selinux | upstream repository for the Security Enhanced Linux | Continuous Deployment library
kandi X-RAY | selinux Summary
[Build Status] Please submit all bug reports and patches to . Subscribe by sending "subscribe selinux" in the body of an email to . Archive of this mailing list is available on
Community Discussions
Trending Discussions on selinux
QUESTION
I'm writing a program that uses gsed to extract multibyte characters from a csv file.
It works well with a csv file encoded in UTF-8, but it doesn't work with a csv file encoded in SHIFT_JIS.
...ANSWER
Answered 2021-Jun-12 at 08:50
GNU sed is locale aware. If you want to work with raw bytes (i.e. you can check what bytes represent " in Shift_JIS and feed that to sed) use:
QUESTION
I want the /dev/i2c-1 device to be outside the SELinux security policy on Android 10.
I have the source code for Android 10. I tried creating a .te file in /device/thales/mt8768q/sepolicy/edgelab.te
In foo.te, I added a similar example to the site: https://source.android.com/security/selinux/customize.
...ANSWER
Answered 2021-Jun-04 at 02:04
You should define your domain and label.
Define your dev_type (device/"manufacturer"/"device-name"/sepolicy/"your-filename".te):
type i2c-1_device, dev_type;
Label file with your type (device/"manufacturer"/"device-name"/sepolicy/file_contexts):
/dev/i2c-1/* u:object_r:i2c-1_device:s0
Define your rule (device/"manufacturer"/"device-name"/"your-filename".te):
allow domain i2c-1_device:chr_file rw_file_perms;
You'd better define your domain and restrict access so that only your domain can access i2c-1_device. The example defines a dhcp domain; it's a good example.
QUESTION
I'm trying to deploy the ELK stack to my developing kubernetes cluster. It seems that I do everything as described in the tutorials, however, the pods keep failing with Java errors (see below). I will describe the whole process from installing the cluster until the error happens.
Step 1: Installing the cluster
...ANSWER
Answered 2021-May-26 at 05:06
For the ELK stack to work you need all three PersistentVolumeClaims to be bound, as I recall. Instead of creating one 30 GB PV, create 3 of the same size with the claims and then re-install. Other nodes have unmet dependencies.
Also please do not handle the volumes by hand. There are guidelines to deploy dynamic volumes. Use OpenEBS for example. That way you won't need to worry about the PVCs. After giving the PVs, if anything happens write again with your cluster installation process.
I was wrong obviously, in this particular problem, filesystems and cgroups take role and the main problem of this is an old problem. From 5.2.1 to 8.0.0. Reinstall the chart by pulling the chart. Edit values file and definitely change the container version. It should be fine or create another error log stack.
QUESTION
I have an issue in a yocto based embedded linux system. I have tracked it down to an interaction between dbus and SELinux, and using dbus-monitor I can see the following error:
...ANSWER
Answered 2021-May-27 at 10:16
Further research shows that dbus itself is an SELinux aware application. It is checking the SELinux configuration, and taking enforcement actions within dbus itself. This accounts for why the denials from dbus do not appear in the audit log, even when silent denials are turned off.
My particular issue was solved by adding some allow rules for 'send_msg' as follows:
QUESTION
I am trying to open the /dev/diag using JNI as open("/dev/diag", O_RDWR | O_LARGEFILE | O_NONBLOCK); but returning errno: 13 Permission denied.
What should be done to make this work?
When checking the ownership of the /dev/diag using the command ls -l /dev/diag it returns crw-rw-rw- system qcom_diag 244, 0 2015-01-14 01:47 diag and when trying to use the command id I get uid=0(root) gid=0(root) groups=0(root) context=u:r:init:s0
So I thought the problem is related to ownership?
Update: Based on @HamidShatu answer
I tried to set the SELinux to permissive with no luck.
I tried the command su 0 setenforce 0; it returns OK while still being Enforcing if checking immediately using the getenforce command.
I even tried to change the prop.build: this file did not exist, instead a prop.build.bak did, so I copied it, modified the SELinux to 0 instead of 1 and pushed it without the .bak extension. I even checked with external applications that modify the prop.build where the SELinux is set to 0, but when checking with the getenforce command it is still returning Enforcing.
