Questions tagged [selinux]

NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux operating system.

1 vote
4 answers
164 views

Nginx can't write socket file due to SELinux

When setting up nginx with a socket on my newer environment that runs SELinux I am getting the following error: AVC avc: denied { write } for pid=23704 comm="nginx" name="xxx.sock&...
Wealot
1 vote
0 answers
59 views

How to inspect the rules in a policy module?

I know I can use semodule -l to see what modules I have. However, I want to see the rules contained in a specific module. I read almost all document I can find for semodule, seinfo, sesearch. I cannot ...
Wang
0 votes
0 answers
73 views

SELinux silently blocking PHP process listing

I have a system where we use PHP to run some rudimentary health checks on the server. When hitting a status page, it verifies that certain processes are running, and returns an error message if ...
Jared
1 vote
2 answers
307 views

SELinux blocking nginx -t

I'm setting up Rocky Linux and I've run into this error: sudo nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission ...
Blue Nomad
0 votes
1 answer
103 views

Does SELinux allow the apache user to read /etc/passwd file?

I was experimenting and learning SELinux on Alma Linux 9.2. The intention was to build a flask application that has a file inclusion vulnerability and show how SELinux can prevent the vulnerability to ...
user1720897
0 votes
0 answers
117 views

SELinux on RHEL8 with Gunicorn and nginx has problems with saving file into directory

I have Django application running on RHEL8 via Gunicorn and nginx. All works fine in case of testing with SELinux disabled. When I enable SELinux, there is a problem with saving the picture from ...
Marek
1 vote
0 answers
54 views

Incorrect SELinux labeling of mysql unix socket on Centos7

OS: # rpm -q centos-release centos-release-7-9.2009.1.el7.centos.x86_64 I'm trying to get zabbix-agent to access mysqld (using mysqladmin ping), but the process fails with the following errors(in ...
Samveen
7 votes
2 answers
948 views

How to log executions of specific commands on Linux no matter where it came from?

Dangerous commands like rm , kill and systemctl stop can be hidden outside bash inputs - i.e. - a malicious user can easily hide them inside a python script using os module and just run the python ...
George Y
0 votes
0 answers
90 views

Protecting a Linux against root users

I'm searching for a way to "protect" a Linux operating system against (root) users that can potentially misbehave. My threat model is the one of university students, having access to root ...
user19917937
0 votes
2 answers
171 views

Can mount on /mnt but not on other mount point, why?

This is an RHEL8 VM. I'm trying to mount a logical volume on /var (because I need more space). For now I have created a directory /xvar to mount on, but it doesn't work and doesn't show an error. ...
musbur
0 votes
1 answer
113 views

Remote call of NRPE command fails in one case, while succeeding locally in all

I have an amazingly strange issue with monitoring a CIFS (SMB) shared folder mounted to Linux machines by Nagios + NRPE. The NRPE process runs on the Linux machines under the dedicated user nrpe: # systemctl ...
Cat Mucius
1 vote
0 answers
35 views

Cannot create SPEC file with sepolicy-generate

In EL7 I have been creating custom policy with sepolicy-generate and one of the artefacts created is a SPEC file. When I run the same command on EL8 I don't get the SPEC file. According to the manpage ...
AlanG
0 votes
1 answer
291 views

SELinux policies keeping Tomcat from starting

On a newly built Oracle Linux 8 server I added a drive and file system, then put Apache Tomcat on that file system via the tarball. Now when starting Tomcat via a service file, I get an error ...
Eric W
1 vote
1 answer
118 views

Error while customizing selinux policy for domain

I am following the steps outlined under this link to customize selinux policy for specific domains (types). For the domain systemd_tmpfiles_t, I get the following suggestion from audit2allow for a ...
Vinod
0 votes
0 answers
266 views

How to sudo using SELinux? The example given in the Red Hat security document isn't working for me

Following the instructions at: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-...
DumbNewbie
0 votes
0 answers
421 views

SELinux is preventing /usr/bin/mongod from search access

My question is similar to others, such as SELinux preventing mongod search access. In this case, I installed snapd for a reason entirely unrelated to Mongodb. That was about a week ago (2/5/2023). ...
Scott Anderson
0 votes
0 answers
190 views

SELinux file context precedence, logrotate and httpd

UPDATE: figured out the issue, it's with my fcontext path expression. I have to use semanage fcontext -a -t logrotate_tmp_t "/etc/httpd/logs(./*)?" instead of semanage fcontext -a -t ...
Jimmy Chi Kin Chau
0 votes
0 answers
490 views

Remote side unexpectedly closed network connection RHEL 7.9

I have a situation where a RHEL server becomes inaccessible using AD accounts but lets a local account log in. We are using a PAM tool that serves as our AD broker that enables us to log in with AD ...
doublehunter
3 votes
2 answers
276 views

Dedicated user vs SELinux

What are the advantages and disadvantages of running a process with a dedicated (non-root) user versus with SELinux (where an SE user may be bound to a Linux user)?
Taknok
0 votes
1 answer
120 views

How to set Apache-accessible SELinux policy for EFS mounted user directories?

