ms=2 ppid=20592 pid=20593 auid=0 uid=109 gid=65534 euid=109
> suid=109 fsuid=109 egid=65534 sg
> id=65534 fsgid=65534 tty=pts1 ses=1 comm="dpkg" exe="/usr/bin/dpkg"
> subj=root:sysadm_r:apt_t:s0-s0:c0.c1023 key=(null)
> type=SELINUX_ERR msg=audit(1509791421.220:2221
0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1509791421.220:2221):
op=security_bounded_transition seresult=denied
oldcontext=root:sysadm_r:apt_t:s0-s0:c0.c1023
newcontext=root:sysadm_r:dpkg_t:s0-s0:c0.c1023
type=AVC msg=audit(1509791421.220:2221): avc: denied {
nnp_transition } for pid=205
ausearch -m SELINUX_ERR,AVC -ts recent
> > time->Mon May 22 15:03:56 2017
> > type=PROCTITLE msg=audit(1495479836.876:5483):
> > proctitle=2F62696E2F7368002F7661722F772F6367692D62696E2F666F6F2
> > E6
> > 36
> > 769
> > type=PATH msg=audit(14954798
tem=0 name="/var/www/cgi-
bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0
rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0
nametype=NORMAL
type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin"
type=EXECVE msg=audit(1495479836.876:5483): a
On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> On Mon, May 22, 2017 at 11:23 AM, Dominick Grift com> wrote:
> > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > > Hi, running latest
#
>> > ###
>> > # With enforcement enabled ... CGI script fails, all you find is a
>> > # single deny in /var/log/audit/audit.log
>> > #
>> > ###
>> >
>> > # sete
url localhost/cgi-bin/ok.cgi
> > > OK
> > >
> > >
> > > #
> > > ###
> > > # With enforcement enabled ... CGI script fails, all you find is a
> > > # single deny in /var/log/audit/au
On Mon, 2017-05-22 at 20:23 +0200, Dominick Grift wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > related
> > > to Apache httpd that I
#
> > ###
> >
> > # setenforce 1
> > # systemctl restart httpd.service
> >
> > # getenforce
> > Enforcing
> >
> > $ curl localhost/cgi-bin/ok.cgi
> > 500 Server ErrorServer
> > Er
> #
> ###
>
> # setenforce 1
> # systemctl restart httpd.service
>
> # getenforce
> Enforcing
>
> $ curl localhost/cgi-bin/ok.cgi
> 500 Server ErrorServer
> Error
>
> # tail /v
be safe ... no luck ... same problem as before, same
> message in /var/log/audit/audit.log. Also tried changing the value from
> "Yes" to "No" and rebooting, that didn't help.
Yes, that only applies to systemd-importd (which I suppose no one uses at least
not w
.
$ curl localhost/cgi-bin/ok.cgi
500 Server ErrorServer
Error
# tail /var/log/audit/audit.log | grep denied
type=SELINUX_ERR msg=audit(1495473331.188:183):
op=security_bounded_transition seresult=denied
oldcontext=system_u:system_r:httpd_t:s0
newcontext=system_u:system_r:httpd_sys_script_t:s0
Confirmed I do
##
> # With enforcement enabled ... CGI script fails, all you find is a
> # single deny in /var/log/audit/audit.log
>
>
> # setenforce 1
> # systemctl restart httpd.service
>
> # getenforce
> Enforcing
>
> $ curl localhost/cgi-bin/ok.cgi
>
/audit.log
# setenforce 1
# systemctl restart httpd.service
# getenforce
Enforcing
$ curl localhost/cgi-bin/ok.cgi
500 Server ErrorServer
Error
# tail /var/log/audit/audit.log | grep denied
type=SELINUX_ERR msg=audit(1495468154.591:121695):
op=security_bounded_
On Wed, Apr 05, 2017 at 10:54:08AM -0400, Stephen Smalley wrote:
> On Wed, 2017-04-05 at 14:58 +0200, cgzones wrote:
> > Hi list,
> >
> > when running `apt update` I'm getting a bunch of the following
> > security_bounded_transition audits:
> >
> > type=PR
On Wed, 2017-04-05 at 14:58 +0200, cgzones wrote:
> Hi list,
>
> when running `apt update` I'm getting a bunch of the following
> security_bounded_transition audits:
>
> type=PROCTITLE msg=audit(05/04/17 14:47:20.268:219) :
> proctitle=/usr/bin/dpkg --print-foreign-architec
Hi list,
when running `apt update` I'm getting a bunch of the following
security_bounded_transition audits:
type=PROCTITLE msg=audit(05/04/17 14:47:20.268:219) :
proctitle=/usr/bin/dpkg --print-foreign-architectures
type=PATH msg=audit(05/04/17 14:47:20.268:219) : item=1
name=/lib64/ld-linux-x86
> > However the transition fails with audit message
> > "op=security_bounded_transition result=denied oldcontext=old_context
> > newcontext=new_context".
> >
> > Is there any policy rule that could be used to fix this or is this just not
> > suppor
ge-
> From: Dominick Grift [mailto:dac.overr...@gmail.com]
> Sent: 18 December, 2015 12:45
> To: Hannu Savolainen; selinux@tycho.nsa.gov
> Subject: Re: security_bounded_transition fails
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On Fri, Dec 18, 2015 at 1
that it will create a chrooted container and join all threads to a new
SELinux context.
However the transition fails with audit message "op=security_bounded_transition
result=denied oldcontext=old_context newcontext=new_context".
Is there any policy rule that could be used to fix this or is
On 12/18/2015 10:05 AM, Dominick Grift wrote:
On Fri, Dec 18, 2015 at 11:27:13AM +, Hannu Savolainen wrote:
Many thanks,
Adding the allow rules seems to be enough (have to verify that one more time
next week). Fortunately the typebounds rule doesn't seem to be necessary since
it