Questions tagged [selinux]

NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control architecture in the Linux operating system.

The SELinux architecture provides general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-Based Access Control, and Multi-Level Security. Background information and technical documentation about SELinux can be found at http://www.nsa.gov/selinux.

681 questions
5 votes, 2 answers

Vsftpd passive reply with 0,0,0,0 address even with correct pasv_address

I have the following config in vsftpd listen_ipv6=YES allow_writeable_chroot=YES seccomp_sandbox=NO pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES pasv_enable=YES pasv_min_port=1024 pasv_max_port=1048 pasv_address=
Vic85 · 83 · 1 · 3
5 votes, 1 answer

Unable to start Redis under SELinux

I'm having a rather persistent issue with my Redis instance. While SELinux is in enforcing mode, the Redis server is unable to start: [root@server ~]# service redis start Starting redis-server: [ OK ] But in fact, it…
Jovan Perovic · 143 · 2 · 3 · 14
5 votes, 0 answers

What SELinux type should I apply on my Unix socket?

I have a Gunicorn socket file: /opt/rtd/gunicorn/run.sock. I need nginx to be able to open this socket and write to it. When I run sesearch --allow -s httpd_t | grep unix_stream_socket I notice that httpd_t is allowed to connect to sockets of type…
Christoffer Reijer · 417 · 1 · 4 · 16
5 votes, 1 answer

Unable to enable custom SELinux rule

logrotate is unable to rotate a log file for our application on CentOS 7. This appears to be because of this AVC error: type=AVC msg=audit(1441112694.305:19502): avc: denied { write } for pid=9146 comm="logrotate" name="autuitive.log" dev="xvda1"…
Soviero · 4,366 · 8 · 36 · 60
5 votes, 3 answers

How to disable SELINUX for systemd script?

I have a systemd script in CentOS 7 which doesn't run properly unless I disable SELINUX. Is it possible to somehow have SELINUX enabled on the system but disable it only for this systemd script? The systemd script: [Unit] Description=Tractor Blade…
fredrik · 731 · 15 · 20
5 votes, 1 answer

SE Linux - can't change SELinux booleans with sudo

I think this is the correct place to put this, rather than in StackOverflow. Either way, we have a CentOS 6.6 server. SELinux isn't allowing us to enable httpd_can_sendmail. I've tried this: sudo setsebool -P httpd_can_sendmail on I then get…
adprocas · 153 · 1 · 6
5 votes, 1 answer

Unable to re-enable SELinux

Up until now we have disabled SELinux as our Standard Operating Procedure -- before you tell me off, I know. That's why we're enabling it now we've got time to. Our normal procedure was to: Set SELINUX=disabled in /etc/selinux/config Add selinux=0…
fukawi2 · 5,396 · 3 · 32 · 51
5 votes, 1 answer

SELinux for RHEL not persistent after reboot

So in the Red Hat exam they want you to use SELinux. If for example you install vsftp, then do setsebool -P ftp_home_dir=1 or setsebool -P ftp_home_dir on to allow the users on the server to access the home directories. Then do a reboot. I notice the…
user3571487 · 53 · 1 · 4
5 votes, 6 answers

Linux distributions without SELinux

Are there Linux distros without the SELinux portion in the kernel? Sorry if that's a dumb question ;), but my distro (Debian) has it and I see that it's in the kernel on kernel.org, so I was wondering if it's so popular that every distro has it or some delete…
Phil · 1,969 · 6 · 29 · 33
5 votes, 2 answers

RHEL SELinux blocking Apache access to PostgreSQL

I'm running a Django app that uses PostgreSQL. The server is running RHEL 6.5 with SELinux. I'm having an issue where the Django app can't connect to the DB, and I think it's because SELinux is blocking it. Here's the error I'm seeing in…
Geoff · 171 · 1 · 8
5 votes, 2 answers

sftp gives permission denied only when chrooted?

I have configured sshd_conf on my CentOS box as below: Match group pilots ChrootDirectory /home/pilots ForceCommand internal-sftp X11Forwarding no AllowTcpForwarding no and the directory /home/pilots like this: # ls -al /home/pilots total…
ibrewster · 387 · 1 · 4 · 16
5 votes, 3 answers

How to configure SELinux to allow specific services to communicate with Avahi?

I have a service, running on a Fedora 20 machine, that when started attempts to register services with Avahi. This works perfectly if my service is started while SELinux is in permissive mode, but the service will not register when SELinux is…
Louis Daprato · 53 · 1 · 1 · 4
5 votes, 2 answers

SELinux: denied { execute } for pid=2174 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3"

I have a problem with SELinux. setroubleshoot suggested enabling mypol.pp with semodule -i mypol.pp so Apache could run. After I ran the suggested command, I keep getting: type=AVC msg=audit(1388119964.806:11): avc: denied { execute } for …
Orlo · 231 · 1 · 3 · 11
5 votes, 1 answer

SELinux: How to add a new security context?

I'm new to SELinux and am trying to add a new security context (label) to test denial. To do this, I try changing a file to a new context: chcon -t new_t test But it fails with "Invalid argument". How do I add the new type "new_t"?
lairtech · 417 · 7 · 13
5 votes, 2 answers

selinux disabled, but still enforcing?

I have some systems where, for various reasons, we want to completely disable selinux. To date, this has worked like a champ, with always using selinux=0 in the kickstarts and ensuring that /etc/sysconfig/selinux contains: SELINUX=disabled But as…
wortmanb · 183 · 3 · 9