When I mount my EFS to a user directory, the directory policy becomes system_u:object_r:nfs_t:s0, which is too restrictive - I need it to behave more like a typical user directory, which is ...
HWD
3 votes
1 answer
718 views

SELinux is preventing in:imjournal from unlink accesses on the file imjournal.state

I have a problem on Fedora 36 with rsyslog, SELinux and /var/log/messages components. As you can see: AVC avc: denied { unlink } for pid=XXX comm="in:imjournal" name="imjournal.state&...
bugmeu
0 votes
0 answers
1k views

JBoss as a service failing on OS reboot RHEL8

I am facing some issues while running JBoss as a service on RHEL8 servers. The setup of the service is done in a standard way as per the RHEL guidelines https://access.redhat.com/documentation/en-us/...
Amiy
1 vote
0 answers
2k views

Podman is unable to start container with SELinux (sd-bus call permission error)

Here is the command I am using to start the container: podman run -d --name busybox-top -v ./src:/dest:Z busybox top Error: Error: sd-bus call: Permission denied: OCI permission denied I do not have ...
jnbdz
0 votes
1 answer
161 views

DB2 systemd startup

I have a DB2 systemd startup unit that is being denied by SELinux. Here is the unit: [Unit] Description=IBM DB2 After=network.service [Service] Type=forking EnvironmentFile=/user/home/dvdxadm1/sqllib/...
Kevin Huntly
2 votes
1 answer
1k views

Timedatectl "Failed to parse bus message: Connection timed out" with systemd ExecPreStart while SELinux is enforcing

Using Oracle Linux 8.6 we're having an issue with timedatectl but only when it's run by systemd(239-58.0.1.el8_6.3) during ExecStartPre in a .service definition file and SELinux is set to Enforcing. ...
mitchellJ
2 votes
3 answers
3k views

Postfix master.pid ExecStartPre with exit status 255

When I restart the Postfix daemon on my Rocky Linux server, a restorecon error happens which doesn't prevent the service from starting but is still an error: ● postfix.service - Postfix Mail Transport ...
Carsene
1 vote
1 answer
66 views

Is there such a tool on CentOS/SELinux to monitor incoming HTTP/HTTPS traffic the way Ngrok displays it?

I really love how ngrok displays the incoming connections to a server with the response. Is there such a tool (either to install or native) on CentOS/SELinux that would display some info? I found a ...
Nicolas Zein
0 votes
1 answer
477 views

Cannot boot unless SELinux is disabled

The system fails to boot due to a mount failure. I've traced it back to SELinux since I can hold Shift and edit the GRUB command line to read selinux=0, but interestingly enough if I try permissive mode, ...
zestytestful
1 vote
1 answer
234 views

How to adjust SELinux to allow not so large file downloads in Apache?

I have a CentOS 7 server running Apache 2.4 that will happily allow users to download files until they get to a certain size. I've noticed the problem with mp4 video files; I host both low and full ...
Damian
0 votes
1 answer
1k views

How to set SELinux HTTPD user content RW?

I'm quite new to SELinux, I've a simple question. I know there is httpd_sys_rw_content_t for /var/www/html, and read-only httpd_user_content_t, but if I want to allow some folder to be RW for that ...
Benyamin Limanto
0 votes
1 answer
2k views

Ubuntu 20.04 doesn't boot after setting SELinux enforcing

I'm trying to set SELinux to enforcing on Ubuntu 20.04, and the steps I did are as follows: Install SELinux = sudo apt-get install policycoreutils selinux-utils selinux-basics -y Activate SELinux = ...
kayanon
1 vote
2 answers
1k views

How to allow a user to run only specific binaries

I'm adding user logviewer with /sbin/nologin to my system. My custom service is running e.g. sudo -u logviewer less --follow-name /var/log/messages. But still there are ways to run other commands ...
Iluvatar
1 vote
1 answer
2k views

Unable to change SSH port on AlmaLinux/CentOS 8 with SELinux present

I am trying to change the SSH port on a VPS using AlmaLinux. I followed this guide but have not been able to. This is the output I receive when I try to SSH using both 22 and the new port respectively....
Rashiq
0 votes
1 answer
440 views

