Tried google and searching this forum to no avail. Under Fedora 14, there is an selinux policy which blocks sshd from making outbound connections on port 80 or 443. This can occur when a client box tries to tunnel through the ssh connection for encrypted access to the web.
While I did manage to allow this happen by creating a permissive domain for sshd with this command:
The preferred way would be to allow sshd to make connection on other ports with a similar command that does not seem to work:
Is this the correct way of allowing an outbound port connection for the sshd daemon?
well after spending most of the morning getting help with my internet connection hanging when I dial up we discover that SELinux is causing it so when I set it to passive I can connect so how can I get it to allow me to connect while being set to enforcing?
I am at a loss how to prevent Denial of Service attacks to port 25 and not block legitimate connections from 2 Barracuda 800(s) and block smart phones such as iPhones/Blackberrys/iPhones that use the server smtp.server.com for email. Presently for port 25 RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
The 2 Barracuda 800(s) make port 25 connections all the time, plus users with smart_phones have the incoming server type: IMAP pop.server.com smtp.server.com
Is there a way to keep Denial of Service attacks from happening with iptables rules without causing blocking to the Barracuda(s) that make constant port 25 connections & smart phones that poll? I was thinking if I allowed the Barracuda(s) in these lines -s (barracuda)24.xx.xx.xx -d (emailserver)24.00.xx.xx -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
Where the source would be the Barracuda going to the email server. It would be allowed, then I am left with how to allow other connections like Smart_Phones that connect via Port 25. I am thinking if I put rules in place doing connection counts in a minute it would result in errors connecting to the server and people would start complaining. Plus any limiting may result in blocking real traffic. Then would I need to allow the ISP range in the above example to accept port 25, I am still left with how to drop a flood/denial of service attack.
I'v just installed wicd. I can't get it to sart, I get errors saying that wicd couldn't connect to it's dbus interface and the wicd deamon has shut down. Then there's a report from SELinux saying that it's preventing /usr/bin/python "write" access on /etc/dhcp/manager-settings.conf and that access is denied to wicd. I can get wicd to start if I su to root, but I'd like to not have to do that every time I boot. Is there a fix?
I have several Proxy severs set up at our business. I always do the same basic config, except for my version of Fedora (I always grab the newest).
I put 2 nics in a machine Load Squid, Dansguardian and Firestarter. I use Firestarter to direct the surfing traffic from my LAN out a cable modem that I have for each store. This lessons the bandwidth on the T1.
Easy enough. My problem is Firestarter has always been a little flaky. But as of F11 the gui wont stay up for more than a few minutes at a time. It still functions, but you have to be quick if your going to use it because it will inevitable crash.
So I suppose it's time to start doing this the correct way and using IP Tables. Does anybody have a resource they can point me to that will help me understand how to do this? It looks like this might be as simple as setting it up with the GUI Firewall tool that comes with F12 but I'm still not exactly sure how.
this is the allert i got:Code:Summary:Your system may be seriously compromised! /usr/sbin/NetworkManager tried to loada kernel module.Detailed Description:SELinux has prevented NetworkManager from loading a kernel module. All confinedprograms that need to load kernel modules should have already had policy writtenfor them. If a compromised application tries to modify the kernel this AVC willbe generated. This is a serious issue.Your system may very well be compromised.Allowing Access:Contact your security administrator and report this issue.Additional Information:
I'm attempting to get MapServer running on my Fedora 13 computer. I was able to install with the package manager, and the executable (mapserv) was originally placed in /usr/sbin. But I need it in /var/www/cgi-bin to work on the webserver. So I copied the file to the right location. Unfortunately, it doesn't have the correct SELinux context. Here's the message from the troubleshooter:
SELinux denied access requested by /var/www/cgi-bin/mapserv. /var/www/cgi-bin/mapserv is mislabeled. /var/www/cgi-bin/mapserv default type is httpd_sys_script_exec_t, but its current type is httpd_sys_script_exec_t. Changing this file back to the default type, may fix your problem.
How's that for circular logic? Does anyone have an idea what the correct SELinux context for a cgi-bin executable might be?
