dac_override and dac_read_search capabilities usually indicates that the root process does not have access to a file based on the permission flags. This usually mean you have some file with the wrong ownership/permissions on it. SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. SELinux denied access requested by $SOURCE. The current boolean settings do not allow this access. If you have not setup $SOURCE to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access. SELinux has denied $SOURCE "$ACCESS" access to device $TARGET_PATH. $TARGET_PATH is mislabeled, this device has the default label of the /dev directory, which should not happen. 
All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v '$TARGET_PATH'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bug report. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for $TARGET_PATH, you can use chcon -t SIMILAR_TYPE '$TARGET_PATH', If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH' If the restorecon changes the context, this indicates that the application that created the device, created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application. Attempt restorecon -v '$TARGET_PATH' or chcon -t SIMILAR_TYPE '$TARGET_PATH' Changing the "$BOOLEAN" boolean to true will allow this access: "setsebool -P $BOOLEAN=1" Changing the "$BOOLEAN" boolean to true will allow this access: "setsebool -P $BOOLEAN=1." Changing the "allow_ftpd_use_nfs" boolean to true will allow this access: "setsebool -P allow_ftpd_use_nfs=1." Changing the file_context to mnt_t will allow mount to mount the file system: "chcon -t mnt_t '$TARGET_PATH'." You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t mnt_t '$FIX_TARGET_PATH'" Confined domains should not require "sys_resource". This usually means that your system is running out some system resource like disk space, memory, quota etc. Please clear up the disk and this AVC message should go away. If this AVC continues after you clear up the disk space, please report this as a bug. Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. 
If httpd scripts should be allowed to write to public directories you need to turn on the $BOOLEAN boolean and change the file context of the public directory to public_content_rw_t. Read the httpd_selinux man page for further information: "setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t " You must also change the default file context labeling files on the system in order to preserve public directory labeling even on a full relabel. "semanage fcontext -a -t public_content_rw_t " If you trust $TARGET_PATH to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '$TARGET_PATH'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH'" If you want $SOURCE to continue, you must turn on the $BOOLEAN boolean. Note: This boolean will affect all applications on the system. If you want httpd to send mail you need to turn on the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1" If you want to allow $SOURCE to bind to port $PORT_NUMBER, you can execute # semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER where PORT_TYPE is one of the following: %s. If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem. setsebool -P allow_ypbind=1. If you want to allow $SOURCE to connect to $PORT_NUMBER, you can execute # sandbox -X -t sandbox_net_t $SOURCE If you want to allow $SOURCE to connect to $PORT_NUMBER, you can execute # semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER where PORT_TYPE is one of the following: %s. If you want to change the file context of $TARGET_PATH so that the automounter can execute it you can execute "chcon -t bin_t $TARGET_PATH". If you want this to survive a relabel, you need to permanently change the file context: execute "semanage fcontext -a -t bin_t '$FIX_TARGET_PATH'". SELinux denied $SOURCE access to $TARGET_PATH. 
If this is a swapfile, it has to have a file context label of swapfile_t. If you did not intend to use $TARGET_PATH as a swapfile, this message could indicate either a bug or an intrusion attempt. SELinux denied RSYNC access to $TARGET_PATH. If this is an RSYNC repository, it has to have a file context label of rsync_data_t. If you did not intend to use $TARGET_PATH as an RSYNC repository, this message could indicate either a bug or an intrusion attempt. SELinux denied access requested by $SOURCE. $SOURCE_PATH may be mislabeled. $SOURCE_PATH default SELinux type is %s, but its current type is $SOURCE_TYPE. Changing this file back to the default type may fix your problem.

This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report against this package. SELinux denied access requested by $SOURCE. $TARGET_PATH may be mislabeled. $TARGET_PATH default SELinux type is %s, but its current type is $TARGET_TYPE. Changing this file back to the default type may fix your problem.

File contexts can be assigned to a file in the following ways.

