I'm getting the error described in this bug. The fix is described in the bug:Code:The following additional SELinux permissions were found to resolve the situation:
samba_domtrans_winbind_helper(httpd_t)
allow httpd_t winbind_helper_t:process signal;
apache_append_log(winbind_helper_t)
[code].....
I've got a red hat box joined to a win 2k3 domain and I'm using pam_mkhomedir.so to create user's home directories on first login to the box. extract from /etc/pam.d/sshd Code: session required pam_mkhomedir.so skel=/etc/skel umask=0022 The problem I have is that this only works if I switch SELINUX off (i.e. set enforcing to disabled ). Unfortunately, the error messages are not very helpful. Extract from /var/log/secure below:
[Code]...
I accidently reset the SELINUX context on the /var folder from "var_t" to user data. Now I cant go back and set it to "var_t" and i cant access my website anymore
View 3 Replies View RelatedI am having a bit of an issue with a NFS configuration. Initially I had no issues when both the server and client were both running Ubuntu Karmic. The client is now running Fedora Core 12 and when I mount the share I get "You do not have the permissions necessary to view the contents of Mnt". I came across this troubleshooting guide and it suggests that the issue may be the UIDs are not in sync on the server and client. If this is the issue, which usernames do I need to sync and how would I do that?
View 2 Replies View RelatedYou can find a list of all the booleans for SELinux (Fedora 10) using getsebool -a My question is, is there a reference online that describes each one. Most of obvious but it's one of those "I have to know because it's there situation).
View 5 Replies View RelatedI get the SELinux and wine error. How can this be fixed?
View 1 Replies View RelatedI have accidentally locked myself out in the following manner. I have Fedora 13 with SElinux. The whole hard drive was encrypted at install with Fedora's standard method. Upon logging into a non-root account called "hoss", I set the policy (in gnome) System menu -> Administration -> SElinux administration -> User Mapping -> added the logged on user as a SElinux user with only user_u privileges. After reboot, I successfully log in as hoss, but now I get an error when trying to open the SElinux administration, any open office program, or any task requiring elevation with root password (the prompt never comes up). What is worse is I did not set the ability to login the console as root. This user now does not have write privileges to any of root's documents. I cannot access the hard drive from a remote source because it is encrypted. Is there any way whatsoever to now elevate myself to root to reconfigure SElinux? When I open the SElinux administration Should there not be a prompt that gives me a root password to be able to correct SElinux by removing "hoss" from the list? As of right now this account seems to be totally unable to be elevated to higher privileges. I cannot even use the Add/Remove software feature to apply patches to SElinux without a root password. Elevating to su in bash is also blocked.
View 3 Replies View RelatedI'm using CentOS 5.3, and I want to allow my samba server from selinux. I disabled my selinux and it works fine, but I want to keep my seline firewall on and want to allow other workstation to access my samba server.
View 8 Replies View Relatedi configured sendmail with squirrelmail in RHEL5.3
it is working fine. i can send the mail and receive the mail .
but when i try to send the mail a selinux error is coming[but mail is sending successfully ]. i don't under stand this message.
Quote:
Summary:
SELinux is preventing sendmail (system_mail_t) "read" to eventpoll (httpd_t).
Detailed Description:
SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for eventpoll,
restorecon -v 'eventpoll'
If this does not work, there is currently no automatic way to allow this access.Instead, you can generate a local policy module to allow this access - see FAQ(url) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.Please file a bug report (url) against this package.
Additional Information:
Source Context system_u:system_r:system_mail_t
Target Context system_u:system_r:httpd_t
Target Objects eventpoll [ file ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
code....
Code:
$ ./configure --with-md5-passwords --with-selinux --with-pam
[snip]
Host: i686-pc-linux-gnu
Compiler: gcc
[Code]..
I try to install IPsec-Tools on Slackware 13, but I get an configure error: configure: error: Security Context requested, bu no selinux support! Aborting. I'm linux newbie and I'm following a slackware-basics tutorial, I did as in the tutorial, but the configure stops and aborts:
Code:
# CFLAGS="-O2 -march=i486 -mcpu=i686"
./configure --prefix=/usr
--sysconfdir=/etc
--localstatedir=/var
[Code]...
What can I do? How can I enable/install selinux support? I guess it's related with AH and ESP protocols, which in my kernel are defined as modules (m). If so, how can I enable them?
am trying to Selinux in enforcing mode, but its giving below error.I have Ubuntu server 10.10root@ubuntu:/common# setenforce 1setenforce: SELinux is disabled
View 1 Replies View RelatedI always thought that whenever /usr/sbin/setsebool was used, it would write either a "0" or a "1" into the corresponding boolean file. All SELinux boolean files are in /selinux/booleans but If I check, for example, this boolean ...
