens after reboot. In GUI configuration tool it is set to disabled and grayed out so that there is no way to enable it there. Is there another way to enable SELinux?
View 11 Replies
View Related
Apr 30, 2011
I tried to log in to my xguest account and it asked for a password, which it shouldn't, so there's a problem with SELinux.When I type getenforce it says it is disabled, yet when I go to /etc/selinux and look at the config, it is in enforcing mode and not commented out, type is strict.When I go to the SELinux management GUI I can't change the current enforcing mode and it's set to disabled and default to enforcing.
View 2 Replies
View Related
May 11, 2009
I am new to Fedora 10, and to SELinux too.
I would like to know how can I prevent from users with role user_r to connect to Internet with firefox.
View 2 Replies
View Related
Jul 8, 2009
I am running Fedora 11 and every time i plug in my iPod it tells me... SELinux is preventing mkdir (podsleuth_t) "read" security_t ... I have no idea on how to create a policy module to allow access.
View 2 Replies
View Related
Mar 29, 2010
I get a SELinux relabel often even without changing stuff. SELinux troubleshoot doesn't show any error nor are there any messages in /log/messages that give any clue. Where should I look to see whats happening ?
2.6.31.12-174.2.22.fc12.x86_64
selinux-policy-3.6.32-103.fc12
View 2 Replies
View Related
Jul 11, 2010
I wonder if SELinux really are necessary for a home desktop ?
It only makes my computer use more problematic than it already is.
What can happend if I uninstall it on my Fedora 13 dist ?
Is the hole Internet going to come in to my computer and destroy it ?
If I uninstall SELinux, is the firewall uninstalled also ?
View 14 Replies
View Related
Jul 19, 2010
I have recently upgraded from FC12 to FC13, and last week I updated all packages using YUM. The system is running as a VM inside CentOS 5.5 using KVM. SELinux is enforcing, using the targeted policy. Bugzilla is version 3.6.1 and was NOT installed using RPM or YUM.
Bugzilla was working OK on this machine until SELinux was upgraded last week from 3.7.19-28 to 3.7.19-33, and is still broken after testing 3.7.19-37 from the testing repo. With SELinux in enforcing mode, apache returns error 500 when I browse to the main bugzilla page. The apache error log shows this:-
Code:
[Mon Jul 19 13:15:08 2010] [error] [client 192.168.40.1] (13)Permission denied: exec of '/var/www/html/bugzilla/index.cgi' failed
Nothing, and I mean absolutely nothing, is recorded in /var/log/audit/audit.log, /var/log/messages or /var/log/secure.
[Code]....
View 5 Replies
View Related
Mar 17, 2011
i get this warning from selinux :
"SELinux is preventing /bin/mailx from append access on the file /var/lib/rkhunter/rkhcronlog.OmRFCZOynG."
I tried to fix it by "# /sbin/restorecon -v /var/lib/rkhunter/rkhcronlog.OmRFCZOynG" as suggested by SELinux but it comes back with another warning, but with a different /rkhcronlog.xxxxxxxxx...
i think its just a way of rkhunter logging issue -. attached here is the actual error message by selinux.
View 6 Replies
View Related
Jul 20, 2011
I just install Fedora 15 and I see the SELinux Policy Genertation Tool and the SELinux Administration application in the app launcher but I do not see the SELinux Troubleshooter app. I seems to be missing. How do I get it on my system?
View 2 Replies
View Related
Jul 24, 2011
I need to change SELinux policy to permissive and then back to enforced for an installation. I understand that I should be able to do that through the SELinux Administration window accessed through System -> Administration ->SELinux Management. But I do not have any real sysadmin tools available in my Fedora 15 Gnome Gui interface. Am I missing something, or should I use some sort of similar command line tool to do this?
View 2 Replies
View Related
Mar 6, 2009
I know very little about SE Linux and I've heard that in some situations it's better to disable it. For a home user, is it important? Does it improve your life ? or does it get in the way ?
Last week some update stopped my printing and I had to install the new hplip from HP because it wasn't in the Fedora repos to correct the problem. I don't know if SELinux had anything to do with it, but today when I disabled SELinux a few minutes later I get a star up on the toolbar and when I clicked on it it mentioned something about hplip. It wouldn't make any sense to me but maybe this has happened to others.
View 9 Replies
View Related
Mar 15, 2009
SElinux is blocking my internet connection and every time when I connect t the internet (pppoe connection) I ge message.
View 2 Replies
View Related
Jun 4, 2009
Currently working on the targeted policy, I need a help in doing the following things as quick as possible:
1- How to create a totally new SELinux user (not mapping new linux user to SELinux user) I want a new user with no roles or with a maximum of 1 role. I also need how to compile the new user so I can used it for mapping users. At the time, I've tried creating a new file inside /etc/selinux/targeted/contexts/users similar to the other users inside this directory, but it did not actually seem to appear when using the command semanage to list SELinux users : semanage user -l
2- How to create a totally new SELinux role (empty for now) ? and how to make the relation between this new role and domains or types.
3- How to create new domain, actually following some old instructions I created the .fc and .te files, but not the .if file, which is more complicated than the other 2 file.
View 10 Replies
View Related