CentOS 7 httpd cannot access mounted CIFS directory

On a CentOS 7 server I have a directory mounted with autofs in /mnt/cifs-shares/cone_files. I can read those files without issues. The directory /mnt/cifs-shares/cone_files is owned by apache:apache ...
leonardorame
1 vote
1 answer
2k views

SELinux preventing mongod search access

I noticed I am getting some SELinux errors when running mongod for the UniFi controller program. Namely, I am getting: SELinux is preventing /usr/bin/mongod from search access on the directory /. ...
kwodzicki
1 vote
0 answers
76 views

SELinux: two servers, identical configurations, but different contexts

I've had my fair share of struggles with SELinux, but this is the first time that it's totally stumped me. I have two production CentOS 8 servers with functionally identical configurations hosting a ...
Max Crowe
0 votes
1 answer
685 views

How to set SELinux boolean using custom policy?

I know that SELinux booleans can be set via setsebool like this: setsebool -P virt_qemu_ga_read_nonsecurity_files 1 But I want to set this boolean virt_qemu_ga_read_nonsecurity_files using a custom ...
Oleg Neumyvakin
0 votes
1 answer
915 views

Allow samba share to access mounted remote file store

I have two servers on the same network. One is running Windows Server 2016 and the other CentOS 8. The Windows server is my main file store; it's where all my data is. The CentOS server has the ...
gen_Eric
1 vote
0 answers
3k views

Samba/Winbind domain member authentication issue

In setting up a new Linux Samba fileserver as an AD member I keep running into an issue with authentication. It appears to be triggered by running with SELinux in Enforcing mode after joining AD, but ...
codeskipper
1 vote
1 answer
568 views

On Fedora, how do I configure SELinux to allow a port for a new undefined service type?

I have several things that I'd like to be able to stand up as servers on Fedora. I know I can run at least some of these in podman or docker but I already know how to do that. I also already know how ...
zpangwin
0 votes
1 answer
76 views

Which protections can I use on the server?

I have read about server protection and I know how to work with firewalld protection because it is not demanding. My question is: which of the following protections is best for the server and which of ...
Edgar
0 votes
1 answer
1k views

Why are there SELinux errors in permissive mode?

I have set up CentOS 8 Stream with SELinux set to permissive but I still have a bunch of red lines in the log, e.g.: SELinux is preventing /usr/lib/systemd/systemd from name_connect access on the tcp_socket ...
Boppity Bop
0 votes
1 answer
561 views

VNC server won't start on AlmaLinux/CentOS 8

I could not get TigerVNC to start on my AlmaLinux 8 machine. We have SELinux enabled and our home directories are automounted NFS shares (configured by IPA). I see errors in my /var/log/audit/audit....
rocky
1 vote
1 answer
2k views

Where do I get a full list of SELinux access control types?

I can't find any explanation of how to list all access control types in SELinux, e.g. httpd_log_t, httpd_sys_content_t... I would like to see them all.
Boppity Bop
0 votes
2 answers
287 views

CentOS 8 Stream - what is the security context in file permissions and how can it affect access?

I did install some of my ASP.NET Core apps on Linux before using CentOS 8. This time I used CentOS 8 Stream. I don't know if that contributes to the issue. The facts: I could not make Apache use ...
Boppity Bop
0 votes
1 answer
93 views

SELinux: how to make a child folder rule take precedence over the parent rule

SELinux: how to make a child folder rule take precedence over the parent rule, e.g.: /home/kevinw/www/kp/storage(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0 lost ...
Benyamin Limanto
1 vote
0 answers
526 views

How to set SELinux to allow a CGI script to create a file

I'm writing a CGI for httpd on CentOS 7, which creates and writes files in a directory under home. When I enable SELinux, it causes Internal Server Error. How can I set up SELinux? The command sudo ...
kamae
0 votes
1 answer
239 views

SELinux prevents connection clamd_port_t:tcp_socket

We have an API server (Tomcat) which has a ClamAV configuration to scan any file uploaded to the system. The ClamAV configuration requires the API server to connect to the ClamAV server. SELinux is enabled on ...
MAAN SHARBAJI
0 votes
0 answers
428 views

Tenable su+sudo and SELinux

My not-a-sysadmin boss wants me to explain this but I can't really find an answer. When using Tenable SC to scan a RHEL7 system, the account used to do the scan connects via SSH then uses sudo to ...
user1548815
0 votes
1 answer
531 views

SELinux issue - git status fatal: Out of memory? mmap failed: Permission denied

I have a CentOS 7.9 server running with Apache and Git; however if I do a [root@a]# git status fatal: Out of memory? mmap failed: Permission denied But if I disable SELinux or set it to permissive via the below ...
mahen3d