Security :: SELinux Is Preventing Connectto Access?
Jan 13, 2011
I'd like to grant /usr/sbin/sendmail.sendmail "connectto" access to the unix_stream_socket /var/lib/imap/socket/lmtp.How do I do that?I want to eliminate error messages that keep appearing in my message log:
/var/log/messages:Jan 13 11:45:29 e setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail from connectto access on the unix_stream_socket /var/lib/imap/socket/lmtp. For complete SELinux messages. run sealert -l 05df828f-4402-
[code]....
View 1 Replies
ADVERTISEMENT
Mar 13, 2009
I went to print something and I get this message: Summary: SELinux is preventing access to files with the default label, default_t.
Detailed Description: SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
View 3 Replies
View Related
Jul 15, 2011
This is the "alert" I've received from SElinux Alert Browser after closing "rythmbox" application that opened my CreativeZen mediaplayer:
Code:
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sys_ptrace capability
in dmesg it has:
[code]....
View 3 Replies
View Related
Dec 31, 2009
I receive the message "SELinux is preventing /usr/sbin/vsftpd "net_raw" access" many times. Found this bug at redhat but really do not understand what i should do about it ((( Kindly let me know how to change this to normal. Shut down Selinux is not the way out.
View 14 Replies
View Related
Feb 3, 2010
I am running Postfix on my CentOS (latest) powered box with SELinux at Enforcing mode.
This is what I get each time Postfix tries to send e-mail:
Quote:SELinux is preventing postdrop (postfix_postdrop_t) "write" to pipe (initrc_t).
View 4 Replies
View Related
Mar 6, 2010
I'm trying to setup ssh access on my Fedora 12 laptop. I get the following error message in /var/log/secure when I try to login from another machine using ssh and the login is denied:
Code:
sshd[3025]: error: Could not get shadow information for <user>
sshd[3025]: Failed password for <user> from <ip> port <port> ssh2
If I do a 'setenforce 0' I can login and no error is logged.
View 10 Replies
View Related
Nov 2, 2010
- Newly installed Fedora 14- Firefox 3.6.12- All latest Fedora updates installed- Denial occured after the installation of jre1.6.0_22 from here - Linux (self-extracting file) and creating symbolic links as follows;
Code:
[root@Freedom opt]# ln -s /opt/jre1.6.0_22/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins/
Code:
[code]....
View 3 Replies
View Related
Sep 1, 2010
My Fedora box is giving me an SELinux security error:
Code: Summary:
SELinux is preventing the samba daemon from reading users' home directories.
Detailed Description:
SELinux has denied the samba daemon access to users' home directories. Someone
is attempting to access your home directories via your samba daemon. If you only
setup samba to share non-home directories, this probably signals an intrusion
attempt. For more information on SELinux integration with samba, look at the
samba_selinux man page. (man samba_selinux)
Allowing Access: If you want samba to share home directories you need to turn on the
samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
Fix Command:
setsebool -P samba_enable_home_dirs=1
Additional Information:
Source Context system_u:system_r:smbd_t:s0
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects /home/micah [ dir ]
Source smbd
[code]....
View 2 Replies
View Related
Apr 13, 2011
this is the allert i got:Code:Summary:Your system may be seriously compromised! /usr/sbin/NetworkManager tried to loada kernel module.Detailed Description:SELinux has prevented NetworkManager from loading a kernel module. All confinedprograms that need to load kernel modules should have already had policy writtenfor them. If a compromised application tries to modify the kernel this AVC willbe generated. This is a serious issue.Your system may very well be compromised.Allowing Access:Contact your security administrator and report this issue.Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....
View 5 Replies
View Related
Aug 24, 2010
I configure named and stumble upon the following problem: named is serious about user rights, every config file named uses should be named:named. I set rights to named:named as follows, but they get changed to root:named when I restart named as root. The same thing happens with SELinux context. This results in access denied type errors.
View 1 Replies
View Related
May 15, 2010
I have a problem as following: "using iptables to prevent IP spoofing".
