Hello,

My problem is adding SELinux policies. Can anyone help and say what is wrong with my policies? I wrote this:

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"

I have multiple instances of TYPO3. I found this construct in the SELinux policies: "/var/www/html(/.*)?/uploads(/.*)?"
but mine is not working?
and I have only errors?

neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244
(neverallow selinuxutil_typeattr_1 semanage_store_t (file (relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:675
(allow restorecond_t non_auth_file_type (file (getattr relabelfrom relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/systemd/cil:1108
(allow systemd_tmpfiles_t non_auth_file_type (file (getattr relabelfrom relabelto)))

neverallow check failed at /etc/selinux/targeted/tmp/modules/100/base/cil:13121
(neverallow base_typeattr_18 scsi_generic_device_t (blk_file (read)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/munin/cil:581
(allow disk_munin_plugin_t device_node (blk_file (ioctl read getattr lock open)))
.........

Or is there a better way to include policies?
On 04/30/2017 07:03 AM, Günther J. Niederwimmer wrote:
> I wrote this:
> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"

OK. Did you get an error?

> I have multiple instances of TYPO3. I found this construct in the SELinux policies: "/var/www/html(/.*)?/uploads(/.*)?"
> but mine is not working?

Can you be specific about what "not working" means? Did you get an error from the semanage command? Are files not labeled correctly?
After setting context rules, you can "restorecon -R -v /var/www/html/" to fix the labels of any existing files. You can see their current labels using "ls -lZ /var/www/html".

> and I have only errors?
> neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244

When do you see that error?
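Added example, not part of the thread: before running restorecon as suggested above, a file-context pattern can be checked against the directory layout it is meant to cover. The sketch uses constructed sample paths and approximates libselinux's fully anchored regex matching with grep -E -x; the function names and the single-instance comparison pattern are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All paths below are constructed samples.
# libselinux anchors every file-context regex at both ends, so "grep -E -x"
# (whole-line match) approximates it for simple patterns like these.
# On a real host, "matchpathcon PATH" and "restorecon -R -n -v DIR" (dry run)
# show what the installed policy would actually assign.

SINGLE='/var/www/html/typo3conf(/.*)?'        # assumed: one TYPO3 in the docroot
MULTI='/var/www/html(/.*)?/typo3conf(/.*)?'   # pattern form used in the thread

# Constructed layout: one instance in the docroot, two in subdirectories.
sample_paths() {
    cat <<'EOF'
/var/www/html/typo3conf
/var/www/html/typo3conf/LocalConfiguration.php
/var/www/html/site1/typo3conf/ext/foo/ext_tables.php
/var/www/html/site2/typo3conf
/var/www/html/site1/index.php
/var/www/html/site1/typo3conf_backup/x.php
EOF
}

# covered PATTERN: print the sample paths the pattern would label.
covered() {
    sample_paths | grep -E -x -- "$1" || true
}

# count_covered PATTERN: number of sample paths the pattern would label.
count_covered() {
    covered "$1" | grep -c . || true
}

# Report both patterns so the difference in coverage is visible.
for pat in "$SINGLE" "$MULTI"; do
    printf 'pattern: %s\n' "$pat"
    printf '  covers %s of the sample paths:\n' "$(count_covered "$pat")"
    covered "$pat" | sed 's/^/    /'
done
```

The multi-instance form labels typo3conf in every subdirectory but, because the match is anchored, leaves the look-alike typo3conf_backup directory and ordinary files such as index.php with their default type.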
Hello,

On Sunday, 30 April 2017 18:40:23 CEST Gordon Messmer wrote:
> On 04/30/2017 07:03 AM, Günther J. Niederwimmer wrote:
>> I wrote this:
>> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
>
> OK. Did you get an error?

I have only errors ;-).
When I want to set this rule:
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
these errors are displayed:
neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244
(neverallow selinuxutil_typeattr_1 semanage_store_t (file (relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:675
(allow restorecond_t non_auth_file_type (file (getattr relabelfrom relabelto)))
<root>
allow at /etc/selinux/targeted/tmp/modules/100/systemd/cil:1108
(allow systemd_tmpfiles_t non_auth_file_type (file (getattr relabelfrom relabelto)))
But the rule is not added/set?

>> I have multiple instances of TYPO3. I found this construct in the SELinux policies: "/var/www/html(/.*)?/uploads(/.*)?"
>> but mine is not working?
>
> Can you be specific about what "not working" means? Did you get an error from the semanage command? Are files not labeled correctly?
> After setting context rules, you can "restorecon -R -v /var/www/html/" to fix the labels of any existing files. You can see their current labels using "ls -lZ /var/www/html".
>
>> and I have only errors?
>> neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244
>
> When do you see that error?
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 04/30/2017 07:24 PM, Günther J. Niederwimmer wrote:
> When I want to set this rule:
> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
> these errors are displayed:
> neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244

I see, now. What happens if you run "find /etc/selinux/targeted/tmp"? I'm not sure if you're getting an error because a tmp file was left behind earlier, or because something is wrong with the command you're running.
Hello,

Thanks for the help!

On Monday, 1 May 2017 04:47:21 CEST Gordon Messmer wrote:
> On 04/30/2017 07:24 PM, Günther J. Niederwimmer wrote:
>> When I want to set this rule:
>> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
>> these errors are displayed:
>> neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244
>
> I see, now. What happens if you run "find /etc/selinux/targeted/tmp"? I'm not sure if you're getting an error because a tmp file was left behind earlier, or because something is wrong with the command you're running.

Nothing?
But now I have made a new installation of the server, and the rule is working without errors and is installed??

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
If the content is located under /var/www then you could use restorecon -Rvv to restore the context of all content under /var/www to the default context label as provided by Apache.
----- On 30 Apr, 2017, at 07:03, Günther J. Niederwimmer gjn@gjn.priv.at wrote:
| Hello,
|
| My problem is to add selinux policies
| can any help to say what is wrong with my policies
| I write this!
|
| semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?/typo3conf(/.*)?"
|
| I have more instances from typo3
| I found this construct in the selinux policies
| "/var/www/html(/.*)?/uploads(/.*)?"
|
| but my is not working ?
|
| and I have only errors?
|
| neverallow check failed at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:244
| (neverallow selinuxutil_typeattr_1 semanage_store_t (file (relabelto)))
| <root>
| allow at /etc/selinux/targeted/tmp/modules/100/selinuxutil/cil:675
| (allow restorecond_t non_auth_file_type (file (getattr relabelfrom relabelto)))
| <root>
| allow at /etc/selinux/targeted/tmp/modules/100/systemd/cil:1108
| (allow systemd_tmpfiles_t non_auth_file_type (file (getattr relabelfrom relabelto)))
|
| neverallow check failed at /etc/selinux/targeted/tmp/modules/100/base/cil:13121
| (neverallow base_typeattr_18 scsi_generic_device_t (blk_file (read)))
| <root>
| allow at /etc/selinux/targeted/tmp/modules/100/munin/cil:581
| (allow disk_munin_plugin_t device_node (blk_file (ioctl read getattr lock open)))
| .........
|
| or is a other way to include policies better ?
| --
| mit freundlichen Grüssen / best regards
|
| Günther J. Niederwimmer
| _______________________________________________
| CentOS mailing list
| CentOS@centos.org
| https://lists.centos.org/mailman/listinfo/centos