  • Files created in a directory receive the file context of the parent directory by default.
  • The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhcpc_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
  • Users can change the file context on a file using tools such as chcon, or restorecon.
This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report against this package. SELinux denied access requested by $SOURCE. $TARGET_PATH may be mislabeled. openvpn is allowed to read content in home directory if it is labeled correctly. SELinux denied access requested by $SOURCE. $TARGET_PATH may be mislabeled. sshd is allowed to read content in /root/.ssh directory if it is labeled correctly. SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. mozplugger and spice-xpi run applications within mozilla-plugins that require access to the desktop, that the mozilla_plugin lockdown will not allow, so either you need to turn off the mozilla_plugin lockdown or not use these packages. SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. spice-xpi run applications within mozilla-plugins that require access to the desktop, that the mozilla_plugin lockdown will not allow, so either you need to turn off the mozilla_plugin lockdown or not use these packages. SELinux denied access requested by the $SOURCE command. It looks like this is either a leaked descriptor or $SOURCE output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. 
The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the $TARGET_PATH. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc. SELinux denied access to $TARGET_PATH requested by $SOURCE. $TARGET_PATH has a context used for sharing by a different program. If you would like to share $TARGET_PATH from $SOURCE also, you need to change its file context to public_content_t. If you did not intend to allow this access, this could signal an intrusion attempt. SELinux denied cvs access to $TARGET_PATH. If this is a CVS repository it needs to have a file context label of cvs_data_t. If you did not intend to use $TARGET_PATH as a CVS repository it could indicate either a bug or it could signal an intrusion attempt. SELinux denied samba access to $TARGET_PATH. If you want to share this directory with samba it has to have a file context label of samba_share_t. If you did not intend to use $TARGET_PATH as a samba repository, this message could indicate either a bug or an intrusion attempt. Please refer to 'man samba_selinux' for more information on setting up Samba and SELinux. SELinux denied svirt access to $TARGET_PATH. If this is a virtualization image, it has to have a file context label of virt_image_t. The system is setup to label image files in directory./var/lib/libvirt/images correctly. We recommend that you copy your image file to /var/lib/libvirt/images. If you really want to have your image files in the current directory, you can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization image it could indicate either a bug or an intrusion attempt. SELinux denied svirt access to the block device $TARGET_PATH. 
If this is a virtualization image, it needs to be labeled with a virtualization file context (virt_image_t). You can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization image it could indicate either a bug or an intrusion attempt. SELinux denied xen access to $TARGET_PATH. If this is a XEN image, it has to have a file context label of xen_image_t. The system is setup to label image files in directory /var/lib/xen/images correctly. We recommend that you copy your image file to /var/lib/xen/images. If you really want to have your xen image files in the current directory, you can relabel $TARGET_PATH to be xen_image_t using chcon. You also need to execute semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH' to add this new path to the system defaults. If you did not intend to use $TARGET_PATH as a xen image it could indicate either a bug or an intrusion attempt. SELinux has denied $SOURCE from connecting to a network port $PORT_NUMBER which does not have an SELinux type associated with it. If $SOURCE should be allowed to connect on $PORT_NUMBER, use the semanage command to assign $PORT_NUMBER to a port type that $SOURCE_TYPE can connect to (%s). If $SOURCE is not supposed to connect to $PORT_NUMBER, this could signal an intrusion attempt. SELinux has denied $SOURCE from connecting to a network port $PORT_NUMBER within a sandbox. If $SOURCE should be allowed to connect on $PORT_NUMBER, you need to use a different sandbox type like sandbox_web_t or sandbox_net_t. # sandbox -X -t sandbox_net_t $SOURCE If $SOURCE is not supposed to connect to $PORT_NUMBER, this could signal an intrusion attempt. SELinux has denied the $SOURCE access to potentially mislabeled files $TARGET_PATH. This means that SELinux will not allow httpd to use these files. 