View 4 Replies
View Related
Jul 9, 2010
I am trying to lock down our application and server with iptables. Anybody have any idea how to prevent accesses to the application from another application? Basically I opened up the ports 80 and 443 for the application server. However, the application points to other apps (ie. database, ldap). I want to limit what it can connect to or who can connect to it. Bascially I can limit who connects to the server itself but the application can still get input from outside servers.
View 4 Replies
View Related
Jun 4, 2011
is it possible to block an application from using the network? If yes, how? I read it's possible with iptables and with selinux... Also, what about creating a user who can't connect and run the application with that user?
View 7 Replies
View Related
Jul 13, 2010
I am learning SELinux from LinuxCBT and I'm stuck at one place. Now video is on RHEL 4 (so tell me if things has changed since, cause I can't find anything related) shows how to disable SELinux security on httpd.first I don't know diff between initrc_t and uncofined_t; and second I don't know if something is wrong is everything is all right.
View 1 Replies
View Related
Apr 21, 2011
When I'm logged into my account, I can't shut down the computer if someone else is also logged in unless I supply the root password. However, if I log out, I can shut down from GDM without being challenged, even though another person is logged in, which could cause problems if that person is in the middle of some work. Is there a way to password-protect the gdm shutdown function if people are logged in?
View 2 Replies
View Related
Nov 5, 2010
What methods exits to restrict which directories a user may browse on the filesystem. I want to prevent php scripts from being able to view system files. I've seen two solutions, but neither are satisfactory:Chrooting a directory that the script is in, but this requires that all the necessary php libraries/files are moved/copied into the right place relative to the chroot directory. I don't feel that I have the technical ability to achieve this.Putting php into safe mode and disabling *nasty* php functions. But this is ineffective if just one obscure *bad* php function is missed.
View 5 Replies
View Related
May 8, 2011
I'm trying to set up an unprivileged user on some field systems running 11.04 with the standard Gnome shell (rather than Unity), and ideally that user would not have access to the command line. The user can log in through GDM (but not the text consoles) with no password, so I need to provide the absolute minimum of privileges; basically the user should only be able to run one program.
I've already set the /desktop/gnome/lockdown/disable_command_line key with gconf-editor for that user, which successfully disabled the "Run Command" dialog. Unfortunately, even though the description of the key in gconf-editor says "prevents the user from accessing the terminal...", the terminal emulator is still accessible from the Applications menu, and I haven't been able to find a good way of disabling the terminal or removing it from the menu. The only thing that occurs to me is an ugly hack: replace the gnome-terminal binary with another that checks to make sure the user is not the unprivileged one and then starts gnome-terminal.
View 5 Replies
View Related
Sep 11, 2010
how the file is generated or what it contains is not important at this point.The important question is how to prevent the file from being downloaded and its contents from being displayed in the browser window?Since it is not recognized by the web browser so it is downloaded on the system. That way, what the script does is exposed to the outside world.Okay, I usually keep such scripts in../cgi-bin/. But for files (text files, in the example) which are being uploaded by a user should not be downloaded by another user.
View 10 Replies
View Related
Jul 26, 2011
I just downloaded Fedora 15 desktop to a USB device. I am able to boot to the device and load the desktop with errors.I receive the following:
SeLinus is preventing /usr/Libexec/colord from getting access on the blk_file /dev/dm-0
Plugin: catchall
Source Process: /usr/libexec/colord
Attempted: getattr
On this blk_file: /dev/dm-0
I also am not able to use my wireless network. This is being booted on a Dell Inspiron 1545 Vista Sp2 system with 4 gb or RAM.The wireless network connection works fine with Vista.
View 2 Replies
View Related
Oct 20, 2010
I'm attempting to get MapServer running on my Fedora 13 computer. I was able to install with the package manager, and the executable (mapserv) was originally placed in /usr/sbin. But I need it in /var/www/cgi-bin to work on the webserver. So I copied the file to the right location. Unfortunately, it doesn't have the correct SELinux context. Here's the message from the troubleshooter:
SELinux denied access requested by /var/www/cgi-bin/mapserv. /var/www/cgi-bin/mapserv is mislabeled. /var/www/cgi-bin/mapserv default type is httpd_sys_script_exec_t, but its current type is httpd_sys_script_exec_t. Changing this file back to the default type, may fix your problem.
