Not keen on blindly fixing
things so I want to know what I need to do and why before I do it.
Thanks in anticipation,
Robert Sharp
omething I should have. I cannot provide more details
about what was happening at the time, other than in the audit snippets
above - it was the middle of a lengthy update process.
Thanks,
Robert Sharp
On 23/11/16 14:37, Jason Zaman wrote:
Are you on ~arch or stable? did you just upgrade to the 2.6 userland?
What versions do you have installed of these:
sys-libs/libsepol
sys-libs/libselinux
sys-libs/libsemanage
sys-apps/checkpolicy
sys-apps/policycoreutils
dev-python/sepolgen
app-admin/setools
On 23/11/16 15:58, Jason Zaman wrote:
Either is fine, but im probably just gonna stabilize the 2.6 userspace
in a couple weeks so that one is likely easier. and setools4 is waaay
better than 3. The important point is that you dont want to have both
policy.29 and policy.30 around. Then you get we
On 23/11/16 16:59, Robert Sharp wrote:
On 23/11/16 15:58, Jason Zaman wrote:
Either is fine, but im probably just gonna stabilize the 2.6 userspace
in a couple weeks so that one is likely easier. and setools4 is waaay
better than 3. The important point is that you dont want to have both
policy
On 23/11/16 17:30, Jason Zaman wrote:
On Wed, Nov 23, 2016 at 05:20:59PM +, Robert Sharp wrote:
On 23/11/16 16:59, Robert Sharp wrote:
On 23/11/16 15:58, Jason Zaman wrote:
Either is fine, but im probably just gonna stabilize the 2.6 userspace
in a couple weeks so that one is likely
On 24/11/16 17:07, Jason Zaman wrote:
That warning is harmless, i'll remove the line from the policy later.
for now ignore it or manually remove the line to silence the warning.
http://blog.perfinion.com/2016/10/selinux-userspace-26-released/
Sorry Jason, but I am not making much progress. I ha
route to go.
Does anyone have any views about the best way to proceed or whether to
do this at all?
Thanks
Robert Sharp
On 25/11/16 11:51, Jason Zaman wrote:
Ideally, rkhunter should just have a policy.
It would need something like: cron_system_entry(rkhunter_t, rkhunter_exec_t)
If you wanted to write one, basing it off the aide policy would probably
help.
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree
right domain?
Mongo has a policy but the only interface is admin. All I need to do
locally is connect to the port. Can I use "portcon" in a policy to do
this or do I need to do something else?
Thanks,
Robert Sharp
On 01/12/16 15:31, Jason Zaman wrote:
On Thu, Dec 01, 2016 at 10:24:21AM +, Robert Sharp wrote:
Hi,
I've looked at the Gentoo SELinux web pages etc, the SELinux Handbook
and through the Reference Policy and I cannot find the answer to a
simple question.
I am writing a small policy f
On 03/12/16 10:16, Sven Vermeulen wrote:
On Fri, Dec 02, 2016 at 12:05:50PM +, Robert Sharp wrote:
Mongo uses tcp on port 27017 and there is nothing defined for this in
the core policy. There is a mongodb policy in contrib but it uses
corenet_all_recvfrom_unlabeled
ix_postdrop_t and
allow it to access ddclient_t etc, but that would violate the rules, so
either the postdrop interface is wrong or perhaps I should be doing this
without a domain transition. That is how I started out and I had a whole
lot more AVCs that are fixed by the transition, so I am tending towards
the postdrop interface being not quite right?
Any views would be very much appreciated.
Best wishes,
Robert Sharp
just
raised here?
Robert Sharp
On 10/12/16 06:19, Jason Zaman wrote:
On 9 Dec 2016 16:29, "Robert Sharp" <mailto:seli...@sharp.homelinux.org>> wrote:
Just updated all my SELinux policies to 20161023-r1 as they are
now stable, which undid one little fix, so I thought I would
mention it.
On 12/12/16 20:03, Sven Vermeulen wrote:
It's been a while that I did some Postfix work, which might be necessary to
debug this properly. The socket is owned by ddclient, is it possible that
"postdrop -r" input and/or output is redirected to a ddclient socket? From a
quick Google ddclient is show
, and looking at the existing permissions:
> allow portage_sandbox_t portage_tmpfs_t:dir { search read lock
getattr write ioctl remove_name open add_name };
suggests that it does not have the necessary permissions (e.g. create)?