If httpd should be allowed this access to these files you should change the file context to one of the following types, %s. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. SELinux has denied the $SOURCE from binding to a network port $PORT_NUMBER which does not have an SELinux type associated with it. If $SOURCE should be allowed to listen on $PORT_NUMBER, use the semanage command to assign $PORT_NUMBER to a port type that $SOURCE_TYPE can bind to (%s). If $SOURCE is not supposed to bind to $PORT_NUMBER, this could signal an intrusion attempt. SELinux has denied the $SOURCE the ability to mmap low area of the kernel address space. The ability to mmap a low area of the address space is configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps protect against exploiting null deref bugs in the kernel. All applications that need this access should have already had policy written for them. If a compromised application tries to modify the kernel, this AVC would be generated. This is a serious issue. Your system may very well be compromised. SELinux has denied the $SOURCE_PATH from executing potentially mislabeled files $TARGET_PATH. Automounter can be setup to execute configuration files. If $TARGET_PATH is an automount executable configuration file it needs to have a file label of bin_t. If automounter is trying to execute something that it is not supposed to, this could indicate an intrusion attempt. SELinux has denied the http daemon from sending mail. An httpd script is trying to connect to a mail port or execute the sendmail command. If you did not setup httpd to sendmail, this could signal an intrusion attempt. SELinux has prevented $SOURCE from loading a kernel module. All confined programs that need to load kernel modules should have already had policy written for them. 
If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised. SELinux has prevented $SOURCE from modifying $TARGET. This denial indicates $SOURCE was trying to modify the selinux policy configuration. All applications that need this access should have already had policy written for them. If a compromised application tries to modify the SELinux policy this AVC will be generated. This is a serious issue. Your system may very well be compromised. SELinux has prevented $SOURCE from modifying $TARGET. This denial indicates $SOURCE was trying to modify the way the kernel runs or to actually insert code into the kernel. All applications that need this access should have already had policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised. SELinux has prevented $SOURCE from writing to a file under /sys/fs/selinux. Files under /sys/fs/selinux control the way SELinux is configured. All programs that need to write to files under /sys/fs/selinux should have already had policy written for them. If a compromised application tries to turn off SELinux this AVC will be generated. This is a serious issue. Your system may very well be compromised. SELinux has prevented vbetool from performing an unsafe memory operation. SELinux has prevented wine from performing an unsafe memory operation. SELinux is preventing $SOURCE from creating a file with a context of $SOURCE_TYPE on a filesystem. Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, "cp -a" for example. Not all file contexts should be maintained between the file systems. For example, a read-only file type like iso9660_t should not be placed on a r/w system. "cp -p" might be a better solution, as this will adopt the default file context for the destination. 
SELinux is preventing $SOURCE_PATH "$ACCESS" access on $TARGET_PATH. SELinux is preventing $SOURCE_PATH "$ACCESS" access to $TARGET_PATH. SELinux is preventing $SOURCE_PATH "$ACCESS" access to device $TARGET_PATH. SELinux is preventing $SOURCE_PATH "$ACCESS" to $TARGET_PATH. SELinux is preventing $SOURCE_PATH access to a leaked $TARGET_PATH file descriptor. SELinux is preventing $SOURCE_PATH from binding to port $PORT_NUMBER. SELinux is preventing $SOURCE_PATH from changing the access protection of memory on the heap. SELinux is preventing $SOURCE_PATH from connecting to port $PORT_NUMBER. SELinux is preventing $SOURCE_PATH from creating a file with a context of $SOURCE_TYPE on a filesystem. SELinux is preventing $SOURCE_PATH from loading $TARGET_PATH which requires text relocation. SELinux is preventing $SOURCE_PATH from making the program stack executable. SELinux is preventing $SOURCE_PATH the "$ACCESS" capability. SELinux is preventing $SOURCE_PATH the "sys_resource" capability. SELinux is preventing Samba ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH. SELinux is preventing access to a file labeled unlabeled_t. SELinux is preventing cvs ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH SELinux is preventing the $SOURCE_PATH from executing potentially mislabeled files $TARGET_PATH. SELinux is preventing the http daemon from sending mail. SELinux is preventing xen ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH. SELinux permission checks on files labeled unlabeled_t are being denied. unlabeled_t is a context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled unlabeled_t. If you have just added a disk drive to the system, you can relabel it using the restorecon command. For example if you saved the home directory from a previous installation that did not use SELinux, 'restorecon -R -v /home' will fix the labels. Otherwise you should relabel the entire file system. 