[Code]....
i want to know what is use or benefit of using s and t permission?i have used them but could not understand its uses.please explain me with suitable example.Also tell me about umask command to flag on s and t.
View 1 Replies View RelatedI always thought that whenever /usr/sbin/setsebool was used, it would write either a "0" or a "1" into the corresponding boolean file. All SELinux boolean files are in /selinux/booleans but If I check, for example, this boolean ...
$ sudo /usr/sbin/getsebool ftp_home_dir
ftp_home_dir --> on
It returns a positive, but if I do
$ sudo less /selinux/booleans/ftp_home_dir
I get ... read error (Press Return)
Furthermore, if I list the boolean file itself, it shows it to be empty
$ sudo ls -l /selinux/booleans/ftp_home_dir
-rw-r--r-- 1 root root 0 Aug 9 11:09 /selinux/booleans/ftp_home_dir
Where is SELinux storing the booleans then?
This is on CentOS 5.4
I'm able to connect to ftp as a virtual user. It was also difficult as nowhere mentioned, that it should be done with SSL. Anyway I found the answer and got connection. But now I can't connect to ftp server as system user. It gives me "530 Permission denied", or if I delete the user from the file denied_users, - "530 Login incorrect".
1. Still I can't understand, how I can log in to FTP server with a system user.Also some other questions regarding this matter:
2. My httpd server Apache has a virtual hosts located in "/home" directory.The scripts create users in "/var/ftp virtual_users". Will it cause any problem if I will change them to "/home"? All I need to do with this is ability to have several virtual hosts in one server with separate access to each of them via FTP. And 1 account with access to all files in "/home".
3. In my ftp client I can see the owner of virtual host "ftp" instead of username.
Whenever i restart postgres in my server, Selinux is not letting it log anything. In /var/log/messages, it says.
Quote: Jan 28 14:15:43 dataserver kernel: audit(1264709743.263:38): avc: denied { append } for pid=5986 comm="postmaster" name="pgsql.log" dev=sda8 ino=3932166 scontext=root:system_r: postgresql_t tcontext=root: object_r:var_log_t tclass=file
Jan 28 14:15:43 dataserver kernel: audit(1264709743.263:39): avc: denied { append } for pid=5986 comm="postmaster" name="pgsql.log" dev=sda8 ino=3932166 scontext=root:system_r: postgresql_t tcontext=root: object_r:var_log_t tclass=file
I cannot disable SeLinux in this server.
It seem that I can set selinux to permissive but when i reboot it turns back on? Can I unistall it? I am running RED HAY 5 and Centos 4
View 2 Replies View RelatedI don't think it has anything to do with the config file.More to do with SElinux. I need to know how to configure SElinux so I can see my samba share when SELinuxis on. When I setenforce 0 I can seen all the files and folders set it to setenforce 1 cannot see anything.Here is the output when I ran [root@fileserver /]# getsebool -a | grep smballow_smbd_anon_write --> onsmbd_disable_trans --> onThese two options were off I tried turning them on.This is another one of the commands I tried running. I did change a few options but I am not sure which I do need to change. I am running a stand alone server so I don't need the DC option.
[root@fileserver /]# getsebool -a | grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> off
[code]....
I decided that I'd torture myself and try to get a server up and running with SELinux fully enabled. I so far have figured out virtual hosting, vsftpd, and SSH to work with it nicely, but I can't figure out what to do to get AWstats to be viewable through a browser with SELinux enabled. This is what I get from /var/log/messages:
Code:
Mar 19 15:09:34 localhost kernel: type=1400 audit(1237496974.987:69): avc: denied { getattr } for pid=4769 comm="httpd" path="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" dev=sda1 ino=1267968 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_awstats_script_exec_t:s0 tclass=file
Mar 19 15:09:34 localhost kernel: type=1400 audit(1237496974.987:70): avc: denied { getattr } for pid=4769 comm="httpd" path="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" dev=sda1 ino=1267968 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_awstats_script_exec_t:s0 tclass=file
Could someone explain to me what I should be looking for in these messages? Or what I would need to do to fix it?
I'm running a Samba server (3.5.2-60.fc13) on Fedora 13 (64 bit). I want to share the user home directories and want to allow following of symlinks out of the share tree. So in smb.conf I used
unix extensions = no
wide links = yes
For SELinux I did:
setsebool -P samba_enable_home_dirs=1
getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
[code]....
However I can't follow the symlinks when mounting my home directory on a Windows machine, unless I disable SeLinux.
