All Questions (175 questions)
1 vote | 1 answer | 2k views
Unable to change SSH port on Almalinux/CentOS 8 with selinux present
I am trying to change the SSH port on a VPS using Almalinux. I followed this guide but have not been able to.
These are the outputs I receive when I try to SSH using both 22 and the new port respectively....
0 votes | 1 answer | 1k views
Allow samba share to access mounted remote file store
I have two servers on the same network. One running Windows Server 2016 and another running CentOS 8. The Windows server is my main file store, it's where all my data is. The CentOS server has the ...
1 vote | 1 answer | 726 views
On Fedora, how do I configure selinux to allow a port for a new undefined service type?
I have several things that I'd like to be able to stand up as servers on Fedora. I know I can run at least some of these in podman or docker but I already know how to do that. I also already know how ...
0 votes | 1 answer | 110 views
SELINUX : How to make child folder rule precedence higher than parent rule
SELINUX : How to make child folder rule precedence higher than parent rule
eg :
/home/kevinw/www/kp/storage(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
lost ...
0 votes | 1 answer | 741 views
SELinux Issue - git status fatal: Out of memory? mmap failed: Permission denied
I have Centos 7.9 server running with Apache and Git, however if I do a
[root@a]# git status
fatal: Out of memory? mmap failed: Permission denied
But if Disable or Permissive the SE-Linux via below ...
2 votes | 2 answers | 2k views
SELinux - blocks postfix emails sending out from the Web Application
My System environment, is Centos-7.9, Apache2.4, Php-fpm, PHP-7.4
I have postfix setup to send emails from the website, which is working in stand-alone test emails and when I turn the SELinux off.
...
1 vote | 1 answer | 484 views
Permission denied for gitweb.cgi on CentOS
I've set up gitweb on my web server. I have created projects on the server. I can add commits to them and also clone them remotely.
The gitweb "homepage" does display and the static files ...
1 vote | 0 answers | 216 views
selinux - why can't stuff_u with sysadm_r run postsuper?
I am trying to understand how selinux confined users really work, but there are a few behaviours that I still can not understand.
According to redhat
SELinux User Capabilities
stuff_u users should be ...
0 votes | 1 answer | 223 views
Unable to update to Wordpress 5.7.2: Could not copy file
I'm trying to update to the latest (5.7.2) version of Wordpress from a fresh installation on CentOS 7, however I keep getting the error message
Could not copy file.: wp-admin/images/about-color-...
3 votes | 0 answers | 450 views
CentOS Linux 8 freezes when changing SELinux Booleans (setsebool)
Problem
Various CentOS Linux 8 servers freeze/hang when changing SELinux Booleans.
Details and research
We manage hundreds of CentOS Linux servers. Lately we see deviant behavior on some (but not all) ...
2 votes | 1 answer | 989 views
SELinux setting httpd_can_network_relay to on throws error, "could not convert system_u:object_r:systemd_sleep_exec_t:s0 to sid". How is this fixed?
Environment: Digital Ocean Droplet, CentOS 8
The State of httpd_can_network_relay is set to on. However the Default is set to off.
$ sudo semanage boolean -l | grep httpd_can_network_relay
...
1 vote | 1 answer | 23k views
selinux what are the differences between setenforce 0 to permanent selinux
regarding to selinux and according to some Hadoop recommendation selinux must be disabled
about selinux - more info in https://www.ibm.com/support/knowledgecenter/STXKQY_BDA_SHR/bl1bda_selinux.htm
we ...
0 votes | 1 answer | 3k views
Changing SELinux file contexts over NFS
I would like to change SELinux labels on a NFS-mounted shared directory.
Here is my setup (using virtual machines):
I have two machines running CentOS 7. One of them (the server) exports a directory ...
2 votes | 1 answer | 1k views
Permission error when Nagios user runs a bash script, also with sudo
I want to poweroff my NAS and ESXI when there is a power failure. Both of the systems run on an Eaton UPS.
I only run Linux systems and therefore I can not use the Eaton Manager, Windows only.
Since I ...
1 vote | 1 answer | 196 views
Configure CentOS to allow executables to create and write files in dedicated directory
I have a web app that receives, stores, and processes files using AI algorithms implemented in Python. The web app is developed in server-side scripting language, but when invoking the Python programs ...
0 votes | 0 answers | 44 views
Centos OS7 not receiving user context from FreeIPA
Hopefully there is something simple I am missing here.
I have FreeIPA 4.6.6 (can not update at this time), Centos 7 and Centos 6 systems.
SELinux is in permissive mode. Logins on the Centos 6 system ...
0 votes | 1 answer | 383 views
How do I find location of file that 'sealert' is referencing in its output and suggestions?