SELinux policy is preventing an httpd script from writing to a public directory. SELinux policy is preventing an httpd script from writing to a public directory. If httpd is not setup to write to public directories, this could signal an intrusion attempt. SELinux prevented $SOURCE from mounting a filesystem on the file or directory "$TARGET_PATH" of type "$TARGET_TYPE". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "$TARGET_TYPE" does not have this attribute. You can change the label of the file or directory. SELinux prevented $SOURCE from mounting on the file or directory "$TARGET_PATH" (type "$TARGET_TYPE"). SELinux prevented httpd $ACCESS access to $TARGET_PATH. httpd scripts are not allowed to write to content without explicit labeling of all files. If $TARGET_PATH is writable content. it needs to be labeled httpd_sys_rw_content_t or if all you need is append you can label it httpd_sys_ra_content_t. Please refer to 'man httpd_selinux' for more information on setting up httpd and selinux. SELinux prevented httpd $ACCESS access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the $BOOLEAN turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read only content, it needs to be labeled httpd_TYPE_content_t. If it is writable content, it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these context. Please refer to the man page "man httpd_selinux" or FAQ "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types. SELinux prevented httpd $ACCESS access to http files. SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem. 
SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem. CIFS (Comment Internet File System) is a network filesystem similar to SMB (http://www.microsoft.com/mind/1196/cifs.asp) The ftp daemon attempted to read one or more files or directories from a mounted filesystem of this type. As CIFS filesystems do not support fine-grained SELinux labeling, all files and directories in the filesystem will have the same security context. If you have not configured the ftp daemon to read files from a CIFS filesystem this access attempt could signal an intrusion attempt. SELinux prevented the ftp daemon from $ACCESS files stored on a NFS filesystem. SELinux prevented the ftp daemon from $ACCESS files stored on a NFS filesystem. NFS (Network Filesystem) is a network filesystem commonly used on Unix / Linux systems. The ftp daemon attempted to read one or more files or directories from a mounted filesystem of this type. As NFS filesystems do not support fine-grained SELinux labeling, all files and directories in the filesystem will have the same security context. If you have not configured the ftp daemon to read files from a NFS filesystem this access attempt could signal an intrusion attempt. Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. The $SOURCE application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. 
If $SOURCE does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package. The $SOURCE application attempted to load $TARGET_PATH which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow $TARGET_PATH to use relocation as a workaround, until the library is fixed. Please file a bug report. The $SOURCE application attempted to load $TARGET_PATH which requires text relocation. This is a potential security problem. Most libraries should not need this permission. The SELinux Memory Protection Tests web page explains this check. This tool examined the library and it looks like it was built correctly. So setroubleshoot can not determine if this application is compromised or not. This could be a serious issue. Your system may very well be compromised. Contact your security administrator and report this issue. The $SOURCE application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If $SOURCE does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report. Use a command like "cp -p" to preserve all permissions except SELinux context. 