Thanks
Robert Sharp
On 14/12/16 10:44, Robert Sharp wrote:
On 12/12/16 20:03, Sven Vermeulen wrote:
It's been a while that I did some Postfix work, which might be necessary to
debug this properly. The socket is owned by ddclient, is it possible that
"postdrop -r" input and/or output is redirecte
cannot figure this out I suspect I will be ditching
pam_selinux and reverting to explicitly issuing newrole. I guess with
strict on I will quickly be reminded that I have forgotten to change
roles anyway.
Thanks in advance,
Robert Sharp
ms that this behaviour started
on 11th Jan, when I updated sec-policy/selinux-base-policy to
2.20161023-r3. So either something got reset that I need to change, I
haven't restarted something or there is some sort of error in the cron
policy that is causing this?
Any ideas?
Thanks - Robert Sharp
On 31/01/17 03:48, Jason Zaman wrote:
As a workaround, you can
echo "system_u:system_u:s0-s0:c0.c1023" >> /etc/selinux/mcs/seusers
you cant use semanage to add it since system_u isnt a valid user, and
you'll have to re-add that after loading modules since the file is
re-generated.
after adding th
patch -p1 failed with
/usr/portage/app-admin/setools/files/setools-4.0.1-remove-gui.patch
Quick google suggests the patch does not match the source file? Perhaps
most people have the X flag enabled and have not met this yet? I can
provide full details if this is not as simple as I think.
Thanks
Robert Sharp
On 05/02/17 05:19, Jason Zaman wrote:
On Fri, Feb 03, 2017 at 02:54:28PM +, Robert Sharp wrote:
Hi,
just emerged the new setools-4.1.0 and it falls over. I do not have X on
this machine and it seems to fail when patching to remove the gui? Here
are the details.
I fixed it yesterday, re
rence?
Thanks in advance,
Robert Sharp
On 16/04/17 14:31, Jason Zaman wrote:
On Thu, Apr 13, 2017 at 12:02:24PM +0100, Robert Sharp wrote:
Is there a difference between policies that appear to be in core but
also have their own ebuilds? For example: selinux-ddclient versus
policy/modules/contrib/dnsmasq.* and selinux-ddclient versus
am not sure everyone else on the LAN will be too keen.
Any thoughts welcome
Robert Sharp
I have been enforcingon my SELinux box for a while without incident,
until yesterday. Ddclient started spamming me with emails about SSL
connect failures. I checked the audit log for AVCs and found the one
below. The context for /etc/ssl/certs/ca-certificates is cert_t and it
looks like the int
On 17/06/17 11:47, Sven Vermeulen wrote:
I generally try to make sure that it is the right domain before adding the
privilege. In the denial, the command that is being denied access is
"ca-certificates". Is that a script from ddclient, or does ddclient trigger
an (external) script and should we p
On 18/06/17 17:29, Sven Vermeulen wrote:
It's okay to use it. Manipulating the directory seems to be something I
would want to verify with the application itself first. If it is a Perl
script, then it might be easy to find out why.
Looking at the error messages and the script itself the problem
provide more info later if it would be helpful?
Robert Sharp
On 16/08/17 11:09, Francisco Blas Izquierdo Riera (klondike) wrote:
El 16/08/17 a las 09:40, Marek Szuba escribió:
Two tiny bits of formal nitpicking from my side:
- it's "grsecurity" (not a typo, they do use a lowercase g except when
the name appears at the beginning of a sentence), not "grse
es:
MISSING="berkdb gdbm tcpd ptpax session dri urandom"
Is this a deliberate change or are they actually missing?
Thanks,
Robert Sharp
On 15/12/17 14:49, Michael Orlitzky wrote:
On 12/15/2017 06:09 AM, Robert Sharp wrote:
MISSING="berkdb gdbm tcpd ptpax session dri urandom"
Is this a deliberate change or are they actually missing?
These are all intentional, but perhaps with an unintended side effect.
The def
reverse out of.
Does anyone know of a good, post GRSecurity guide to reasonable security
for the kernel? In the absence of anything else I will have to go back
to the KSPP list and start removing stuff until I can get a stable kernel.
Thanks in advance,
Robert Sharp
3...@gmail.com>> wrote:
On Wed, Mar 28, 2018 at 12:40 PM, Alex Efros <mailto:power...@powerman.name>> wrote:
Hi!
On Wed, Mar 28, 2018 at 06:06:00PM +0100, Robert Sharp wrote:
Does anyone know of a good, post GRSecurity guide to reasonable
security
for the kernel? In the absence of
On 30/03/18 17:55, R0b0t1 wrote:
Is there any way for you to try again while presenting yourself as a
business? In some jurisdictions saying you are a business is all it
takes to start a sole proprietorship. Otherwise, just pretend you are
affiliated with a (legally fictional) business.
Its mor
36 matches
Mail list logo