Questions tagged [selinux]
SELinux (Security-Enhanced Linux) is an implementation of a flexible role-based, mandatory access control (MAC) architecture on Linux through kernel modifications and user-tools. It is primarily used to confine system processes and users beyond the basic Discretionary Access Controls (DAC) mechanism or access-control list found on *nix systems.
621 questions
0 votes, 0 answers, 22 views
setting up PXE and DHCP server on RHEL VM
So I am trying to set up a kickstart server with pxeboot and dhcp server (for ks) on RHEL 8 VM. When I capture network traffic I do not see any pxe/tftp traffic coming to the VM or the host....
I tried ...
1 vote, 2 answers, 51 views
Log all journald messages to AWS Cloudwatch
I'm migrating our existing Amazon Linux 2 servers to Amazon Linux 2023. One of the changes is that the AL2023 now uses journald for its logging. I have the requirement to have all logging in AWS ...
2 votes, 0 answers, 81 views
How to configure smartd, s-nail and selinux to get sending mails to work?
I am trying to configure smartd to send mails via s-nail on Fedora 41.
I created a .mailrc file (in which I have set the mta variable to directly send via smtps, there is no sendmail installed) in ...
0 votes, 0 answers, 24 views
SELinux Blocking Actions in AuditD Plugin – How to Resolve Without Switching to Permissive Mode?
Problem:
I'm facing an issue where SELinux is blocking certain actions of my application, which runs as a plugin for auditd. I've been trying to generate the necessary SELinux policy using audit2allow,...
0 votes, 1 answer, 37 views
SElinux Blocking SSH from SystemD Service
Background
I am setting up an rsync backup over SSH service via SystemD. This is ultimately failing to run due to local SElinux; minimum reproducible example:
[Unit]
Description=Rsync backup service
...
0 votes, 1 answer, 25 views
Persistent SELinux permissions: restorecon vs. chcon vs. semanage
I have a web server that is running SELinux.
On this server, I have set the permissions for the /var/www directory using chcon -R -t httpd_sys_rw_content_t, which seems to work correctly. I have also ...
1 vote, 0 answers, 86 views
How do I get rootless podman to work with nvidia gpu after reboot?
I have a RHEL9 system with a NVIDIA L40S and Driver Version: 570.124.06 CUDA Version: 12.8.
Installed as described here by (basically) running:
# dnf config-manager --add-repo http://developer....
0 votes, 0 answers, 176 views
Accessing Docker Unix Socket from a Podman Container on a Remote Server (SSH)
I'm trying to access a Docker Unix socket on a remote server from within a Podman container (offen/docker-volume-backup).
I've (root-)mounted the entire root filesystem of the remote server using ...
1 vote, 0 answers, 26 views
Issue with TigerVNC for Yocto-Based Linux with SELinux: PAM and SELinux Context Errors
I am running TigerVNC version 1.14.1 on a Yocto-based Linux system with SELinux enabled. The issue I’m facing is related to starting the VNC server service when SELinux policies are in place. Below is ...
0 votes, 1 answer, 83 views
SELinux with the systemd
I have one doubt regarding assigning the SELinux context to the systemd-service using the following syntax
[Service]
User=your_service_user
Group=your_service_group
# Add this line to assign the ...
0 votes, 1 answer, 149 views
Permission denied on simple podman curl container oneliner (CoreOS system)
On a relatively fresh and simple CoreOS system, trying to run the following command:
podman run --rm docker.io/curlimages/curl -v host.containers.internal:2040
Results in the following error:
{"...
10 votes, 3 answers, 1k views
Prevent application from being executed by any local user except systemd
I need to run the binary that I don't fully trust.
I've created a systemd unit for it where it's locked down as much as humanly possible, it works great.
Now it's still on my system (Fedora) and I may ...
0 votes, 1 answer, 324 views
How to restore SELinux context for home directory?
I installed fresh new Fedora 41 Xfce with /home/kuba directory in different partition from Fedora updated since version 35. The upgrade failed (maybe because I deleted pulsesecure without uninstalling ...
2 votes, 1 answer, 90 views
Can I restrict root user from accessing block devices directly, enforcing filesystem-only access?
Can a policy of SELinux that restricts the root user from writing data to the block devices directly (e.g. through dd command) regardless of whether they were created through the usage of mknod ...
0 votes, 1 answer, 96 views
Why httpd can read files with tag "httpd_sys_content_t" in SELinux?
I used the below command to check related policy rules, and only found the following 2 related rules:
[root@system1 home]# sesearch -A -s httpd_t -t httpd_sys_content_t -ds -dt
allow httpd_t ...