You can alter the file context by executing chcon -R -t cvs_data_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t cvs_data_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -R -t rsync_data_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t rsync_data_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -R -t samba_share_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -t public_content_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t public_content_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -t swapfile_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t swapfile_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -t virt_image_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -t xen_image_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'" You can execute the following command as root to relabel your computer system: "touch /.autorelabel; reboot" You can generate a local policy module to allow this access - see FAQ Please file a bug report. 
You can generate a local policy module to allow this access - see FAQ You can restore the default system context to this file by executing the restorecon command. # restorecon -R /root/.ssh You can restore the default system context to this file by executing the restorecon command. # restorecon -R /root/.ssh You can restore the default system context to this file by executing the restorecon command. restorecon '$SOURCE_PATH'. You can restore the default system context to this file by executing the restorecon command. restorecon '$TARGET_PATH', if this file is a directory, you can recursively restore using restorecon -R '$TARGET_PATH'. Your system may be seriously compromised! Your system may be seriously compromised! $SOURCE_PATH attempted to mmap low kernel memory. Your system may be seriously compromised! $SOURCE_PATH tried to load a kernel module. Your system may be seriously compromised! $SOURCE_PATH tried to modify SELinux enforcement. Your system may be seriously compromised! $SOURCE_PATH tried to modify kernel configuration. Disable IPV6 properly. Either remove the mozplluger package by executing 'yum remove mozplugger' Or turn off enforcement of SELinux over the Firefox plugins. setsebool -P unconfined_mozilla_plugin_transition 0 Either remove the mozplugger or spice-xpi package by executing 'yum remove mozplugger spice-xpi' or turn off enforcement of SELinux over the Firefox plugins. setsebool -P unconfined_mozilla_plugin_transition 0 Either remove the mozplugger or spice-xpi package by executing 'yum remove mozplugger spice-xpi', or turn off enforcement of SELinux over the Chrome plugins. setsebool -P unconfined_chrome_sandbox_transition 0 If you decide to continue to run the program in question you will need to allow this operation. This can be done on the command line by executing: # setsebool -P mmap_low_allowed 1 SELinux denied an operation requested by $SOURCE, a program used to alter video hardware state. 
This program is known to use an unsafe operation on system memory but so are a number of malware/exploit programs which masquerade as vbetool. This tool is used to reset video state when a machine resumes from a suspend. If your machine is not resuming properly your only choice is to allow this operation and reduce your system security against such malware. SELinux denied an operation requested by wine-preloader, a program used to run Windows applications under Linux. This program is known to use an unsafe operation on system memory but so are a number of malware/exploit programs which masquerade as wine. If you were attempting to run a Windows program your only choices are to allow this operation and reduce your system security against such malware or to refrain from running Windows applications under Linux. If you were not attempting to run a Windows application this indicates you are likely being attacked by some for of malware or program trying to exploit your system for nefarious purposes. Please refer to http://wiki.winehq.org/PreloaderPageZeroProblem Which outlines the other problems wine encounters due to its unsafe use of memory and solutions to those problems. Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. You tried to place a type on a %s that is not a file type. This is not allowed, you must assigne a file type. You can list all file types using the seinfo command. seinfo -afile_type -x Changing the "$BOOLEAN" and "$WRITE_BOOLEAN" booleans to true will allow this access: "setsebool -P $BOOLEAN=1 $WRITE_BOOLEAN=1". warning: setting the "$WRITE_BOOLEAN" boolean to true will allow the ftp daemon to write to all public content (files and directories with type public_content_t) in addition to writing to files and directories on CIFS filesystems. 
Changing the "allow_ftpd_use_nfs" and "ftpd_anon_write" booleans to true will allow this access: "setsebool -P allow_ftpd_use_nfs=1 ftpd_anon_write=1". warning: setting the "ftpd_anon_write" boolean to true will allow the ftp daemon to write to all public content (files and directories with type public_content_t) in addition to writing to files and directories on NFS filesystems.