I've been able to figure this out a little easier in the past just due to the context but this one has me stumped. When I run sealert -a /var/log/audit/audit.log and get the typical output such as...
...
2 votes | 1 answer | 2k views
OpenVPN with PAM with systemd and SELinux
I am trying to set up an OpenVPN (2.4.9) server with PAM login on CentOS 8.2 and I am facing some strange issues.
Specifically, I can successfully authenticate if I start the server with the ExecStart ...
0 votes | 1 answer | 1k views
Httpd and selinux - change root dir
I have a problem with my centos 7 server and httpd. I have already installed http, but I need to change home dir from /var/www/html to /home/pawel/domains. I added vhost:
<VirtualHost *:80>
...
-1 votes | 2 answers | 11k views
How much does httpd_can_network_connect being set to 1 actually open up on SELinux
I am getting the following SELinux denied lines in my log file when I attempt to redirect a user to Paypal to checkout. Would you please help me understand what it means and what exceptions I should ...
0 votes | 2 answers | 651 views
Apache Webserver - Selinux, directory permission
I am trying to set up apache on centos 8. The service is running. When I test with wget, I get 403
$ wget 127.0.0.1:9000 ...
4 votes | 2 answers | 9k views
Why is SELinux blocking my Zabbix agent's sudo calls?
I have some Zabbix checks that require sudo. These are the contents of /etc/sudoers.d/zabbix
zabbix ALL=(ALL) NOPASSWD: /bin/yum history
zabbix ALL=(ALL) NOPASSWD: /bin/needs-restarting
zabbix ...
0 votes | 1 answer | 4k views
Opening ports in SELinux: How to give a daemon permission to listen on predefined port type?
This is a fairly generic SELinux question, but with a specific example. I'm still fairly new to SELinux, so am regularly fighting with it!
I'd like to know if I can set up a daemon (in this case ...
0 votes | 2 answers | 262 views
Setting SElinux Labels for a magento site on Centos 7
I was hoping someone could kindly help myself. I have a Magento site running on a Centos 7.6 server.
Now, the site is not correctly loading and looking in the messages.log I see numerous entries ...
0 votes | 2 answers | 168 views
CSRF warning on centOS where there shouldn't be [closed]
I am working on my own ERP in laravel with a separate Vue.js Front. I was for a while working on a windows server with apache and it was working fine. The setup was a bit tricky in the beginning as I ...
0 votes | 1 answer | 396 views
Apache2 cannot open socket as a service
Platform: CentOS Linux release 7.5.1804
I have a freshly installed apache2 and I need to have it listening on a non-default port to fit the host's firewall policy.
I change the httpd.conf to have
...
0 votes | 0 answers | 220 views
Dhcpd won't start due to selinux
Have searched tirelessly and can't find an answer to this that's not confusing. I have a clean install of centos 6.2 32bit on a machine I use as a router. With selinux enabled dhcpd refuses to start ...
3 votes | 3 answers | 2k views
Selinux 'var_t' base type warning
I am currently 'lost' in the CentOS Selinux forest.
My setup involves setting up a WSGI socket in /var/www/demo/out which nginx uses to communicate with the UWSGI process. Whenever I request the page ...
1 vote | 1 answer | 2k views
nginx reverse proxy for docker swarm - 502 bad gateway
I am running a docker swarm on "swarm.example.com". On the server, there's a container running that can be accessed on "swarm.example.com:3000".
On server "example.com" I'm running an nginx reverse ...
4 votes | 1 answer | 4k views
Where can I find details on selinux Booleans
I'm running an openvpn server and I want to use SELinux. When it's activated I see a few "denied" events in the logs. I've used audit2allow to create a '.te' file. My question is about these lines ...
2 votes | 1 answer | 2k views
redis fails to write the dump in /var/lib/redis in selinux enforce mode
In my sentinel master-slave mode; redis slave fails to write the dumps in /var/lib/redis/ with error:
Failed opening the RDB file dump.rdb (in server root dir /var/lib/redis) for saving: Permission ...
2 votes | 1 answer | 2k views
Ansible sefcontext not making fcontext permanent
Trying to use Ansible on a CentOS 7 server to make a directory and sync files into it. That part is working. The problem is I get a 403 Forbidden error when I try to access them from the browser. I ...
0 votes | 1 answer | 369 views
configure selinux to allow sudoers on nfs share
our system is as follows:
CentOS7
NIS for auth
home folders on nfs share
single sudoers file on NFS share for all machines.
so far, item one and two work fine. but, when I change my sudo.conf file ...
1 vote | 1 answer | 8k views
How to reset selinux to its initial state in centos7?