Here is the extract of the dmesg:
here is the extract of the dmesg:
...ANSWER
Answered 2021-May-17 at 14:48
To understand/analyze your issue, maybe we can first look into what you have posted here.
I am trying to open the /dev/diag using JNI as open("/dev/diag", O_RDWR | O_LARGEFILE | O_NONBLOCK); but returning errno: 13 Permission denied.
From my experience, errno: 13 Permission denied suggests that your code is doing some SELinux violations.
When checking the ownership of the /dev/diag using the command ls -l /dev/diag it returns crw-rw-rw- system qcom_diag 244, 0 2015-01-14 01:47 diag and when trying to use the command id, I get uid=0(root) gid=0(root) groups=0(root) context=u:r:init:s0
This portion clearly suggests that /dev/diag directory belongs to Qualcomm. According to Android Treble re-architecture, there are 3 main partitions belonging to:
- Android system (Google/AOSP)
- Vendor (Chip maker) &
- OEM (Device maker)
So, according to your analysis, /dev/diag belongs to Vendor partition.
So I thought the problem is related to ownership?
The answer to this question is pretty much: Yes.
What should be done to make this work?
You need to add SELinux permission to make this work.
As the crw-rw-rw- system qcom_diag 244, 0 2015-01-14 01:47 diag line suggests, you need to add a SELinux permission to access qcom_diag from system for diag.
One thing here is that any kind of diag permission is given only in Debug build, not in User build. Because giving SELinux permission for diag in User build will raise a security concern. It can leak vital information by printing them in logs.
QUESTION
I need to stop SE Linux from enforcing, from the earliest possible time in the Android boot sequence.
I had read that a kernel parameter of "selinux=0" would stop this. It doesn't:
...ANSWER
Answered 2021-Feb-01 at 11:59
The solution is to use androidboot.selinux=permissive instead of selinux=0.
I've read that androidboot.selinux=disabled will work too.
QUESTION
My goal is to receive command "semanage login -l" message in array and display the results in the browser. I have created a line inside a class Ausearch where it has a function processSudoInput() with contents:
...ANSWER
Answered 2021-May-15 at 13:35
On CentOS8 distro and other distros which use httpd process there is no such system subject (user) www-data nor httpd. When executing sudo commands in the "PHPStorm" there is user A and he has all the needed permissions to execute those commands, although when it comes to executing sudo commands and displaying them on the web, the user B is responsible for it and that user B is Apache, therefore if it is needed to run that command, it is highly suggestible to create shell script which executes that specific sudo command aka encapsulating that command. Inside the visudo there has to be a line:
QUESTION
[root@asok-4-openstack yum.repos.d]# yum install docker-ce-20.10.2*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: la.mirrors.clouvider.net
* extras: mirrors.ocf.berkeley.edu
* updates: sjc.edge.kernel.org
Resolving Dependencies
--> Running transaction check
---> Package docker-ce.x86_64 3:20.10.2-3.el7 will be installed
--> Processing Dependency: container-selinux >= 2:2.74 for package: 3:docker-ce-20.10.2-3.el7.x86_64
--> Processing Dependency: containerd.io >= 1.4.1 for package: 3:docker-ce-20.10.2-3.el7.x86_64
--> Processing Dependency: docker-ce-cli for package: 3:docker-ce-20.10.2-3.el7.x86_64
--> Processing Dependency: docker-ce-rootless-extras for package: 3:docker-ce-20.10.2-3.el7.x86_64