Trying to keep selinux enabled. When I start SeLinux Troubleshooter from the menu, which is inautostart as well, It tells me SELinux not enabled, sealert will not run on nonSELinus systems".How do I get SELinux permanently started then
My newly installed Fedora-14 (64-bit) has SELinux disabled. I can't find any way to enable it. I tried to set it manually in /etc/selinux/config to enforcing or permissive but nothing happens after reboot. In GUI configuration tool it is set to disabled and grayed out so that there is no way to enable it there. Is there another way to enable SELinux?
I tried to log in to my xguest account and it asked for a password, which it shouldn't, so there's a problem with SELinux.When I type getenforce it says it is disabled, yet when I go to /etc/selinux and look at the config, it is in enforcing mode and not commented out, type is strict.When I go to the SELinux management GUI I can't change the current enforcing mode and it's set to disabled and default to enforcing.
since I upgraded to F15 I noticed that "su -l" is very slow, it takes about 20sec before it gives the prompt. I traced it down to a problem with "xauth" as su asks for the authorization for the display running "xauth nlist :0" which times out with an error. Actually, the command "xauth nlist :0" by itself gives: xauth: timeout in locking authority file /home/user/.kde/tmp-host.domain/xauth-200-_0
If I put SELinux in permissive mode both command work without problem so I suppose SEL is the problem. I checked the permissions and settings of the file which is "unconfined_u:object_r:config_home_t:s0" but I have no idea if this is the right value, running "restorecon" on the file, directory or the whole /home/user didn't change anything.
I get a SELinux relabel often even without changing stuff. SELinux troubleshoot doesn't show any error nor are there any messages in /log/messages that give any clue. Where should I look to see whats happening ?
I wonder if SELinux really are necessary for a home desktop ? It only makes my computer use more problematic than it already is. What can happend if I uninstall it on my Fedora 13 dist ? Is the hole Internet going to come in to my computer and destroy it ?
If I uninstall SELinux, is the firewall uninstalled also ?
I have recently upgraded from FC12 to FC13, and last week I updated all packages using YUM. The system is running as a VM inside CentOS 5.5 using KVM. SELinux is enforcing, using the targeted policy. Bugzilla is version 3.6.1 and was NOT installed using RPM or YUM.
Bugzilla was working OK on this machine until SELinux was upgraded last week from 3.7.19-28 to 3.7.19-33, and is still broken after testing 3.7.19-37 from the testing repo. With SELinux in enforcing mode, apache returns error 500 when I browse to the main bugzilla page. The apache error log shows this:-
Code: [Mon Jul 19 13:15:08 2010] [error] [client 192.168.40.1] (13)Permission denied: exec of '/var/www/html/bugzilla/index.cgi' failed Nothing, and I mean absolutely nothing, is recorded in /var/log/audit/audit.log, /var/log/messages or /var/log/secure.
I just install Fedora 15 and I see the SELinux Policy Genertation Tool and the SELinux Administration application in the app launcher but I do not see the SELinux Troubleshooter app. I seems to be missing. How do I get it on my system?
I need to change SELinux policy to permissive and then back to enforced for an installation. I understand that I should be able to do that through the SELinux Administration window accessed through System -> Administration ->SELinux Management. But I do not have any real sysadmin tools available in my Fedora 15 Gnome Gui interface. Am I missing something, or should I use some sort of similar command line tool to do this?
I installed Fedora to a desktop with a hardwire ethernet connection to my router. When I ran the live CD it connected fine. When I boot now I have no connection, and when I try to connect I get this "AVC Denial" message and some mumbojumbo about SELinux is preventing nm-dhcp-client to read libdbus-glib blah blah blah. The troubleshooter app is no help to me at all. This is extremely frustrating. A couple of weeks ago I did an install to this same computer and had no problem at all. The only difference is that this time I wiped all of my old distros from the HD, and made separate /, /var, /boot, /tmp, and /usr partitions (in addition to the old /home partition which I kept.) I don't know how that could be causing this problem, but it's the only thing different about this install. Should I just go back to putting everything but /home on one partition?