I am a newcomer to selinux, then I am learning selinux.
So, after a lot of operations in centos7 (I operate the selinux while learning), now I want to restore the selinux state and rule on centos7 to ...
1 vote | 1 answer | 702 views
Chromium and SELinux
I need to run Chromium via Puppeteer in the browser but I am getting a few SElinux alerts. If I create an audit2allow module for the alerts, the alerts disappear but Chromium still does not run. As ...
2 votes | 1 answer | 713 views
Multiple IP addresses with SELinux using the same port
I have a CentOS 7 box with multiple IP address on the same NIC. One IP uses 443 for ssh and I want the other IP to use 443 for the web server. SELinux won't let httpd startup saying:
(13)Permission ...
2 votes | 1 answer | 4k views
SELinux: pam_systemd(sudo:session): Failed to connect to system bus: Permission denied
On one of CentOS 7 servers I cannot perform sudo from nrpe user (Nagios daemon remote monitoring).
Error message:
Dec 31 08:28:10 ip-172-31-36-176 sudo: pam_unix(sudo:session): session opened for ...
2 votes | 2 answers | 1k views
MongoDB won't run if dbPath is symlinked
I have installed MongoDB 4.0.4 from the official repo. I followed these instructions. My OS is CentOS 7 and SELinux is in enforcing mode. If I use a dbPath value which is a symlink to another ...
1 vote | 2 answers | 4k views
Configure SELinux to allow all outbound tcp and udp ports
I have an application that potentially connects to any outbound, remote tcp/udp port. As a result, I want a way to allow all outbound tcp and udp connections.
I understand that you can use a ...
1 vote | 1 answer | 504 views
Why SELinux blocks dhcpd from executing a script from writing a log file?
I would like to have dhcpd execute a script, which for now just tries to create a log file in /var/log/dhcpd/, but SELinux denies it to do so.
Question
Can anyone from the below see what permissions ...
13 votes | 1 answer | 8k views
SELinux reset root password
Disclaimer: This question is not to solve the problem of changing root password while SELinux is active because there are a lot of guides to solve that already. This is more of how SELinux does that ...
-1 votes | 2 answers | 262 views
Need help installing ejabberd on Centos/RHEL7 with SELinux and reverse proxy
I've been trying to get a web client to use EJabberd on the recommended port (5281) through a reverse proxy (HAProxy) on Centos7 with SELinux enabled. I am not familiar with SELinux context rules.
...
1 vote | 3 answers | 2k views
SeLinux stops starting of nginx
Rebooted nginx proxy server (centos7+nginx only, apache on another) I got error:
DOMAIN systemd[1]: Starting Session 439 of user root.
-- Subject: Unit session-439.scope has begun start-up
-- ...
0 votes | 1 answer | 2k views
SELinux: how to allow httpd to delete temp files from MySQL?
Here's the setup: I let MySQL dump tables to /tmp (they just contain numbers, no real data) for PHP to pick up and process. After this, the temp files are no longer needed, so I delete them with PHP (...
1 vote | 1 answer | 580 views
Removing module fails - cannot find port type, but it's there?
I have a SELinux module that, among other things, allows Apache to connect via TCP to a specific port:
cat <<EOF > sgtest.te
module sgtest 1.0.0;
require {
attribute port_type;
type ...
1 vote | 2 answers | 631 views
Set persistent SELinux file types under /run
I set a file to a specific type using semanage fcontext, and using restorecon does properly set the file type. However, upon reboot, the type goes back the default. If I run restorecon again then it ...
4 votes | 5 answers | 27k views
SELinux corrupted? Now unable to boot CentOS 7 with SELinux enabled
We recently experienced a power failure and simultaneous backup generator failure, severe enough to require safely shutting down all servers as their UPSs were draining.
Upon bringing one CentOS 7.4....
3 votes | 1 answer | 984 views
Have SSHD listen to another port on Centos with SELinux running
I have a Centos VM running with SELinux enabled. I wish to have sshd listen to another port --- say, 993. I've modified the sshd_config file to listen to another port, but SELinux is getting in the ...
1 vote | 1 answer | 2k views
TCP source port incremented by 2, always even for curl / wget
When using curl and wget, when source port is not set manually (like with --local-port in curl), the source TCP port is always even, and will increment by 2, instead of 1.
EG: in tcpdump when I make ...
1 vote | 0 answers | 854 views
Something on CentOS is blocking remote MySQL connection
I am running MySQL on CentOS 7, and don't seem to be able to connect MySQL remotely. I have:
bind-address=0.0.0.0
and certainly not #skip-networking but it doesn't matter if I bind to the actual ...