--> Running transaction check
---> Package container-selinux.noarch 2:2.119.2-1.911c772.el7_8 will be installed
---> Package containerd.io.x86_64 0:1.4.4-3.1.el7 will be installed
---> Package docker-ce-cli.x86_64 1:20.10.6-3.el7 will be installed
--> Processing Dependency: docker-scan-plugin(x86-64) for package: 1:docker-ce-cli-20.10.6-3.el7.x86_64
---> Package docker-ce-rootless-extras.x86_64 0:20.10.6-3.el7 will be installed
--> Processing Dependency: fuse-overlayfs >= 0.7 for package: docker-ce-rootless-extras-20.10.6-3.el7.x86_64
--> Processing Dependency: slirp4netns >= 0.4 for package: docker-ce-rootless-extras-20.10.6-3.el7.x86_64
--> Running transaction check
---> Package docker-scan-plugin.x86_64 0:0.7.0-3.el7 will be installed
---> Package fuse-overlayfs.x86_64 0:0.7.2-6.el7_8 will be installed
--> Processing Dependency: libfuse3.so.3(FUSE_3.2)(64bit) for package: fuse-overlayfs-0.7.2-6.el7_8.x86_64
--> Processing Dependency: libfuse3.so.3(FUSE_3.0)(64bit) for package: fuse-overlayfs-0.7.2-6.el7_8.x86_64
--> Processing Dependency: libfuse3.so.3()(64bit) for package: fuse-overlayfs-0.7.2-6.el7_8.x86_64
---> Package slirp4netns.x86_64 0:0.4.3-4.el7_8 will be installed
--> Running transaction check
---> Package fuse3-libs.x86_64 0:3.6.1-4.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================
Package Arch Version Repository Size
======================================================================================
Installing:
docker-ce x86_64 3:20.10.2-3.el7 docker-ce-stable 27 M
Installing for dependencies:
container-selinux noarch 2:2.119.2-1.911c772.el7_8 extras 40 k
containerd.io x86_64 1.4.4-3.1.el7 docker-ce-stable 33 M
docker-ce-cli x86_64 1:20.10.6-3.el7 docker-ce-stable 33 M
docker-ce-rootless-extras x86_64 20.10.6-3.el7 docker-ce-stable 9.2 M
docker-scan-plugin x86_64 0.7.0-3.el7 docker-ce-stable 4.2 M
fuse-overlayfs x86_64 0.7.2-6.el7_8 extras 54 k
fuse3-libs x86_64 3.6.1-4.el7 extras 82 k
slirp4netns x86_64 0.4.3-4.el7_8 extras 81 k
Transaction Summary
======================================================================================
Install 1 Package (+8 Dependent packages)
Total download size: 107 M
Installed size: 438 M
Is this ok [y/d/N]: y
Downloading packages:
(1/9): container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm | 40 kB 00:00:00
warning: /var/cache/yum/x86_64/7/docker-ce-stable/packages/docker-ce-20.10.2-3.el7.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 621e9f35: NOKEY
Public key for docker-ce-20.10.2-3.el7.x86_64.rpm is not installed
(2/9): docker-ce-20.10.2-3.el7.x86_64.rpm | 27 MB 00:00:00
(3/9): containerd.io-1.4.4-3.1.el7.x86_64.rpm | 33 MB 00:00:00
(4/9): docker-ce-cli-20.10.6-3.el7.x86_64.rpm | 33 MB 00:00:00
(5/9): docker-scan-plugin-0.7.0-3.el7.x86_64.rpm | 4.2 MB 00:00:00
(6/9): docker-ce-rootless-extras-20.10.6-3.el7.x86_64.rpm | 9.2 MB 00:00:00
(7/9): fuse-overlayfs-0.7.2-6.el7_8.x86_64.rpm | 54 kB 00:00:00
(8/9): slirp4netns-0.4.3-4.el7_8.x86_64.rpm | 81 kB 00:00:00
(9/9): fuse3-libs-3.6.1-4.el7.x86_64.rpm | 82 kB 00:00:00
--------------------------------------------------------------------------------------
Total 49 MB/s | 107 MB 00:02
Retrieving key from https://download.docker.com/linux/centos/gpg
Importing GPG key 0x621E9F35:
Userid : "Docker Release (CE rpm) "
Fingerprint: 060a 61c5 1b55 8a7f 742b 77aa c52f eb6b 621e 9f35
From : https://download.docker.com/linux/centos/gpg
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch 1/9
Installing : containerd.io-1.4.4-3.1.el7.x86_64 2/9