I'm trying to ssh into my Ubuntu box, but the connection is getting denied.
When I look at /var/log/auth.log, I see the following:
Code:
I googled for this, and ran across the following: [url]
Here's the part that I think relates to the problem that I'm having:
Quote:
It's not clear from context which configuration file needs to be edited, and I'm not at all familiar with SELinux configuration.
When I try to login as a user, I get the dreaded "500 OOPS: cannot change directory:". Almost every posting I can find related to this problem was due to SELinux being enabled. My SELinux is operating in permissive mode. So why can't it open the home directory when I log in as the tarheelnk user?
Code:
[root@server1 home]# ls /home/ -l
total 36
-rw------- 1 root apache 7168 2009-09-11 16:24 aquota.group
-rw------- 1 root apache 7168 2009-09-11 16:30 aquota.user
drwx------ 2 root root 16384 2009-09-11 10:07 lost+found
drwsrws--- 4 tarheelnk apache 4096 2009-09-11 14:58 tarheelnk
code....
I am trying to run ucertify under wine, but when I try to run I receive the error: unable to create copy of userdatatemplate.ucp to userdata.ucp. make sure you have enough permission to create file in C:program filesucertifyprepengine to create a new file.
I believe I have provided full access to the ".wine>dosdevices>c" so I don't know if I'm missing something obvious?
Has anybody faced this error and overcome it?
I have three partitions. One for each: Windows, Debian and my files. I wanted a partition available in all systems, so I created FAT32 and mounted it as /data and drive D. In linux I created symlinks in my /home folder to /data/documents/xxx/xxx. I wanted to save my projects on that partition, but in every IDE I tried I get the permission denied error.
Screenshot
What should I do to make /data writable for IDEs? As normal user I have full access to it.
I configure named and stumble upon the following problem: named is serious about user rights, every config file named uses should be named:named. I set rights to named:named as follows, but they get changed to root:named when I restart named as root. The same thing happens with SELinux context. This results in access denied type errors.
View 1 Replies View Relatedthis costed me a whole day of trying and retrying. I set up a small home server with apache, php, and mysql.
System infos:
Linux 2.6.31-22-generic-pae
Ubuntu 9.10 Karmic Server edition
Apache/2.2.12 (Ubuntu)
Until now, it served happily a couple of sites, with no problems. But now, I wanted to set up my ftp server to point to the same directory as one of the sites, for me to be able to upload and manage files via ftp. As a server I normally use proftpd. With my usual config, proftpd runs with its own user and simulates the user ftpuser:ftpgroup when creating files. So I just changed all the files to be owned by this user and group. Permissions set to 770.
Everything works fine, and I'm able to access the data via ftp. BUT, when I try to browse my site the usual way (i.e. point firefox to its address) a 403 forbidden error is issued. Of course, you will say: you didn't allow access to apache. Well, I remembered that right away, and added the user www-data to the ftpgroup user. Now I espect apache to be able to read and serve the files.
Still same problem. 403. The apache error log is full with "permission denied" errors. After many attempts, I logged in as the user www-data, and tested access to the files. This way I'm able to cd into the directory, and read-write the files with nano. As a test, I tryed the other way around. Setting www-data:www-data as the owner of the files, and adding the ftpuser to the www-data group. This way apache works, but proftpd does not. Most probably it has something to do with a misunderstanding of groups permissions or the way this two deamons access the files.
My Torrents will not start due to a "Permissions denied" error.The folders with the files being download have it set 777, so I'm thinking it's something else.When I look at the auth log, It does appear that it is that folder causing the issue.I can keep guessing the cause of permissions, but I do not know how to trace the problem.
View 1 Replies View RelatedI have installed PostgreSQL 9.0 in Ubuntu 11.04.The following is a bit long-winded and cross-relates to PostgreSQL,I ran the PostgreSQL installation thus:
Code:
sudo su
./postgresql-9.0.4-1-linux.bin[code]....
The problem, obviously, is the "Permission denied" error. What/where am I going wrong? From my directory listing I can see that the permissions for gjd_sentinel_data are drwxrwxrwx with owner/group of postgres. On that basis I can't see why there is the problem.I am wondering if it has something to do with the psql process running as, or owned by, user postgres? Or that I am running as the wrong user? Or something else beyond my experience?
---
Ubuntu 11.04 with GNOME2 classic desktop
Single user.
Dual boot with Windows XP Home
I installed Sun's virtual box 3.1 under Ubuntu 9.04. It worked flawlessly. I upgraded to to 9.10 and know I get a kernel error. rc=-1908 Now I cannot get Windows to load.
View 2 Replies View Related