
#top SELinux


Security-Enhanced Linux (SELinux) is a Mandatory Access Control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in CentOS 4 and significantly enhanced in later CentOS releases. Because of these enhancements, the recommended way of approaching and solving SELinux problems has changed over time, so older material may not apply to newer releases.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/SELinux_Guide/rhlcommon-section-0068.html
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-working_with_selinux

https://wiki.centos.org/HowTos/SELinux


#top Services


#top Syslog




#top Rsyslog


Więcej informacji w analogicznym zagadnieniu: Syslog



#top crond




#top OpenVPN


ll -Z -d /etc/openvpn/ /etc/openvpn/* /etc/openvpn/*/*

drwxr-xr-x  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/
drwxr-xr-x  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name1/
lrwxrwxrwx  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name1.conf -> name1.ovpn
-rw-r--r--  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name1.ovpn
-rw-r--r--  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name1/name1-CA.crt
-rw-r--r--  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name1/name1-sp.crt
-rw-r--r--  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name1/name1-sp.key
-rw-r--r--  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name1/name1-sp.pem
drwxr-xr-x  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name2/
lrwxrwxrwx  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name2.conf -> name2.ovpn
-rw-r--r--  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name2.ovpn
-rw-r--r--  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name2/name2-CA.crt
-rw-r--r--  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name2/name2-sp.crt
-rw-r--r--  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name2/name2-sp.key
-rw-r--r--  root root system_u:object_r:openvpn_etc_t:s0 /etc/openvpn/name2/name2-sp.pem

ll -Z -d /var/log/openvpn

drwxr-xr-x  root root root:object_r:var_log_t:s0       /var/log/openvpn/

restorecon -v /var/log/openvpn

restorecon reset /var/log/openvpn context root:object_r:var_log_t:s0->system_u:object_r:openvpn_var_log_t:s0

ll -Z -d /var/log/openvpn/*

-rw-------  root root system_u:object_r:openvpn_var_log_t:s0 /var/log/openvpn/openvpn-name1.log
-rw-------  root root system_u:object_r:openvpn_var_log_t:s0 /var/log/openvpn/openvpn-name1-status.log
-rw-------  root root system_u:object_r:openvpn_var_log_t:s0 /var/log/openvpn/openvpn-name2.log
-rw-------  root root system_u:object_r:openvpn_var_log_t:s0 /var/log/openvpn/openvpn-name2-status.log



#top SNMPd




#top DHCPd


grep -E '/etc/sysconfig/dhcpd|/etc/dhcp|/var/log/dhcp|/var/run/dhcp' -nr /etc/selinux/targeted/modules/active/*

/etc/selinux/targeted/modules/active/file_contexts:588:/etc/dhcpc.*     system_u:object_r:dhcp_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:618:/etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:642:/etc/dhcp3?/dhclient.*   system_u:object_r:dhcp_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1602:/etc/dhcp/dhclient\.d(/.*)?     system_u:object_r:bin_t:s0
/etc/selinux/targeted/modules/active/file_contexts:2402:/etc/dhcpd\.conf        --      system_u:object_r:dhcp_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:2770:/var/run/dhcpd\.pid     --      system_u:object_r:dhcpd_var_run_t:s0
/etc/selinux/targeted/modules/active/file_contexts:2927:/etc/dhcp/dhcpd\.conf   --      system_u:object_r:dhcp_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:594:/etc/dhcpc.*    system_u:object_r:dhcp_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:624:/etc/dhcp3(/.*)?        system_u:object_r:dhcp_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:648:/etc/dhcp3?/dhclient.*  system_u:object_r:dhcp_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:1653:/etc/dhcp/dhclient\.d(/.*)?    system_u:object_r:bin_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:2471:/etc/dhcpd\.conf       --      system_u:object_r:dhcp_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:2847:/var/run/dhcpd\.pid    --      system_u:object_r:dhcpd_var_run_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:3007:/etc/dhcp/dhcpd\.conf  --      system_u:object_r:dhcp_etc_t:s0

chcon system_u:object_r:dhcp_etc_t:s0 /etc/dhcpd /etc/dhcpd/*
chcon system_u:object_r:bin_t:s0 /etc/dhcpd/dhclient.d
chcon system_u:object_r:dhcpd_var_run_t:s0 /var/run/dhcpd.pid

ll -Z -d /etc/dhcpd /etc/dhcpd/* /etc/dhcpd/dhclient.d /var/run/dhcpd.pid

drwxr-xr-x. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/
drwxr-xr-x. root root system_u:object_r:bin_t:s0       /etc/dhcpd/dhclient.d/
drwxr-xr-x. root root system_u:object_r:bin_t:s0       /etc/dhcpd/dhclient.d/
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/dhclient-eth0.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/dhcpd.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/eth0-dhcpd.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/eth0-hosts.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/eth1-dhcpd.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/eth1-hosts.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/virbr1-dhcpd.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/virbr1-hosts.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/virbr2-dhcpd.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/virbr2-hosts.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/virbr3-dhcpd.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/virbr3-hosts.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/virbr4-dhcpd.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/virbr4-hosts.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/virbr5-dhcpd.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/virbr5-hosts.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/vmnet1-dhcpd.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/vmnet1-hosts.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/vmnet2-dhcpd.conf
-rw-r--r--. root root system_u:object_r:dhcp_etc_t:s0  /etc/dhcpd/vmnet2-hosts.conf
-rw-r--r--. root root system_u:object_r:dhcpd_var_run_t:s0 /var/run/dhcpd.pid



#top Named/Bind


grep -E '/etc/named|/var/log/named|/var/run/named|/var/named' -nr /etc/selinux/targeted/modules/active/*

/etc/selinux/targeted/modules/active/file_contexts:624:/var/named(/.*)? system_u:object_r:named_zone_t:s0
/etc/selinux/targeted/modules/active/file_contexts:991:/var/log/named.* --      system_u:object_r:named_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1039:/var/run/named(/.*)?    system_u:object_r:named_var_run_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1152:/var/named/data(/.*)?   system_u:object_r:named_cache_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1373:/var/named/slaves(/.*)? system_u:object_r:named_cache_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1460:/var/named/dynamic(/.*)?        system_u:object_r:named_cache_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1493:/etc/named\.rfc1912.zones       --      system_u:object_r:named_conf_t:s0
/etc/selinux/targeted/modules/active/file_contexts:2430:/etc/named\.conf        --      system_u:object_r:named_conf_t:s0
/etc/selinux/targeted/modules/active/file_contexts:2846:/var/named/named\.ca    --      system_u:object_r:named_conf_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3031:/etc/named\.root\.hints --      system_u:object_r:named_conf_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3575:/etc/named\.caching-nameserver\.conf    --      system_u:object_r:named_conf_t:s0

chroot version (note: the chcon labels set below are not stored in the policy, so a filesystem relabel or a later restorecon on these paths will revert them; to make custom paths such as /srv/chrootnamed persistent, register them with `semanage fcontext -a` and then run restorecon)
restorecon -Rv /srv/chrootnamed/dev /srv/chrootnamed/lib /srv/chrootnamed/lib64 /srv/chrootnamed/proc /srv/chrootnamed/sbin /srv/chrootnamed/usr /srv/chrootnamed/var/named

chcon --no-dereference system_u:object_r:device_t:s0 /srv/chrootnamed/dev
chcon --no-dereference system_u:object_r:etc_t:s0 /srv/chrootnamed/etc
chcon -Rv --no-dereference system_u:object_r:lib_t:s0 /srv/chrootnamed/lib64
chcon --no-dereference system_u:object_r:proc_t:s0 /srv/chrootnamed/proc
chcon --no-dereference system_u:object_r:bin_t:s0 /srv/chrootnamed/sbin
chcon --no-dereference system_u:object_r:usr_t:s0 /srv/chrootnamed/usr
chcon --no-dereference system_u:object_r:var_t:s0 /srv/chrootnamed/var /srv/chrootnamed/var/* /srv/chrootnamed/var/*/*

chcon --no-dereference system_u:object_r:null_device_t:s0 /srv/chrootnamed/dev/null
chcon --no-dereference system_u:object_r:devpts_t:s0 /srv/chrootnamed/dev/pts
chcon --no-dereference system_u:object_r:random_device_t:s0 /srv/chrootnamed/dev/random
chcon --no-dereference system_u:object_r:etc_t:s0 /srv/chrootnamed/etc/group /srv/chrootnamed/etc/nsswitch.conf /srv/chrootnamed/etc/passwd
chcon --no-dereference system_u:object_r:locale_t:s0 /srv/chrootnamed/etc/localtime
chcon -Rv --no-dereference system_u:object_r:named_conf_t:s0 /srv/chrootnamed/etc/named
chcon --no-dereference system_u:object_r:shell_exec_t:s0 /srv/chrootnamed/sbin/nologin
chcon -Rv --no-dereference system_u:object_r:bin_t:s0 /srv/chrootnamed/usr/bin /srv/chrootnamed/usr/sbin
chcon -Rv --no-dereference system_u:object_r:lib_t:s0 /srv/chrootnamed/usr/lib64

normal version
restorecon /etc/named /etc/named/*
chcon -Rv --no-dereference system_u:object_r:named_conf_t:s0 /etc/named /etc/named/*

restorecon /var/log/named /var/log/named/*
chcon -Rv --no-dereference system_u:object_r:named_log_t:s0 /var/log/named /var/log/named/*

restorecon /var/run/named /var/run/named/*
chcon -Rv --no-dereference system_u:object_r:named_var_run_t:s0 /var/run/named /var/run/named/*

restorecon -Rv /var/named
chcon --no-dereference system_u:object_r:named_zone_t:s0 /var/named
chcon --no-dereference system_u:object_r:named_conf_t:s0 /var/named/named.*
chcon -Rv --no-dereference system_u:object_r:named_cache_t:s0 /var/named/data
chcon -Rv --no-dereference system_u:object_r:named_cache_t:s0 /var/named/dynamic
chcon -Rv --no-dereference system_u:object_r:named_cache_t:s0 /var/named/slaves

ll -Z -d /etc/named /etc/named/* /var/log/named /var/log/named/* /var/run/named /var/run/named/* /var/named /var/named/* /var/named/*/*

lrwxrwxrwx. root  named system_u:object_r:named_conf_t:s0 /etc/named -> ../srv/chrootnamed/etc/named/
drwxr-xr-x. root  named system_u:object_r:named_conf_t:s0 /etc/named/db/
-rw-r-----. root  named system_u:object_r:named_conf_t:s0 /etc/named/named.ca
-rw-r--r--. root  named system_u:object_r:named_conf_t:s0 /etc/named/named.conf
-rw-r--r--. root  named system_u:object_r:named_conf_t:s0 /etc/named/named.iscdlv.key
-rw-r--r--. root  named system_u:object_r:named_conf_t:s0 /etc/named/named.local.conf
-rw-r--r--. root  named system_u:object_r:named_conf_t:s0 /etc/named/named-o.conf
-rw-r--r--. root  named system_u:object_r:named_conf_t:s0 /etc/named/named.options.conf
-rw-r-----. root  named system_u:object_r:named_conf_t:s0 /etc/named/named.rfc1912.zones
-rw-r--r--. root  named system_u:object_r:named_conf_t:s0 /etc/named/named.zoneroot
-rw-------. root  named system_u:object_r:named_conf_t:s0 /etc/named/rndc.conf
-rw-r-----. root  named system_u:object_r:named_conf_t:s0 /etc/named/rndc.key
drwxr-xr-x. root  named system_u:object_r:named_conf_t:s0 /etc/named/zones/
drwxr-xr-x. root  named system_u:object_r:named_conf_t:s0 /etc/named/zones-pw/
lrwxrwxrwx. root  root  system_u:object_r:named_log_t:s0 /var/log/named -> ../../srv/chrootnamed/var/log/named/
-rw-r--r--. named named system_u:object_r:named_log_t:s0 /var/log/named/named-auth.info
-rw-r--r--. named named system_u:object_r:named_log_t:s0 /var/log/named/named.log
-rw-r--r--. named named system_u:object_r:named_log_t:s0 /var/log/named/queries.log
-rw-r--r--. named named system_u:object_r:named_log_t:s0 /var/log/named/update-debug.log
lrwxrwxrwx. root  root  system_u:object_r:named_zone_t:s0 /var/named -> /srv/chrootnamed/var/named/
drwxrwx---. named named system_u:object_r:named_cache_t:s0 /var/named/data/
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/data/cache_dump.db
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/data/named.run
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/data/named.run-20131201.gz
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/data/named.run-20131208.gz
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/data/named.run-20131215.gz
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/data/named.run-20131222.gz
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/data/named.run-20131229.gz
drwxrwx---. named named system_u:object_r:named_cache_t:s0 /var/named/dynamic/
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/dynamic/managed-keys.bind
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/dynamic/managed-keys.bind.jnl
-rw-r-----. root  named system_u:object_r:named_conf_t:s0 /var/named/named.ca
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 /var/named/named.empty
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 /var/named/named.localhost
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 /var/named/named.loopback
drwxrwx---. named named system_u:object_r:named_cache_t:s0 /var/named/slaves/
lrwxrwxrwx. root  root  system_u:object_r:named_var_run_t:s0 /var/run/named -> /srv/chrootnamed/var/run/named/
-rw-r--r--. named named system_u:object_r:named_var_run_t:s0 /var/run/named/named.pid
-rw-------. named named system_u:object_r:named_var_run_t:s0 /var/run/named/session.key



tail -F /var/log/messages

Sep 14 20:40:21 cen06x64 named[5523]: the working directory is not writable

getsebool -a | grep  named

named_write_master_zones --> off

setsebool -P named_write_master_zones 1

getsebool -a | grep  named

named_write_master_zones --> on



#top PostgreSQL


grep -E '/etc/sysconfig/pgsql|/etc/postgresql|/var/lib/pgsql|PGSQL|/var/log/postgresql' -nr /etc/selinux/targeted/modules/active/*

/etc/selinux/targeted/modules/active/file_contexts:1180:/etc/postgresql(/.*)?   system_u:object_r:postgresql_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1561:/var/lib/pgsql/data(/.*)?       system_u:object_r:postgresql_db_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1562:/var/log/postgresql(/.*)?       system_u:object_r:postgresql_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1614:/etc/sysconfig/pgsql(/.*)?      system_u:object_r:postgresql_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1704:/var/lib/pgsql/logfile(/.*)?    system_u:object_r:postgresql_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3413:/var/lib/pgsql/pgstartup\.log   system_u:object_r:postgresql_log_t:s0

restorecon -Rv /etc/postgresql /etc/postgresql/* /etc/sysconfig/pgsql /etc/sysconfig/pgsql/*
chcon -Rv system_u:object_r:postgresql_etc_t:s0 /etc/postgresql /etc/postgresql/* /etc/sysconfig/pgsql /etc/sysconfig/pgsql/*

restorecon -Rv /var/log/postgresql /var/log/postgresql/*
chcon -Rv system_u:object_r:postgresql_log_t:s0 /var/log/postgresql /var/log/postgresql/*

restorecon -Rv /srv/pgsql /srv/pgsql/*
chcon -Rv system_u:object_r:postgresql_db_t:s0 /srv/pgsql /srv/pgsql/*
chcon -Rv system_u:object_r:var_lib_t:s0 /srv/pgsql/backups
chcon -Rv system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data

ll -Z -d /etc/sysconfig /etc/sysconfig/pgsql /etc/sysconfig/pgsql/* /etc/postgresql /etc/postgresql/* /srv/pgsql /srv/pgsql/data /srv/pgsql/data/* /var/log/postgresql /var/log/postgresql/*

drwxr-xr-x. root     root     system_u:object_r:postgresql_etc_t:s0 /etc/postgresql/
-rw-------. postgres postgres system_u:object_r:postgresql_etc_t:s0 /etc/postgresql/pg_hba.conf
-rw-------. postgres postgres system_u:object_r:postgresql_etc_t:s0 /etc/postgresql/pg_ident.conf
-rw-------. postgres postgres system_u:object_r:postgresql_etc_t:s0 /etc/postgresql/postgresql.conf
drwxr-xr-x. root     root     system_u:object_r:etc_t:s0       /etc/sysconfig/
drwxr-xr-x. root     root     system_u:object_r:postgresql_etc_t:s0 /etc/sysconfig/pgsql/
-rw-r--r--. root     root     system_u:object_r:postgresql_etc_t:s0 /etc/sysconfig/pgsql/postgresql
drwxr-xr-x. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/base/
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/global/
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/pg_clog/
-rw-------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/pg_hba.conf
-rw-------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/pg_ident.conf
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/pg_multixact/
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/pg_stat_tmp/
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/pg_subtrans/
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/pg_tblspc/
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/pg_twophase/
-rw-------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/PG_VERSION
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/pg_xlog/
-rw-------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/postgresql.conf
-rw-------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/postmaster.opts
-rw-------. postgres postgres system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/postmaster.pid
drwxr-xr-x. postgres root     system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/pgstartup.log
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/pgstartup.log-20120520.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/pgstartup.log-20121103.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log-20131025.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log-20131108.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log-20131115.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log-20131118.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log-20131124.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log-20131201.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log-20131208.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log-20131215.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log-20131222.gz
-rw-------. postgres postgres system_u:object_r:postgresql_log_t:s0 /var/log/postgresql/postgresql-main.log-20131229.gz



#top MySQL


grep -E '/etc/my..cnf|/var/lib/mysql|/var/run/mysqld|/var/log/mysql' -nr /etc/selinux/targeted/modules/active/*

/etc/selinux/targeted/modules/active/file_contexts:685:/var/log/mysql.* --      system_u:object_r:mysqld_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1055:/var/lib/mysql(/.*)?    system_u:object_r:mysqld_db_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1176:/var/run/mysqld(/.*)?   system_u:object_r:mysqld_var_run_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1834:/var/run/mysqld/mysqlmanager.*  --      system_u:object_r:mysqlmanagerd_var_run_t:s0
/etc/selinux/targeted/modules/active/file_contexts:2085:/etc/my\.cnf    --      system_u:object_r:mysqld_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3317:/var/lib/mysql/mysql\.sock      -s      system_u:object_r:mysqld_var_run_t:s0

restorecon -Rv /etc/my.cnf /etc/mysqld/*
chcon -Rv --no-dereference system_u:object_r:mysqld_etc_t:s0 /etc/my.cnf /etc/mysqld /etc/mysqld/*

restorecon -Rv /var/log/mysqld /var/log/mysqld/*
chcon -Rv --no-dereference system_u:object_r:var_log_t:s0 /var/log/mysqld
chcon -Rv --no-dereference system_u:object_r:mysqld_log_t:s0 /var/log/mysqld/*

restorecon -Rv /var/run/mysqld /var/run/mysqld/*
chcon -Rv --no-dereference system_u:object_r:mysqld_var_run_t:s0 /var/run/mysqld /var/run/mysqld/*

restorecon -Rv /srv/mysql /srv/mysql/*
chcon -Rv --no-dereference system_u:object_r:mysqld_db_t:s0 /srv/mysql /srv/mysql/*

ll -Z -d /etc/my.cnf /etc/mysqld/* /var/log/mysqld /var/log/mysqld/* /var/run/mysqld /var/run/mysqld/* /srv/mysql /srv/mysql/*

lrwxrwxrwx. root  root  system_u:object_r:mysqld_etc_t:s0 /etc/my.cnf -> mysqld/my.cnf
-rw-r--r--. root  root  system_u:object_r:mysqld_etc_t:s0 /etc/mysqld/my2.cnf
-rw-r--r--. root  root  system_u:object_r:mysqld_etc_t:s0 /etc/mysqld/my.cnf
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/ibdata1
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/ib_logfile0
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/ib_logfile1
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/mailer/
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/mysql/
-rw-r--r--. root  root  system_u:object_r:mysqld_db_t:s0 /srv/mysql/mysql_upgrade_info
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/nagios3/
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/redmine/
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/webapp/
lrwxrwxrwx. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/webbot -> /srv/webbot/mysql/webbot/
lrwxrwxrwx. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/webbotz -> /srv/webbot/mysql/webbotz/
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 /srv/mysql/webuser/
drwxr-xr-x  mysql root  system_u:object_r:mysqld_log_t:s0 /var/log/mysqld/
-rw-r-----  mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mysqld/mysqld2.log
-rw-r-----  mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mysqld/mysqld.log
-rw-rw----  mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mysqld/slow-queries2.log
-rw-rw----  mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mysqld/slow-queries.log
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_var_run_t:s0 /var/run/mysqld/
-rw-rw----. mysql mysql system_u:object_r:mysqld_var_run_t:s0 /var/run/mysqld/mysqld2.pid
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 /var/run/mysqld/mysqld2.sock=
-rw-rw----. mysql mysql system_u:object_r:mysqld_var_run_t:s0 /var/run/mysqld/mysqld.pid
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 /var/run/mysqld/mysqld.sock=



tail -F /var/log/mysqld/mysqld.log

150428 11:08:04 [ERROR] Can't open shared library '/usr/lib/mysql/plugin/ha_innodb.so' (errno: 0 cannot restore segment prot after reloc: Permission denied)
150428 11:08:04 [Warning] Couldn't load plugin named 'innodb' with soname 'ha_innodb.so'.

echo "install plugin innodb soname 'ha_innodb.so';" | mysql -u root -p mysql

Enter password:
ERROR 1126 (HY000) at line 1: Can't open shared library '/usr/lib/mysql/plugin/ha_innodb.so' (errno: 2 cannot restore segment prot after reloc: Permission denied)

ll -Z -d /usr/lib/mysql/plugin/*.so*

lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_archive.so -> ha_archive.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_archive.so.0 -> ha_archive.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_archive.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_blackhole.so -> ha_blackhole.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_blackhole.so.0 -> ha_blackhole.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_blackhole.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_example.so -> ha_example.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_example.so.0 -> ha_example.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_example.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_federated.so -> ha_federated.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_federated.so.0 -> ha_federated.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_federated.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_innodb_plugin.so -> ha_innodb_plugin.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_innodb_plugin.so.0 -> ha_innodb_plugin.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_innodb_plugin.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_innodb.so -> ha_innodb.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_innodb.so.0 -> ha_innodb.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:lib_t:s0       /usr/lib/mysql/plugin/ha_innodb.so.0.0.0*

chcon -t textrel_shlib_t /usr/lib/mysql/plugin/ha_innodb.so
chcon -h -t textrel_shlib_t /usr/lib/mysql/plugin/*.so*
# textrel_shlib_t relaxes the execmod restriction for these libraries only; prefer a plugin build without text relocations (PIC) where one is available

ll -Z -d /usr/lib/mysql/plugin/*.so*

lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_archive.so -> ha_archive.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_archive.so.0 -> ha_archive.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_archive.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_blackhole.so -> ha_blackhole.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_blackhole.so.0 -> ha_blackhole.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_blackhole.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_example.so -> ha_example.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_example.so.0 -> ha_example.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_example.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_federated.so -> ha_federated.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_federated.so.0 -> ha_federated.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_federated.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_innodb_plugin.so -> ha_innodb_plugin.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_innodb_plugin.so.0 -> ha_innodb_plugin.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_innodb_plugin.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_innodb.so -> ha_innodb.so.0.0.0*
lrwxrwxrwx  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_innodb.so.0 -> ha_innodb.so.0.0.0*
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/mysql/plugin/ha_innodb.so.0.0.0*



#top Dovecot


# Look up the policy's file-context rules (regex -> type) for Dovecot's config,
# runtime and log paths. The matches below all come from the compiled file_contexts
# file; `matchpathcon PATH` answers the same question for a single concrete path.
grep -E '/etc/dovecot|/var/run/dovecot|/var/log/mail' -nr /etc/selinux/targeted/modules/active/*

/etc/selinux/targeted/modules/active/file_contexts:797:/etc/dovecot(/.*)?       system_u:object_r:dovecot_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:881:/var/log/mail(/.*)?      system_u:object_r:sendmail_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1244:/var/log/maillog[^/]*   system_u:object_r:var_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1289:/var/log/mailman(/.*)?  system_u:object_r:mailman_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1327:/var/run/dovecot(-login)?(/.*)? system_u:object_r:dovecot_var_run_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1334:/etc/dovecot\.conf.*    system_u:object_r:dovecot_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1516:/etc/dovecot\.passwd.*  system_u:object_r:dovecot_passwd_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1923:/var/run/dovecot/login/ssl-parameters.dat       --      system_u:object_r:dovecot_var_lib_t:s0

# Each restorecon applies the policy's own rules; the chcon that follows it forces the
# type shown in the file_contexts output above. A chcon label is NOT persistent: the
# next restorecon / fixfiles / relabel reverts it. To keep a deliberate deviation,
# record it with `semanage fcontext -a -t TYPE 'REGEX'` and then run restorecon.
# Note: -R already descends into directories, so the extra `DIR/*` arguments are
# redundant (and on an empty directory the unexpanded glob makes chcon report
# a missing path).
restorecon -Rv /etc/dovecot*
# Flattens everything matched by /etc/dovecot* to dovecot_etc_t. If /etc/dovecot.passwd*
# exists, this overrides the stricter dovecot_passwd_t the policy assigns to it
# (file_contexts line 1516 above) — credential files are better left to restorecon.
chcon -Rv --no-dereference system_u:object_r:dovecot_etc_t:s0 /etc/dovecot*

restorecon -Rv /var/run/dovecot /var/run/dovecot/*
chcon -Rv --no-dereference system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot /var/run/dovecot/*

# ssl-parameters.dat is the one file under /var/run/dovecot with a different type
# (dovecot_var_lib_t, file_contexts line 1923). It must be relabeled AFTER the recursive
# dovecot_var_run_t chcon above, so the order of these commands matters.
restorecon -Rv /var/run/dovecot/login/ssl-parameters.dat
chcon -Rv --no-dereference system_u:object_r:dovecot_var_lib_t:s0 /var/run/dovecot/login/ssl-parameters.dat

# Deviation from policy: file_contexts maps /var/log/mail(/.*)? to sendmail_log_t
# (line 881 above), so restorecon sets that type and the chcon immediately replaces it
# with var_log_t. Whichever type the log writer needs, persist it with semanage fcontext,
# otherwise the label silently flips back on the next relabel.
restorecon -Rv /var/log/mail /var/log/mail/*
chcon -Rv --no-dereference system_u:object_r:var_log_t:s0 /var/log/mail /var/log/mail/*

# Verify the resulting labels (captured output follows).
ll -Z -d /etc/dovecot /etc/dovecot/* /etc/dovecot/*/* /var/run/dovecot/* /var/run/dovecot/*/* /var/log/mail /var/log/mail/*

drwxr-xr-x. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/
drwxr-xr-x. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/10-auth.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/10-director.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/10-logging.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/10-mail.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/10-master.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/10-ssl.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/15-lda.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/20-imap.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/20-lmtp.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/20-managesieve.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/20-pop3.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/90-acl.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/90-plugin.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/90-quota.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/90-sieve.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/auth-checkpassword.conf.ext
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/auth-deny.conf.ext
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/auth-ldap.conf.ext
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/auth-master.conf.ext
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/auth-passwdfile.conf.ext
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/auth-sql.conf.ext
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/auth-static.conf.ext
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/auth-system.conf.ext
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/conf.d/auth-vpopmail.conf.ext
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/dovecot.conf
-rw-r--r--. root    root     system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/dovecot-sql.conf.ext
drwxr-xr-x. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log-20131201.gz
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log-20131208.gz
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log-20131215.gz
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log-20131222.gz
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log-20131229.gz
srw-------. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/anvil=
srw-------. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/anvil-auth-penalty=
srw-------. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/auth-client=
srw-------. dovecot root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/auth-login=
srw-------. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/auth-master=
srw-------. vmail   vmail    system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/auth-userdb=
srw-------. dovecot root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/auth-worker=
srw-------. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/config=
srw-------. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/dict=
srw-------. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/director-admin=
srw-rw-rw-. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/dns-client=
lrwxrwxrwx. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/dovecot.conf -> /etc/dovecot/dovecot.conf
drwxr-xr-x. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/empty/
srw-rw-rw-. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/lmtp=
drwxr-x---. root    dovenull system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/login/
srw-rw-rw-. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/login/dns-client=
srw-rw-rw-. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/login/imap=
srw-rw-rw-. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/login/login=
srw-rw-rw-. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/login/pop3=
srw-rw-rw-. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/login/ssl-params=
-rw-------. root    root     system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot/master.pid

# restorecon's result is overridden right away by the chcon, so user_home_t on the
# mail store is a manual label and is lost on the next relabel. If user_home_t is the
# intended type, make it persistent instead:
#   semanage fcontext -a -t user_home_t '/home/vmail(/.*)?'   # then restorecon -Rv /home/vmail
# (-R already covers /home/vmail/*, so the second argument is redundant.)
restorecon -Rv /home/vmail /home/vmail/*
chcon --no-dereference -Rv system_u:object_r:user_home_t:s0 /home/vmail /home/vmail/*

# Verify the resulting labels (captured output follows).
ll -Z -d /home/vmail /home/vmail/*

drwx------. vmail vmail system_u:object_r:user_home_t:s0 /home/vmail/
drwx------. vmail vmail system_u:object_r:user_home_t:s0 /home/vmail/wbcd.pl/



#top Postfix


# Look up the policy's file-context rules (regex -> type) for Postfix's config, spool
# and log paths. Note how many distinct types live under /var/spool/postfix (pid/,
# flush/, public/, bounce/, private/, maildrop/, and the chroot copies of etc/, lib/,
# usr/): a single recursive chcon over the spool cannot reproduce them.
grep -E '/etc/postfix|/var/spool/postfix|/var/log/mail' -nr /etc/selinux/targeted/modules/active/*

/etc/selinux/targeted/modules/active/file_contexts:812:/etc/postfix(/.*)?       system_u:object_r:postfix_etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:881:/var/log/mail(/.*)?      system_u:object_r:sendmail_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1244:/var/log/maillog[^/]*   system_u:object_r:var_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1289:/var/log/mailman(/.*)?  system_u:object_r:mailman_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1479:/var/spool/postfix(/.*)?        system_u:object_r:postfix_spool_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1580:/etc/postfix/aliases.*  system_u:object_r:etc_aliases_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1693:/var/spool/postfix/usr(/.*)?    system_u:object_r:lib_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1694:/var/spool/postfix/etc(/.*)?    system_u:object_r:etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1707:/var/spool/postfix/lib(64)?(/.*)?       system_u:object_r:lib_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1711:/var/spool/postfix/lib(64)?/ld.*\.so.*  --      system_u:object_r:ld_so_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1713:/var/spool/postfix/pid/.*       system_u:object_r:postfix_var_run_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1770:/var/spool/postfix/flush(/.*)?  system_u:object_r:postfix_spool_flush_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1788:/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1789:/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1805:/var/spool/postfix/private(/.*)?        system_u:object_r:postfix_private_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1811:/etc/postfix/postfix-script.*   --      system_u:object_r:postfix_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1824:/var/spool/postfix/maildrop(/.*)?       system_u:object_r:postfix_spool_maildrop_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1825:/var/spool/postfix/postgrey(/.*)?       system_u:object_r:postgrey_spool_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3091:/var/spool/postfix/pid  -d      system_u:object_r:var_run_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3134:/etc/postfix/prng_exch  --      system_u:object_r:postfix_prng_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3521:/var/spool/postfix/etc/localtime        --      system_u:object_r:locale_t:s0

# restorecon applies the policy rules; the chcon after it forces one type on the whole
# tree. chcon labels are not persistent (lost on the next restorecon / relabel); use
# `semanage fcontext -a -t TYPE 'REGEX'` + restorecon for anything that must stick.
restorecon -Rv /etc/postfix /etc/postfix/*
# Flattening /etc/postfix to postfix_etc_t would undo the more specific types restorecon
# just applied: etc_aliases_t, postfix_exec_t and postfix_prng_t (file_contexts lines
# 1580, 1811, 3134 above). The listing below shows none of those files on this host,
# which is presumably why the three lines after this one are commented out; re-enable
# them — or simply drop this blanket chcon — if any of those files appear.
chcon -Rv --no-dereference system_u:object_r:postfix_etc_t:s0 /etc/postfix /etc/postfix/*
#chcon -Rv --no-dereference system_u:object_r:etc_aliases_t:s0 /etc/postfix/aliases.*
#chcon -Rv --no-dereference system_u:object_r:postfix_exec_t:s0 /etc/postfix/postfix-script.*
#chcon -Rv --no-dereference system_u:object_r:postfix_prng_t:s0 /etc/postfix/prng_exch

# Deviation from policy: /var/log/mail(/.*)? is sendmail_log_t in file_contexts
# (line 881 above); the chcon replaces it with var_log_t, and that is lost on the next
# relabel unless recorded with semanage fcontext.
restorecon -Rv /var/log/mail /var/log/mail/*
chcon -Rv --no-dereference system_u:object_r:var_log_t:s0 /var/log/mail /var/log/mail/*

# Order matters here: the first chcon relabels the entire spool tree to postfix_spool_t,
# and the per-directory chcons after it restore the special types the policy gives to
# pid/, flush/, public/, bounce/, private/ and maildrop/ (they must stay after it).
# The second postfix_spool_t line repeats the first — -R already covered
# /var/spool/postfix. If a chroot is populated under the spool (etc/, lib/, usr/;
# lines 1693-1711 above), the blanket chcon mislabels it too — the listing below shows
# no such directories on this host. All of this is unnecessary when the policy's own
# rules are left to restorecon alone.
restorecon -Rv /var/spool/postfix /var/spool/postfix/*
chcon -Rv --no-dereference system_u:object_r:postfix_spool_t:s0 /var/spool/postfix /var/spool/postfix/*
chcon -Rv --no-dereference system_u:object_r:postfix_spool_t:s0 /var/spool/postfix
chcon -Rv --no-dereference system_u:object_r:var_run_t:s0 /var/spool/postfix/pid
chcon -Rv --no-dereference system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/*
chcon -Rv --no-dereference system_u:object_r:postfix_spool_flush_t:s0 /var/spool/postfix/flush
chcon -Rv --no-dereference system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public
chcon -Rv --no-dereference system_u:object_r:postfix_spool_bounce_t:s0 /var/spool/postfix/bounce
chcon -Rv --no-dereference system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private
chcon -Rv --no-dereference system_u:object_r:postfix_spool_maildrop_t:s0 /var/spool/postfix/maildrop

# Verify the resulting labels (captured output follows).
ll -Z -d /etc/postfix /etc/postfix/* /var/log/mail /var/log/mail/* /var/spool/postfix /var/spool/postfix/* /var/spool/postfix/*/*

drwxr-xr-x. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/access
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/access.db
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/canonical
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/client_access.pcre
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/etc-aliases
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/etc-aliases.db
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/generic
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/header_checks
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/helo_access.pcre
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/mailbox_maps
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/mailbox_maps.db
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/main.cf
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/master.cf
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/mydestination
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/recipient_access.pcre
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/relocated
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/sender_access.pcre
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/sender_checks.pcre
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/sender_login_maps
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/sender_login_maps.db
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/transport
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/transport.db
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/virtual
-rw-r--r--. root    root     system_u:object_r:postfix_etc_t:s0 /etc/postfix/virtual.db
drwxr-xr-x. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log-20131201.gz
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log-20131208.gz
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log-20131215.gz
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log-20131222.gz
-rw-r--r--. root    root     system_u:object_r:var_log_t:s0   /var/log/mail/mail.log-20131229.gz
drwxr-xr-x. root    root     system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/
drwx------. postfix root     system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/active/
drwx------. postfix root     system_u:object_r:postfix_spool_bounce_t:s0 /var/spool/postfix/bounce/
drwx------. postfix root     system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/corrupt/
drwx------. postfix root     system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/0/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/1/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/2/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/3/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/4/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/5/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/6/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/7/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/8/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/9/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/A/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/C/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/D/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/E/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/defer/F/
drwx------. postfix root     system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/0/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/1/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/2/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/3/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/4/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/5/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/6/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/7/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/8/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/9/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/A/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/C/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/D/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/E/
drwx------. postfix postfix  system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/deferred/F/
drwx------. postfix root     system_u:object_r:postfix_spool_flush_t:s0 /var/spool/postfix/flush/
-rw-------. postfix postfix  system_u:object_r:postfix_spool_flush_t:s0 /var/spool/postfix/flush/wbcd_pl
drwx------. postfix root     system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/hold/
drwx------. postfix root     system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/incoming/
drwx-wx---. postfix postdrop system_u:object_r:postfix_spool_maildrop_t:s0 /var/spool/postfix/maildrop/
drwxr-xr-x. root    root     system_u:object_r:var_run_t:s0   /var/spool/postfix/pid/
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/inet.smtp
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/inet.smtps
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/inet.submission
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/master.pid
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/unix.bounce
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/unix.cleanup
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/unix.defer
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/unix.dovecot
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/unix.flush
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/unix.local
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/unix.relay
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/unix.showq
-rw-------. root    root     system_u:object_r:postfix_var_run_t:s0 /var/spool/postfix/pid/unix.smtp
drwx------. postfix root     system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/anvil=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/bounce=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/defer=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/discard=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/dovecot=
srw-rw----. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/dovecot-auth=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/error=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/lmtp=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/local=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/proxymap=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/proxywrite=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/relay=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/retry=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/rewrite=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/scache=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/smtp=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/tlsmgr=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/trace=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/verify=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_private_t:s0 /var/spool/postfix/private/virtual=
drwx--x---. postfix postdrop system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public/
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public/cleanup=
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public/flush=
prw--w--w-. postfix postfix  system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public/pickup|
prw--w--w-. postfix postfix  system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public/qmgr|
srw-rw-rw-. postfix postfix  system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public/showq=
drwx------. postfix root     system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/saved/
drwx------. postfix root     system_u:object_r:postfix_spool_t:s0 /var/spool/postfix/trace/



#top Apache


# Look up the policy's file-context rules (regex -> type) for Apache's config, runtime,
# log and content paths. Every content rule below is rooted at /var/www — there is no
# rule for /srv/http, which is the document root used on this host.
grep -E '/etc/sysconfig/httpd|/etc/httpd|/var/www|/var/run/httpd|/var/log/httpd' -nr /etc/selinux/targeted/modules/active/*

/etc/selinux/targeted/modules/active/file_contexts:174:/var/www(/.*)?   system_u:object_r:httpd_sys_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts:207:/var/www(/.*)?/logs(/.*)?        system_u:object_r:httpd_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:584:/var/www/[^/]*/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:623:/etc/httpd(/.*)? system_u:object_r:httpd_config_t:s0
/etc/selinux/targeted/modules/active/file_contexts:785:/var/www/svn(/.*)?       system_u:object_r:httpd_sys_rw_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts:799:/var/www/git(/.*)?       system_u:object_r:httpd_git_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts:898:/var/www/perl(/.*)?      system_u:object_r:httpd_sys_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:968:/var/run/httpd.* system_u:object_r:httpd_var_run_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1037:/var/log/httpd(/.*)?    system_u:object_r:httpd_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1038:/var/www/icons(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1095:/var/www/html/[^/]*/cgi-bin(/.*)?       system_u:object_r:httpd_sys_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1270:/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1368:/var/www/svn/conf(/.*)? system_u:object_r:httpd_sys_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1459:/var/www/svn/hooks(/.*)?        system_u:object_r:httpd_sys_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1464:/var/www/calamaris(/.*)?        system_u:object_r:calamaris_www_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1532:/var/www/git/gitweb.cgi system_u:object_r:httpd_git_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1559:/var/www/html/munin(/.*)?       system_u:object_r:httpd_munin_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1686:/var/www/cobbler/links(/.*)?    system_u:object_r:public_content_rw_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1731:/var/www/cobbler/images(/.*)?   system_u:object_r:public_content_rw_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1744:/var/www/gallery/albums(/.*)?   system_u:object_r:httpd_sys_rw_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1750:/var/www/html/munin/cgi(/.*)?   system_u:object_r:httpd_munin_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1798:/var/www/cobbler/ks_mirror(/.*)?        system_u:object_r:public_content_rw_t:s0
/etc/selinux/targeted/modules/active/file_contexts:2375:/etc/httpd/logs system_u:object_r:httpd_log_t:s0
/etc/selinux/targeted/modules/active/file_contexts:2701:/etc/httpd/modules      system_u:object_r:httpd_modules_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3052:/var/www/cgi-bin/cgit   --      system_u:object_r:httpd_git_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3107:/etc/httpd/conf/keytab  --      system_u:object_r:httpd_keytab_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3394:/var/www/cgi-bin/cvsweb\.cgi    --      system_u:object_r:httpd_cvs_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3449:/var/www/apcupsd/multimon\.cgi  --      system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3450:/var/www/apcupsd/upsimage\.cgi  --      system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3451:/var/www/apcupsd/upsstats\.cgi  --      system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3483:/var/www/apcupsd/upsfstats\.cgi --      system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3502:/var/www/html/configuration\.php        system_u:object_r:httpd_sys_rw_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3518:/var/www/nut-cgi-bin/upsset\.cgi        --      system_u:object_r:httpd_nutups_cgi_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3565:/var/www/nut-cgi-bin/upsimage\.cgi      --      system_u:object_r:httpd_nutups_cgi_script_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:3566:/var/www/nut-cgi-bin/upsstats\.cgi      --      system_u:object_r:httpd_nutups_cgi_script_exec_t:s0

# restorecon applies the policy rules; the chcon after each one forces a single type.
# chcon labels are not persistent (lost on the next restorecon / relabel); anything
# that must stick belongs in `semanage fcontext`. -R already descends, so the
# `DIR/*` arguments are redundant.
restorecon -Rv /etc/httpd /etc/httpd/*
chcon -Rv --no-dereference system_u:object_r:httpd_config_t:s0 /etc/httpd /etc/httpd/*

restorecon -Rv /var/run/httpd /var/run/httpd/*
chcon -Rv --no-dereference system_u:object_r:httpd_var_run_t:s0 /var/run/httpd /var/run/httpd/*

restorecon -Rv /var/log/httpd /var/log/httpd/*
chcon -Rv --no-dereference system_u:object_r:httpd_log_t:s0 /var/log/httpd /var/log/httpd/*

# /srv/http is not covered by any file_contexts rule in the output above (the policy only
# knows /var/www), so this restorecon falls back to whatever generic rule matches /srv
# and every httpd_* type below comes from chcon alone — i.e. the whole web root loses
# its labels on the next relabel. To make it persistent, declare /srv/http equivalent to
# /var/www and let restorecon do the work:
#   semanage fcontext -a -e /var/www /srv/http && restorecon -Rv /srv/http
# With that in place cgi-bin/ and icons/ inherit the /var/www rules (lines 1270, 1038);
# the svn conf/hooks directories under vhosts/ do not match the /var/www/svn/... rules
# (lines 1368, 1459) and still need their own `semanage fcontext -a -t ...` entries.
restorecon -Rv /srv/http
# Order matters: this recursive httpd_sys_content_t chcon also relabels cgi-bin/ and the
# svn hooks; the more specific chcons after it must run last.
chcon -Rv --no-dereference system_u:object_r:httpd_sys_content_t:s0 /srv/http /srv/http/*
chcon -Rv --no-dereference system_u:object_r:httpd_sys_content_t:s0 /srv/http/icons /srv/http/icons/*
chcon -Rv --no-dereference system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/cgi-bin /srv/http/cgi-bin/*
chcon -Rv --no-dereference system_u:object_r:httpd_sys_content_t:s0 /srv/http/vhosts/*svn*/*/conf /srv/http/vhosts/*svn*/*/conf/*
chcon -Rv --no-dereference system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/*svn*/*/hooks /srv/http/vhosts/*svn*/*/hooks/*

# Verify the resulting labels (captured output follows).
ll -Z -d /etc/httpd /etc/httpd/* /var/run/httpd /var/run/httpd/* /var/log/httpd /var/log/httpd/* /srv/http /srv/http/icons /srv/http/cgi-bin /srv/http/vhosts /srv/http/vhosts/* /srv/http/vhosts/*svn*/*/hooks/*

drwxr-xr-x. root   root   system_u:object_r:httpd_config_t:s0 /etc/httpd/
drwxr-xr-x. root   root   system_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d/
-rw-r--r--. root   root   system_u:object_r:httpd_config_t:s0 /etc/httpd/httpd.conf
-rw-r--r--. root   root   system_u:object_r:httpd_config_t:s0 /etc/httpd/magic
drwxr-xr-x. root   root   system_u:object_r:httpd_config_t:s0 /etc/httpd/vhosts/
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 /srv/http/
drwxr-xr-x. root   root   system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/cgi-bin/
drwxr-xr-x. root   root   system_u:object_r:httpd_sys_content_t:s0 /srv/http/icons/
drwxr-xr-x  apache apache system_u:object_r:httpd_sys_content_t:s0 /srv/http/vhosts/
-rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/knview/hooks/post-commit*
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/knview/hooks/post-commit.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/knview/hooks/post-lock.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/knview/hooks/post-revprop-change.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/knview/hooks/post-unlock.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/knview/hooks/pre-commit.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/knview/hooks/pre-lock.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/knview/hooks/pre-revprop-change.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/knview/hooks/pre-unlock.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/knview/hooks/start-commit.tmpl
-rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/redmine/hooks/post-commit*
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/redmine/hooks/post-commit.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/redmine/hooks/post-lock.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/redmine/hooks/post-revprop-change.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/redmine/hooks/post-unlock.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/redmine/hooks/pre-commit.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/redmine/hooks/pre-lock.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/redmine/hooks/pre-revprop-change.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/redmine/hooks/pre-unlock.tmpl
-rw-r--r--. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /srv/http/vhosts/redmine.wbcd.pl-svndata/redmine/hooks/start-commit.tmpl
drwxr-xr-x. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/addons_wbcd_pl-access.log
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/addons_wbcd_pl-error.log
drwxr-xr-x. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/cen05-history/
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/default-access.log
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/default-error.log
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/error.log
drwxr-xr-x. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/history/
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/redmine_wbcd_pl-access.log
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/redmine_wbcd_pl-error.log
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/stats_wbcd_pl-access.log
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/stats_wbcd_pl-error.log
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/wb_app_wbcd_pl-access.log
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/wb_app_wbcd_pl-error.log
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/wc_app_wbcd_pl-access.log
-rw-r--r--. root   root   system_u:object_r:httpd_log_t:s0 /var/log/httpd/wc_app_wbcd_pl-error.log
drwx--x---. root   apache system_u:object_r:httpd_var_run_t:s0 /var/run/httpd/
-rw-r--r--. root   root   system_u:object_r:httpd_var_run_t:s0 /var/run/httpd/httpd.pid



#top Varnish


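# Explain (-w, "why") each varnishd denial without generating any policy.
# grep reads the audit log directly; the cat in the original pipeline was redundant.
# The answer below ("would be allowed by active policy ... possible mismatch")
# means the loaded policy or boolean state differs from the one in force when
# the AVCs were logged, so check booleans / reload the policy before writing a
# custom module for them.
grep 'avc:' /var/log/audit/audit.log | grep varnishd | audit2allow -w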

type=AVC msg=audit(1485730151.411:68260): avc:  denied  { chown } for  pid=7640 comm="varnishd" capability=0  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730170.120:68262): avc:  denied  { chown } for  pid=7656 comm="varnishd" capability=0  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730180.883:68264): avc:  denied  { chown } for  pid=7687 comm="varnishd" capability=0  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730200.641:68272): avc:  denied  { chown } for  pid=7709 comm="varnishd" capability=0  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730234.122:68280): avc:  denied  { fowner } for  pid=7735 comm="varnishd" capability=3  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730251.894:68282): avc:  denied  { fowner } for  pid=7757 comm="varnishd" capability=3  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730288.522:68285): avc:  denied  { fowner } for  pid=7810 comm="varnishd" capability=3  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730366.278:68287): avc:  denied  { fowner } for  pid=7911 comm="varnishd" capability=3  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730382.520:68293): avc:  denied  { chown } for  pid=7928 comm="varnishd" capability=0  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730387.571:68297): avc:  denied  { chown } for  pid=7945 comm="varnishd" capability=0  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730467.433:68300): avc:  denied  { chown } for  pid=8010 comm="varnishd" capability=0  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730471.376:68302): avc:  denied  { chown } for  pid=8019 comm="varnishd" capability=0  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730530.794:68305): avc:  denied  { search } for  pid=8069 comm="varnishd" scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730581.491:68307): avc:  denied  { fsetid } for  pid=8116 comm="varnishd" capability=4  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730581.491:68307): avc:  denied  { fsetid } for  pid=8116 comm="varnishd" capability=4  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1485730581.510:68308): avc:  denied  { read } for  pid=8119 comm="varnishd" scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file

    Was caused by:
        Unknown - would be allowed by active policy
        Possible mismatch between this policy and the one under which the audit message was generated.

        Possible mismatch between current in-memory boolean settings vs. permanent ones.

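# Build a loadable module from every varnishd AVC in the log (the cat of the
# original pipeline was redundant). Review the generated a2a0varnishd.te before
# loading it: the input above contains capability denials (chown, fowner,
# fsetid) and reads of sysctl_kernel_t, and audit2allow turns each of them into
# an unconditional allow rule for varnishd_t. The -w run above also reported
# that these denials "would be allowed by active policy", so a policy reload or
# a boolean fix may make the custom module unnecessary.
grep 'avc:' /var/log/audit/audit.log | grep varnishd | audit2allow -M a2a0varnishd

semodule -i a2a0varnishd.pp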



#top SQUID


tail -F /var/log/audit/audit.log

type=AVC msg=audit(1387558269.347:53): avc:  denied  { search } for  pid=2872 comm="squid" name="squid" dev=sde1 ino=37224449 scontext=unconfined_u:system_r:squid_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1387558269.347:53): avc:  denied  { getattr } for  pid=2872 comm="squid" path="/mnt/data1/squid/cachedir" dev=sde1 ino=37224450 scontext=unconfined_u:system_r:squid_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1387558269.347:53): arch=c000003e syscall=4 success=yes exit=0 a0=7f93f133f450 a1=7fff8d462350 a2=7fff8d462350 a3=200000 items=0 ppid=2870 pid=2872 auid=501 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1387558269.400:54): avc:  denied  { append } for  pid=2872 comm="squid" name="swap.state" dev=sde1 ino=37225475 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1387558269.400:54): avc:  denied  { open } for  pid=2872 comm="squid" name="swap.state" dev=sde1 ino=37225475 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1387558269.400:54): arch=c000003e syscall=2 success=yes exit=14 a0=7f93efeff7a0 a1=441 a2=1a4 a3=7fff8d462140 items=0 ppid=2870 pid=2872 auid=501 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1387558269.414:55): avc:  denied  { getattr } for  pid=2872 comm="squid" path="/mnt/data1/squid/cachedir/swap.state" dev=sde1 ino=37225475 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1387558269.414:55): arch=c000003e syscall=4 success=yes exit=0 a0=7f93f143e540 a1=7fff8d4622e0 a2=7fff8d4622e0 a3=2e706177732f2f72 items=0 ppid=2870 pid=2872 auid=501 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1387558269.414:56): avc:  denied  { write } for  pid=2872 comm="squid" name="cachedir" dev=sde1 ino=37224450 scontext=unconfined_u:system_r:squid_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1387558269.414:56): avc:  denied  { add_name } for  pid=2872 comm="squid" name="swap.state.new" scontext=unconfined_u:system_r:squid_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1387558269.414:56): avc:  denied  { create } for  pid=2872 comm="squid" name="swap.state.new" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1387558269.414:56): avc:  denied  { append open } for  pid=2872 comm="squid" name="swap.state.new" dev=sde1 ino=37225474 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1387558269.414:56): arch=c000003e syscall=2 success=yes exit=14 a0=7f93f15c4570 a1=641 a2=1a4 a3=2e706177732f2f72 items=0 ppid=2870 pid=2872 auid=501 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1387558269.415:57): avc:  denied  { read } for  pid=2872 comm="squid" name="swap.state" dev=sde1 ino=37225475 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1387558269.415:57): arch=c000003e syscall=2 success=yes exit=15 a0=7f93f143e540 a1=0 a2=1b6 a3=0 items=0 ppid=2870 pid=2872 auid=501 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1387558269.415:58): avc:  denied  { remove_name } for  pid=2872 comm="squid" name="swap.state.last-clean" dev=sde1 ino=37225473 scontext=unconfined_u:system_r:squid_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1387558269.415:58): avc:  denied  { unlink } for  pid=2872 comm="squid" name="swap.state.last-clean" dev=sde1 ino=37225473 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1387558269.415:58): arch=c000003e syscall=87 success=yes exit=0 a0=7f93f15c4530 a1=1 a2=7fff8d462250 a3=7fff8d461f90 items=0 ppid=2870 pid=2872 auid=501 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1387558269.429:59): avc:  denied  { getattr } for  pid=2872 comm="squid" path="/mnt/root/srv" dev=sdb3 ino=2 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1387558269.429:59): arch=c000003e syscall=4 success=yes exit=0 a0=7fff8d461d4a a1=7fff8d462140 a2=7fff8d462140 a3=3 items=0 ppid=2870 pid=2872 auid=501 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1387558269.859:60): avc:  denied  { rename } for  pid=2872 comm="squid" name="swap.state.new" dev=sde1 ino=37225474 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1387558269.859:60): arch=c000003e syscall=82 success=yes exit=0 a0=7f93f2cf83e0 a1=7f93f2cf8420 a2=0 a3=7fff8d4620a0 items=0 ppid=2870 pid=2872 auid=501 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1387558284.429:61): avc:  denied  { read } for  pid=2872 comm="squid" name="6C" dev=sde1 ino=37258107 scontext=unconfined_u:system_r:squid_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1387558284.429:61): avc:  denied  { open } for  pid=2872 comm="squid" name="6C" dev=sde1 ino=37258107 scontext=unconfined_u:system_r:squid_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1387558284.429:61): arch=c000003e syscall=2 success=yes exit=12 a0=7f93efefe660 a1=90800 a2=7f93efefe680 a3=7fff8d462030 items=0 ppid=2870 pid=2872 auid=501 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)

ll -Z -d /var/spool/squid /mnt/data1/squid

drwxr-xr-x. squid squid user_u:object_r:file_t:s0        /mnt/data1/squid/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /var/spool/squid/

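# restorecon on its own has no rule to apply here: /mnt/data1/squid is outside
# the paths the policy knows, which is why the listing above still shows the
# unlabeled type file_t. A plain chcon would fix the label only until the next
# relabel (restorecon -R, /.autorelabel). Register the path with the policy
# first, then relabel, so the squid_cache_t label is permanent.
semanage fcontext -a -t squid_cache_t '/mnt/data1/squid(/.*)?'
restorecon -Rv /mnt/data1/squid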

ll -Z -d /var/spool/squid /mnt/data1/squid /mnt/data1/squid/cachedir/*

drwxr-xr-x. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/00/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/01/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/02/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/03/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/04/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/05/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/06/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/07/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/08/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/09/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/0A/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/0B/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/0C/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/0D/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/0E/
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/0F/
-rw-r-----. squid squid system_u:object_r:squid_cache_t:s0 /mnt/data1/squid/cachedir/swap.state
drwxr-x---. squid squid system_u:object_r:squid_cache_t:s0 /var/spool/squid/



#top ProFTPd


grep -E '/etc/sysconfig/proftpd|/etc/proftpd|/var/ftp|/var/run/proftpd|/var/log/proftpd' -nr /etc/selinux/targeted/modules/active/*

/etc/selinux/targeted/modules/active/file_contexts:143:/var/ftp(/.*)?   system_u:object_r:public_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts:574:/var/ftp/bin(/.*)?       system_u:object_r:bin_t:s0
/etc/selinux/targeted/modules/active/file_contexts:579:/var/ftp/etc(/.*)?       system_u:object_r:etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:593:/var/ftp/lib(64)?(/.*)?  system_u:object_r:lib_t:s0
/etc/selinux/targeted/modules/active/file_contexts:595:/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*  -- system_u:object_r:ld_so_t:s0
/etc/selinux/targeted/modules/active/file_contexts:596:/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
/etc/selinux/targeted/modules/active/file_contexts:885:/var/run/proftpd(/.*)?   system_u:object_r:ftpd_var_run_t:s0
/etc/selinux/targeted/modules/active/file_contexts:886:/var/log/proftpd(/.*)?   system_u:object_r:xferlog_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1638:/var/ftp/bin/ls --      system_u:object_r:ls_exec_t:s0
/etc/selinux/targeted/modules/active/file_contexts:1775:/etc/proftpd\.conf      --      system_u:object_r:ftpd_etc_t:s0

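# Label the ProFTPd chroot like the corresponding paths on the root filesystem.
# NOTE: chcon is not persistent -- a relabel (restorecon -R, /.autorelabel)
# reverts every line below. The persistent alternative is an equivalence rule,
#   semanage fcontext -a -e / /srv/chrootproftpd && restorecon -Rv /srv/chrootproftpd
# which makes the policy apply its own /bin, /etc, /dev, ... rules under the chroot.
chcon -Rv system_u:object_r:device_t:s0 /srv/chrootproftpd/dev
chcon system_u:object_r:bin_t:s0 /srv/chrootproftpd/bin
chcon system_u:object_r:sbin_t:s0 /srv/chrootproftpd/sbin
chcon -Rv system_u:object_r:etc_t:s0 /srv/chrootproftpd/etc
# The ll -Z listing further down shows lib64/ and usr/lib64/ rather than lib/
# and usr/lib in this chroot -- check which directories actually exist.
chcon --no-dereference -Rv system_u:object_r:lib_t:s0 /srv/chrootproftpd/lib
chcon system_u:object_r:tmp_t:s0 /srv/chrootproftpd/tmp
chcon system_u:object_r:usr_t:s0 /srv/chrootproftpd/usr
chcon system_u:object_r:var_t:s0 /srv/chrootproftpd/var

chcon system_u:object_r:shell_exec_t:s0 /srv/chrootproftpd/bin/bash
chcon system_u:object_r:bin_t:s0 /srv/chrootproftpd/bin/cat
# ping is installed setuid root in this chroot (see the listing below);
# consider whether an FTP chroot needs it at all.
chcon system_u:object_r:ping_exec_t:s0 /srv/chrootproftpd/bin/ping
chcon system_u:object_r:ifconfig_exec_t:s0 /srv/chrootproftpd/sbin/ifconfig
chcon system_u:object_r:console_device_t:s0 /srv/chrootproftpd/dev/console
chcon system_u:object_r:null_device_t:s0 /srv/chrootproftpd/dev/null
chcon system_u:object_r:zero_device_t:s0 /srv/chrootproftpd/dev/zero
# group, passwd and protocols keep the etc_t set recursively above. file_t is
# the "unlabeled" type, not a label to assign on purpose; the original relabelled
# these three to file_t and then protocols straight back to etc_t.
chcon system_u:object_r:net_conf_t:s0 /srv/chrootproftpd/etc/resolv.conf

chcon -Rv system_u:object_r:bin_t:s0 /srv/chrootproftpd/usr/bin
chcon -Rv system_u:object_r:sbin_t:s0 /srv/chrootproftpd/usr/sbin
chcon system_u:object_r:ftpd_exec_t:s0 /srv/chrootproftpd/usr/sbin/proftpd
chcon -Rv system_u:object_r:lib_t:s0 /srv/chrootproftpd/usr/lib
chcon -Rv system_u:object_r:bin_t:s0 /srv/chrootproftpd/usr/libexec
chcon -Rv system_u:object_r:usr_t:s0 /srv/chrootproftpd/usr/share
chcon -Rv system_u:object_r:locale_t:s0 /srv/chrootproftpd/usr/share/zoneinfo
chcon -Rv system_u:object_r:var_run_t:s0 /srv/chrootproftpd/var/run
chcon -Rv system_u:object_r:var_lock_t:s0 /srv/chrootproftpd/var/lock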



# These chcon labels do not survive a relabel (restorecon -R, /.autorelabel).
# For a permanent label register the path with the policy and relabel:
#   semanage fcontext -a -t TYPE 'PATH(/.*)?' && restorecon -Rv PATH
chcon -Rv system_u:object_r:public_content_t:s0 /srv/ftp*

# /etc/proftpd, /var/log/proftpd and /var/run/proftpd are symlinks into the
# chroot (see the ll -Z listing below). --no-dereference makes -R stop at the
# link itself, so each pair below labels the link first and then the real
# directory inside the chroot.
chcon --no-dereference -Rv system_u:object_r:ftpd_etc_t:s0 /etc/proftpd
chcon --no-dereference -Rv system_u:object_r:ftpd_etc_t:s0 /srv/chrootproftpd/etc/proftpd

# The policy's own rule (file_contexts line 886 in the grep output above)
# labels the whole /var/log/proftpd(/.*)? tree xferlog_t; var_log_t on the
# directory deviates from that rule, so make sure it is intentional.
chcon --no-dereference -Rv system_u:object_r:var_log_t:s0 /var/log/proftpd
chcon --no-dereference -Rv system_u:object_r:var_log_t:s0 /srv/chrootproftpd/var/log/proftpd
chcon --no-dereference -Rv system_u:object_r:xferlog_t:s0 /var/log/proftpd/*
chcon --no-dereference -Rv system_u:object_r:xferlog_t:s0 /srv/chrootproftpd/var/log/proftpd/*

chcon --no-dereference -Rv system_u:object_r:ftpd_var_run_t:s0 /var/run/proftpd
chcon --no-dereference -Rv system_u:object_r:ftpd_var_run_t:s0 /srv/chrootproftpd/var/run/proftpd

ll -Z -d /etc/proftpd /etc/proftpd/* /var/log/proftpd /var/log/proftpd/* /var/run/proftpd /var/run/proftpd/* /srv/ftpd /srv/ftpd/* /srv/chrootproftpd/* /srv/chrootproftpd/bin/* /srv/chrootproftpd/sbin/* /srv/chrootproftpd/etc/* /srv/chrootproftpd/usr/* /srv/chrootproftpd/var/*

lrwxrwxrwx. root root  system_u:object_r:etc_t:s0       /etc/proftpd -> /srv/chrootproftpd/etc/proftpd/
-rw-r--r--. root root  system_u:object_r:ftpd_etc_t:s0  /etc/proftpd/install-proftpd.conf
-rw-r--r--. root root  system_u:object_r:ftpd_etc_t:s0  /etc/proftpd/proftpd.conf
-rw-r--r--. root root  system_u:object_r:ftpd_etc_t:s0  /etc/proftpd/proftpd-ext.conf
-rw-r--r--. root root  system_u:object_r:ftpd_etc_t:s0  /etc/proftpd/proftpd-int.conf
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/bin/
-rwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/bin/bash*
-rwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/bin/cat*
-rwsr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/bin/ping*
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/etc/
-rw-r--r--. root root  system_u:object_r:etc_t:s0       /srv/chrootproftpd/etc/ftpusers
-rw-r--r--. root root  system_u:object_r:etc_t:s0       /srv/chrootproftpd/etc/group
-rw-r--r--. root root  system_u:object_r:etc_t:s0       /srv/chrootproftpd/etc/host.conf
-rw-r--r--. root root  system_u:object_r:net_conf_t:s0  /srv/chrootproftpd/etc/hosts
-rw-r--r--. root root  system_u:object_r:etc_t:s0       /srv/chrootproftpd/etc/nsswitch.conf
-rw-r--r--. root root  system_u:object_r:etc_t:s0       /srv/chrootproftpd/etc/passwd
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/etc/proftpd/
-rw-r--r--. root root  system_u:object_r:etc_t:s0       /srv/chrootproftpd/etc/protocols
-rw-r--r--. root root  system_u:object_r:net_conf_t:s0  /srv/chrootproftpd/etc/resolv.conf
-rw-r--r--. root root  system_u:object_r:etc_t:s0       /srv/chrootproftpd/etc/services
-rw-r--r--. root root  system_u:object_r:etc_t:s0       /srv/chrootproftpd/etc/shells
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/lib64/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/sbin/
-rwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/sbin/ifconfig*
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/srv/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/tmp/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/usr/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/usr/bin/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/usr/lib64/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/usr/libexec/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/usr/sbin/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/usr/share/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/var/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/var/lock/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/var/log/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/chrootproftpd/var/run/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/ftpd/
drwxr-xr-x. root root  system_u:object_r:var_t:s0       /srv/ftpd/miso/
drwxr-xr-x. sp   users system_u:object_r:httpd_sys_content_t:s0 /srv/ftpd/siso1/
lrwxrwxrwx. root root  system_u:object_r:xferlog_t:s0   /var/log/proftpd -> ../../srv/chrootproftpd/var/log/proftpd/
-rw-r--r--. root root  system_u:object_r:xferlog_t:s0   /var/log/proftpd/auth.log
-rw-r--r--. root root  system_u:object_r:xferlog_t:s0   /var/log/proftpd/proftpd-ext.log
-rw-r--r--. root root  system_u:object_r:xferlog_t:s0   /var/log/proftpd/proftpd-ext.xfer.log
-rw-r--r--. root root  system_u:object_r:xferlog_t:s0   /var/log/proftpd/proftpd-int.log
-rw-r--r--. root root  system_u:object_r:xferlog_t:s0   /var/log/proftpd/proftpd-int.xfer.log
lrwxrwxrwx. root root  system_u:object_r:var_run_t:s0   /var/run/proftpd -> ../../srv/chrootproftpd/var/run/proftpd/
-rw-r--r--. root root  system_u:object_r:var_t:s0       /var/run/proftpd/proftpd.delay
-rw-r--r--. root root  system_u:object_r:var_t:s0       /var/run/proftpd/proftpd.pid
-rw-r--r--. root root  system_u:object_r:var_t:s0       /var/run/proftpd/proftpd.scoreboard
srwxrwxrwx. root root  system_u:object_r:var_t:s0       /var/run/proftpd/proftpd.sock=



User login failed (ProFTPd cannot chroot to the home directory; see the messages below):
tail -F /var/log/messages

Aug 27 12:11:30 cen05dev proftpd[6475]: cen05dev.xen.wbcd.pl (::ffff:10.0.0.3[::ffff:10.0.0.3]) - FTP session opened.
Aug 27 12:11:31 cen05dev proftpd[6475]: cen05dev.xen.wbcd.pl (::ffff:10.0.0.3[::ffff:10.0.0.3]) - notice: unable to use '~/' [resolved to '/home/sp/']: Permission denied
Aug 27 12:11:31 cen05dev proftpd[6475]: cen05dev.xen.wbcd.pl (::ffff:10.0.0.3[::ffff:10.0.0.3]) - Preparing to chroot to directory '~/'
Aug 27 12:11:31 cen05dev proftpd[6475]: cen05dev.xen.wbcd.pl (::ffff:10.0.0.3[::ffff:10.0.0.3]) - chroot to '~/' failed for user 'sp': No such file or directory
Aug 27 12:11:31 cen05dev proftpd[6475]: cen05dev.xen.wbcd.pl (::ffff:10.0.0.3[::ffff:10.0.0.3]) - error: unable to set default root directory
Aug 27 12:11:31 cen05dev proftpd[6475]: cen05dev.xen.wbcd.pl (::ffff:10.0.0.3[::ffff:10.0.0.3]) - FTP session closed.

getsebool -a | grep  ftp_home_dir

ftp_home_dir --> off

setsebool -P ftp_home_dir on

getsebool -a | grep  ftp_home_dir

ftp_home_dir --> on



User file upload failed (see the log excerpts below):
tail -F /var/log/proftpd/proftpd.log

::ffff:10.0.0.3 UNKNOWN ftp [16/Dec/2015:18:10:49 +0100] "CWD upload" 250 -
::ffff:10.0.0.3 UNKNOWN ftp [16/Dec/2015:18:10:49 +0100] "EPSV" 229 -
::ffff:10.0.0.3 UNKNOWN ftp [16/Dec/2015:18:10:49 +0100] "TYPE I" 200 -
::ffff:10.0.0.3 UNKNOWN ftp [16/Dec/2015:18:10:49 +0100] "STOR kvm-cen05-freeze.png" 550 -

tail -F /var/log/proftpd/proftpd.xfer.log

::ffff:10.0.0.3 UNKNOWN ftp [16/Dec/2015:18:10:49 +0100] "STOR kvm-cen05-freeze.png" 550 -

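# Explain (-w, "why") each proftpd denial; grep reads the audit log directly,
# the cat of the original pipeline was redundant. audit2allow names the boolean
# that would silence the denial; the one it proposes below
# (allow_ftpd_full_access) is the broadest option available -- see its own
# description in the output -- so treat it as a hint, not as the fix.
grep 'avc:' /var/log/audit/audit.log | grep proftpd | audit2allow -w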

type=AVC msg=audit(1450285800.631:11492): avc:  denied  { write } for  pid=7990 comm="proftpd" name="upload" dev=sda1 ino=202406 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir

        Was caused by:
        The boolean allow_ftpd_full_access was set incorrectly.
        Description:
        Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.

        Allow access by executing:
        # setsebool -P allow_ftpd_full_access 1
type=AVC msg=audit(1450285821.322:11499): avc:  denied  { write } for  pid=7996 comm="proftpd" name="upload" dev=sda1 ino=202406 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir

        Was caused by:
        The boolean allow_ftpd_full_access was set incorrectly.
        Description:
        Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.

        Allow access by executing:
        # setsebool -P allow_ftpd_full_access 1
type=AVC msg=audit(1450285849.317:11500): avc:  denied  { write } for  pid=7998 comm="proftpd" name="upload" dev=sda1 ino=202406 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir

        Was caused by:
        The boolean allow_ftpd_full_access was set incorrectly.
        Description:
        Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.

        Allow access by executing:
        # setsebool -P allow_ftpd_full_access 1

getsebool -a | grep  allow_ftpd_full_access

allow_ftpd_full_access --> off

# allow_ftpd_full_access lets the FTP server read and write every file that
# DAC permits (description in the audit2allow output above). The denial was
# only a write to the upload directory labelled public_content_t, so the
# narrower fix is to label that directory public_content_rw_t and enable
# allow_ftpd_anon_write (used in the anonymous-upload section below) instead.
setsebool -P allow_ftpd_full_access 1

getsebool -a | grep  allow_ftpd_full_access

allow_ftpd_full_access --> on



Anonymous upload failed:
tail -100 /var/log/audit/audit.log | grep  avc: | audit2why

type=AVC msg=audit(1451783069.114:1194): avc:  denied  { ipc_lock } for  pid=4167 comm="proftpd" capability=14 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=capability
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1451783091.917:1195): avc:  denied  { ipc_lock } for  pid=4472 comm="proftpd" capability=14 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=capability
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1451783110.979:1196): avc:  denied  { ipc_lock } for  pid=4473 comm="proftpd" capability=14 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=capability
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

getsebool -a | grep  ftpd_anon_write

allow_ftpd_anon_write --> off

setsebool -P allow_ftpd_anon_write 1

getsebool -a | grep  ftpd_anon_write

allow_ftpd_anon_write --> on

chown ftp:ftp /srv/ftpd/readwrite
chown ftp:ftp /srv/ftpd/writeonly



#top Pure-FTPd


grep -E '/etc/pure-ftpd|/var/ftp|/var/run/pure-ftpd|/var/log/pure-ftpd' -nr /etc/selinux/targeted/modules/active/*

/etc/selinux/targeted/modules/active/file_contexts:170:/var/ftp(/.*)?   system_u:object_r:public_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts:805:/var/ftp/bin(/.*)?       system_u:object_r:bin_t:s0
/etc/selinux/targeted/modules/active/file_contexts:812:/var/ftp/etc(/.*)?       system_u:object_r:etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts:867:/var/ftp/lib(64)?(/.*)?  system_u:object_r:lib_t:s0
/etc/selinux/targeted/modules/active/file_contexts:870:/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*  --      system_u:object_r:ld_so_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:170:/var/ftp(/.*)?  system_u:object_r:public_content_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:814:/var/ftp/bin(/.*)?      system_u:object_r:bin_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:821:/var/ftp/etc(/.*)?      system_u:object_r:etc_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:876:/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t:s0
/etc/selinux/targeted/modules/active/file_contexts.template:879:/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* --      system_u:object_r:ld_so_t:s0

cat /var/log/audit/audit.log | grep  avc: | grep /bin/dbus-daemon | audit2allow -w

type=USER_AVC msg=audit(1450471643.309:13777): user pid=1191 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.99 spid=5849 tpid=5846 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1450471846.091:13784): user pid=1191 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.102 spid=5867 tpid=5864 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1450472821.436:13797): user pid=1191 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.105 spid=5950 tpid=5947 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

causes a long delay at login (~25 seconds, visible in the ftp_auth step below):
[0.020 0.020] ftpdcmds: result=ftp_conn(): result=1 Connect:OK Connected to netboot6.xen.wbcd.pl[fd0a:2002:10:41:a:29:0:24]:21
[0.023 0.003] ftpdcmds: result=sock_banner(): result=214 BANNER:OK 220:220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
[25.429 25.407] ftpdcmds: result=ftp_auth(): result=1 AUTH:OK 230:OK. Current restricted directory is /

cat /var/log/audit/audit.log | grep  avc: | grep /bin/dbus-daemon | audit2allow -M a2a0pure0ftpd0dbus0daemon0send0msg

semodule -i a2a0pure0ftpd0dbus0daemon0send0msg.pp



#top Samba


error when renaming files:
tail -100 /var/log/audit/audit.log | grep  avc: | audit2allow -w

May 28 11:37:28 wbcd kernel: type=1400 audit(1401269848.987:104359): avc:  denied  { rename } for  pid=6587 comm="smbd" name=4B6F706961206D756C74696C6F74656B322E666C76 dev=sde1 ino=44810901 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:data_home_t:s0 tclass=file
May 28 11:38:09 wbcd kernel: type=1400 audit(1401269889.976:104360): avc:  denied  { rename } for  pid=6587 comm="smbd" name=4B6F706961206D756C74696C6F74656B322E666C76 dev=sde1 ino=44810901 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:data_home_t:s0 tclass=file
May 28 11:39:46 wbcd kernel: type=1400 audit(1401269986.230:104361): avc:  denied  { rename } for  pid=6587 comm="smbd" name="multilotek3.flv" dev=sde1 ino=44810901 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:data_home_t:s0 tclass=file

        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow samba to share users home directories.

        Allow access by executing:
        # setsebool -P samba_enable_home_dirs 1
        Description:
        Allow samba to share any file/directory read/write.

        Allow access by executing:
        # setsebool -P samba_export_all_rw 1

setsebool -P samba_enable_home_dirs 1



error when listing directories labeled httpd_sys_content_t (Apache content):
tail -100 /var/log/audit/audit.log | grep  avc: | audit2allow -w

Jun  1 01:04:54 wbcd kernel: type=1400 audit(1401577494.252:131598): avc:  denied  { read } for  pid=6587 comm="smbd" name="install" dev=sde1 ino=56803330 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
Jun  1 01:04:54 wbcd kernel: type=1400 audit(1401577494.252:131599): avc:  denied  { read } for  pid=6587 comm="smbd" name="install" dev=sde1 ino=56803330 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
Jun  1 01:04:54 wbcd kernel: type=1400 audit(1401577494.253:131600): avc:  denied  { read } for  pid=6587 comm="smbd" name="install" dev=sde1 ino=56803330 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow samba to share any file/directory read only.

        Allow access by executing:
        # setsebool -P samba_export_all_ro 1
        Description:
        Allow samba to share any file/directory read/write.

        Allow access by executing:
        # setsebool -P samba_export_all_rw 1

setsebool -P samba_export_all_ro 1



error when creating directories (files and directories labeled mnt_t):
tail -100 /var/log/audit/audit.log | grep  avc: | audit2allow -w

type=AVC msg=audit(1440103393.268:809207): avc:  denied  { write } for  pid=12944 comm="smbd" name="gnutls" dev=sde1 ino=44908568 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=SYSCALL msg=audit(1440103393.268:809207): arch=c000003e syscall=83 success=no exit=-13 a0=7fbee3a45280 a1=1ed a2=1ed a3=756e672f74736574 items=0 ppid=3111 pid=12944 auid=4294967295 uid=0 gid=0 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1440103397.953:809208): avc:  denied  { write } for  pid=12944 comm="smbd" name="gnutls" dev=sde1 ino=44908568 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=SYSCALL msg=audit(1440103397.953:809208): arch=c000003e syscall=83 success=no exit=-13 a0=7fbee3a45270 a1=1ed a2=1ed a3=756e672f74736574 items=0 ppid=3111 pid=12944 auid=4294967295 uid=0 gid=0 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1440103398.981:809209): avc:  denied  { read } for  pid=12944 comm="smbd" name="cen05-ca-bundle.crt" dev=sde1 ino=47857665 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1440103398.981:809209): arch=c000003e syscall=4 success=no exit=-13 a0=7fbee3a46d50 a1=7fff934c1fc0 a2=7fff934c1fc0 a3=ffffffed items=0 ppid=3111 pid=12944 auid=4294967295 uid=0 gid=0 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1440103398.981:809210): avc:  denied  { read } for  pid=12944 comm="smbd" name="wbcd-CA.crt" dev=sde1 ino=47857666 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1440103398.981:809210): arch=c000003e syscall=4 success=no exit=-13 a0=7fbee3a3b900 a1=7fff934c1fc0 a2=7fff934c1fc0 a3=fffffff5 items=0 ppid=3111 pid=12944 auid=4294967295 uid=0 gid=0 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1440103436.050:809211): avc:  denied  { write } for  pid=12944 comm="smbd" name="gnutls" dev=sde1 ino=44908568 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=SYSCALL msg=audit(1440103436.050:809211): arch=c000003e syscall=83 success=no exit=-13 a0=7fbee3a45270 a1=1ed a2=1ed a3=756e672f74736574 items=0 ppid=3111 pid=12944 auid=4294967295 uid=0 gid=0 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)

type=AVC msg=audit(1440103398.981:809209): avc:  denied  { read } for  pid=12944 comm="smbd" name="cen05-ca-bundle.crt" dev=sde1 ino=47857665 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file

        Was caused by:
        The boolean samba_export_all_rw was set incorrectly.
        Description:
        Allow samba to share any file/directory read/write.

        Allow access by executing:
        # setsebool -P samba_export_all_rw 1
type=AVC msg=audit(1440103398.981:809210): avc:  denied  { read } for  pid=12944 comm="smbd" name="wbcd-CA.crt" dev=sde1 ino=47857666 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file

        Was caused by:
        The boolean samba_export_all_rw was set incorrectly.
        Description:
        Allow samba to share any file/directory read/write.

        Allow access by executing:
        # setsebool -P samba_export_all_rw 1
type=AVC msg=audit(1440103436.050:809211): avc:  denied  { write } for  pid=12944 comm="smbd" name="gnutls" dev=sde1 ino=44908568 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir

        Was caused by:
        The boolean samba_export_all_rw was set incorrectly.
        Description:
        Allow samba to share any file/directory read/write.

        Allow access by executing:
        # setsebool -P samba_export_all_rw 1

setsebool -P samba_export_all_rw 1



#top Nagios


Error: Could not stat() command file '/var/lib/nagios3/rw/nagios.cmd'!
The external command file may be missing, Nagios may not be running, and/or Nagios may not be checking external commands.
An error occurred while attempting to commit your command for processing.
Return from whence you came

restorecon -Rv /var/run/nagios3

restorecon reset /var/run/nagios3/rw context system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0
restorecon reset /var/run/nagios3/rw/nagios.cmd context system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_sys_script_exec_t:s0

ll -Z -d /var/run/nagios3 /var/run/nagios3/rw /var/run/nagios3/rw/nagios.cmd

drwxr-xr-x. nagios nagios system_u:object_r:nagios_var_run_t:s0 /var/run/nagios3/
drwxr-sr-x. nagios apache system_u:object_r:nagios_var_run_t:s0 /var/run/nagios3/rw/
prw-rw----. nagios apache system_u:object_r:nagios_var_run_t:s0 /var/run/nagios3/rw/nagios.cmd|

chcon -Rv system_u:object_r:httpd_sys_content_t:s0 /usr/local/nagios3/share
chcon -Rv system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin
chcon -Rv system_u:object_r:httpd_sys_content_t:s0 /var/lib/nagios3/archives
chcon -v system_u:object_r:httpd_sys_content_t:s0 /var/lib/nagios3/objects.cache /var/lib/nagios3/status.dat
chcon -v system_u:object_r:httpd_sys_rw_content_t:s0 /var/run/nagios3 /var/run/nagios3/rw /var/run/nagios3/rw/nagios.cmd

ll -Z -d /usr/local/nagios3 /usr/local/nagios3/sbin /usr/local/nagios3/sbin/*

drwxr-xr-x. root   root   system_u:object_r:usr_t:s0       /usr/local/nagios3/
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/avail.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/cmd.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/config.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/extinfo.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/histogram.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/history.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/notifications.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/outages.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/showlog.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/status.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/statusmap.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/statuswml.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/statuswrl.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/summary.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/tac.cgi*
-rwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_script_exec_t:s0 /usr/local/nagios3/sbin/trends.cgi*

ll -Z -d /var/lib/nagios3 /var/lib/nagios3/objects.cache /var/lib/nagios3/status.dat

drwxrwxr-x. nagios nagios system_u:object_r:var_lib_t:s0   /var/lib/nagios3/
-rw-r--r--. nagios nagios system_u:object_r:httpd_sys_content_t:s0 /var/lib/nagios3/objects.cache
-rw-r--r--. nagios nagios system_u:object_r:httpd_sys_content_t:s0 /var/lib/nagios3/status.dat

ll -Z -d /var/lib/nagios3 /var/lib/nagios3/archives

drwxrwxr-x. nagios nagios system_u:object_r:var_lib_t:s0   /var/lib/nagios3/
drwxrwxr-x. nagios nagios system_u:object_r:httpd_sys_content_t:s0 /var/lib/nagios3/archives/

ll -Z -d /var/run/nagios3 /var/run/nagios3/rw /var/run/nagios3/rw/nagios.cmd

drwxr-xr-x. nagios nagios system_u:object_r:httpd_sys_rw_content_t:s0 /var/run/nagios3/
drwxr-sr-x. nagios apache system_u:object_r:httpd_sys_rw_content_t:s0 /var/run/nagios3/rw/
prw-rw----. nagios apache system_u:object_r:httpd_sys_rw_content_t:s0 /var/run/nagios3/rw/nagios.cmd|