How's that for circular logic? Does anyone have an idea what the correct SELinux context for a cgi-bin executable might be?
View 3 Replies
View Related
Nov 10, 2010
Trying to keep selinux enabled. When I start SeLinux Troubleshooter from the menu, which is inautostart as well, It tells me SELinux not enabled, sealert will not run on nonSELinus systems".How do I get SELinux permanently started then
View 10 Replies
View Related
Jan 17, 2011
My newly installed Fedora-14 (64-bit) has SELinux disabled. I can't find any way to enable it. I tried to set it manually in /etc/selinux/config to enforcing or permissive but nothing happens after reboot. In GUI configuration tool it is set to disabled and grayed out so that there is no way to enable it there. Is there another way to enable SELinux?
View 11 Replies
View Related
Apr 30, 2011
I tried to log in to my xguest account and it asked for a password, which it shouldn't, so there's a problem with SELinux.When I type getenforce it says it is disabled, yet when I go to /etc/selinux and look at the config, it is in enforcing mode and not commented out, type is strict.When I go to the SELinux management GUI I can't change the current enforcing mode and it's set to disabled and default to enforcing.
View 2 Replies
View Related
Jan 12, 2011
having trouble understanding selinux. the domain is cluster containing permissions. a type is nothing more than a label applied to something like a file,right? so instead of applying the permission set of foo domain to the /etc/shadow file it would be apply label shadow_t to /etc/shadow and make the shadow_t apart of the foo domain?
View 1 Replies
View Related
Feb 25, 2011
We have installed RHEL 5.4 on our servers and everything is running fine. Now I have gone through various server hardening checklist and most of them suggest to enable SELinux. We have several services running on Linux box. Now my question is, do we have to make any chagnes to the existing configurations if we enable SELinux. Or we just enable SELinux and leave it as it is. Because I have had prior experiences where SElinux will stop many services and restrict access to many libraries when enabled.
View 1 Replies
View Related
Feb 3, 2011
When I turn on my SeLinux to enforcing mode on my Red Hat system ssh stops working and my http server stops responding.
I went into the SeLinux GUI and enabled things in there but still it wont work.
Any thoughts on what to check?
permissive mode and disabled they work
I read several articles that say it should not be affect by SeLinux and the setting look correct but the only thing I do is turn on SeLinux and ssh /httpd stop working
ps -eZ | grep sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 432 ? 00:00:00 sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2426 ? 00:00:00 sshd
[root@goxsa1340 ~]# ps -eZ | grep httpd
user_u:system_r:httpd_t 3044 ? 00:00:00 httpd
[Code].....
View 11 Replies
View Related
May 11, 2009
I am new to Fedora 10, and to SELinux too.
I would like to know how can I prevent from users with role user_r to connect to Internet with firefox.
View 2 Replies
View Related
Jul 8, 2009
I am running Fedora 11 and every time i plug in my iPod it tells me... SELinux is preventing mkdir (podsleuth_t) "read" security_t ... I have no idea on how to create a policy module to allow access.
View 2 Replies
View Related
Mar 29, 2010
I get a SELinux relabel often even without changing stuff. SELinux troubleshoot doesn't show any error nor are there any messages in /log/messages that give any clue. Where should I look to see whats happening ?
2.6.31.12-174.2.22.fc12.x86_64
selinux-policy-3.6.32-103.fc12
View 2 Replies
View Related
Jul 11, 2010
I wonder if SELinux really are necessary for a home desktop ?
It only makes my computer use more problematic than it already is.
What can happend if I uninstall it on my Fedora 13 dist ?
Is the hole Internet going to come in to my computer and destroy it ?
If I uninstall SELinux, is the firewall uninstalled also ?
View 14 Replies
View Related