Installing : 1:docker-ce-cli-20.10.6-3.el7.x86_64 3/9
Installing : docker-scan-plugin-0.7.0-3.el7.x86_64 4/9
Installing : slirp4netns-0.4.3-4.el7_8.x86_64 5/9
Installing : fuse3-libs-3.6.1-4.el7.x86_64 6/9
Installing : fuse-overlayfs-0.7.2-6.el7_8.x86_64 7/9
Installing : 3:docker-ce-20.10.2-3.el7.x86_64 8/9
Installing : docker-ce-rootless-extras-20.10.6-3.el7.x86_64 9/9
Verifying : fuse3-libs-3.6.1-4.el7.x86_64 1/9
Verifying : 3:docker-ce-20.10.2-3.el7.x86_64 2/9
Verifying : docker-ce-rootless-extras-20.10.6-3.el7.x86_64 3/9
Verifying : fuse-overlayfs-0.7.2-6.el7_8.x86_64 4/9
Verifying : docker-scan-plugin-0.7.0-3.el7.x86_64 5/9
Verifying : slirp4netns-0.4.3-4.el7_8.x86_64 6/9
Verifying : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch 7/9
Verifying : 1:docker-ce-cli-20.10.6-3.el7.x86_64 8/9
Verifying : containerd.io-1.4.4-3.1.el7.x86_64 9/9
Installed:
docker-ce.x86_64 3:20.10.2-3.el7
Dependency Installed:
container-selinux.noarch 2:2.119.2-1.911c772.el7_8
containerd.io.x86_64 0:1.4.4-3.1.el7
docker-ce-cli.x86_64 1:20.10.6-3.el7
docker-ce-rootless-extras.x86_64 0:20.10.6-3.el7
docker-scan-plugin.x86_64 0:0.7.0-3.el7
fuse-overlayfs.x86_64 0:0.7.2-6.el7_8
fuse3-libs.x86_64 0:3.6.1-4.el7
slirp4netns.x86_64 0:0.4.3-4.el7_8
Complete!
[root@asok-4-openstack yum.repos.d]# docker --version
Docker version 20.10.6, build 370c289
[root@asok-4-openstack yum.repos.d]#
...ANSWER
Answered 2021-May-13 at 19:56
You did install docker-ce 20.10.2. The docker-ce-CLI is what is at 20.10.6.
QUESTION
This is similar to Starting synergy automatically on RHEL/CentOS However this doesn't seem to be working anymore.
What I basically want to do is execute a program when the greeter is shown. This has been working before by adding it to the /etc/gdm/Init/Default script. However right now the script doesn't seem to be called anymore (tested with a 'logger' call).
SElinux is in permissive mode. The script is executable. synergyc is specified with the full path.
...ANSWER
Answered 2021-May-05 at 12:36
The below resolves the issue. So to make synergyc always running at the GDM greeter use the PostSession script below and put the /usr/share/gdm/greeter/autostart/synergyc.desktop file into place:
QUESTION
I'm trying to use git push with SSH remote from GitHub CI action and get an error: Load key "/tmp/341b5794-f0a2-4534-90dd-f791510ec77a_id_rsa": invalid format
Key is in repository secret. I get its info with ssh-keygen -l -v -f key_id_rsa and its output equals to output on my local machine. From my machine I can push with this key
ANSWER
Answered 2021-May-03 at 06:48
If the private key format differs, that means, as I mentioned here that:
- one platform is using openssh prior to 7.8, with an old PEM 64-chars per line format.
- one is using a more recent OpenSSH format, 70-chars per line.
You can force a recent openSSH to generate the old format with:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install selinux
Alpine Linux (https://pkgs.alpinelinux.org/package/edge/testing/x86/policycoreutils)
Arch Linux User Repository (https://aur.archlinux.org/packages/policycoreutils/)
Buildroot (https://git.buildroot.net/buildroot/tree/package/policycoreutils)
Debian and Ubuntu (https://packages.debian.org/sid/policycoreutils)
Gentoo (https://packages.gentoo.org/packages/sys-apps/policycoreutils)
RHEL and Fedora (https://src.fedoraproject.org/rpms/policycoreutils)
Yocto Project (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux)
and many more (https://repology.org/project/policycoreutils/versions)