# ausearch -x $SOURCE_PATH --raw | audit2allow -D -M my-$SOURCE
# semodule -X 300 -i my-$SOURCE.pp

# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: %s.
Then execute:
restorecon -v '$FIX_TARGET_PATH'

# semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'

# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH%s'
# restorecon %s -v '$FIX_TARGET_PATH'

# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'

# semanage port -a -t %s -p %s $PORT_NUMBER

# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
where PORT_TYPE is one of the following: %s.

A process might be attempting to hack into your system.
Add net.ipv6.conf.all.disable_ipv6 = 1 to /etc/sysctl.conf

Allow this access for now by executing:
# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
# semodule -X 300 -i my-$MODULE_NAME.pp

Change file context.
Change label
Change label on the library.
Change the file label to xen_image_t.
Contact your security administrator and report this issue.
Disable SELinux controls on Chrome plugins
Enable booleans
Enable booleans.
If $TARGET_BASE_PATH is a virtualization target
If $TARGET_BASE_PATH should be shared via the RSYNC daemon
If $TARGET_BASE_PATH should be shared via the cvs daemon
If you believe $SOURCE_BASE_PATH should be allowed to create $TARGET_BASE_PATH files
If you believe $SOURCE_PATH tried to disable SELinux.
If you believe that %s should not require execstack
If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on $TARGET_CLASS labeled $TARGET_TYPE by default.
If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on processes labeled $TARGET_TYPE by default.
If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on the $TARGET_BASE_PATH $TARGET_CLASS by default.
If you believe that $SOURCE_BASE_PATH should have the $ACCESS capability by default.
If you did not directly cause this AVC through testing.
If you do not believe that $SOURCE_PATH should be attempting to modify the kernel by loading a kernel module.
If you do not believe your $SOURCE_PATH should be modifying the kernel, by loading kernel modules
If you do not think $SOURCE_BASE_PATH should try $ACCESS access on $TARGET_BASE_PATH.
If you do not think $SOURCE_PATH should need to map heap memory that is both writable and executable.
If you do not think $SOURCE_PATH should need to map stack memory that is both writable and executable.
If you do not think $SOURCE_PATH should need to mmap low memory in the kernel.
If you do not want processes to require capabilities to use up all the system resources on your system;
If you think this is caused by a badly mislabeled machine.
If you want to %s
If you want to allow $SOURCE_BASE_PATH to mount on $TARGET_BASE_PATH.
If you want to allow $SOURCE_PATH to be able to write to shared public content
If you want to allow $SOURCE_PATH to bind to network port $PORT_NUMBER
If you want to allow $SOURCE_PATH to connect to network port $PORT_NUMBER
If you want to allow ftpd to write to cifs file systems
If you want to allow ftpd to write to nfs file systems
If you want to allow httpd to execute cgi scripts and to unify HTTPD handling of all content files.
If you want to allow httpd to send mail
If you want to change the label of $TARGET_PATH to %s, you are not allowed to since it is not a valid file type.
If you want to disable IPV6 on this machine
If you want to fix the label. $SOURCE_PATH default label should be %s.
If you want to fix the label. $TARGET_PATH default label should be %s.
If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
If you want to ignore $SOURCE_BASE_PATH trying to $ACCESS access the $TARGET_BASE_PATH $TARGET_CLASS, because you believe it should not need this access.
If you want to ignore this AVC because it is dangerous and your machine seems to be working correctly.
If you want to ignore this AVC because it is dangerous and your wine applications are working correctly.
If you want to modify the label on $TARGET_BASE_PATH so that $SOURCE_BASE_PATH can have $ACCESS access on it
If you want to mv $TARGET_BASE_PATH to standard location so that $SOURCE_BASE_PATH can have $ACCESS access
If you want to continue using SELinux Firefox plugin containment rather than using mozplugger package
If you want to treat $TARGET_BASE_PATH as public content
If you want to use the %s package
Relabel the whole file system. Includes reboot!
Restore Context
Restore Context
SELinux is preventing $SOURCE_PATH "$ACCESS" access.
Set the image label to virt_image_t.
This is caused by a newly created file system.
Try to fix the label.
Turn off memory protection
You can read '%s' man page for more details.
You might have been hacked.
You must tell SELinux about this by enabling the '%s' boolean.
You need to change the label on $FIX_TARGET_PATH
You need to change the label on $TARGET_BASE_PATH
You need to change the label on $TARGET_BASE_PATH to public_content_t or public_content_rw_t.
You need to change the label on $TARGET_BASE_PATH'
You need to change the label on $TARGET_PATH to a type of a similar device.
You need to change the label on '$FIX_TARGET_PATH'
You should report this as a bug. You can generate a local policy module to allow this access.
You should report this as a bug. You can generate a local policy module to dontaudit this access.
execstack -c %s
if you think that you might have been hacked
setsebool -P %s %s
turn on full auditing to get path information about the offending file and generate the error again.
use a command like "cp -p" to preserve all permissions except SELinux context.
you can run restorecon.
you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
you may be under attack by a hacker, since confined applications should never need this access.
you may be under attack by a hacker, since confined applications should not need this access.
you may be under attack by a hacker, this is a very dangerous access.
you must change the labeling on $TARGET_PATH.
you must fix the labels.
you must move the cert file to the ~/.cert directory
you must pick a valid file label.
you must remove the mozplugger package.
you must setup SELinux to allow this
you must tell SELinux about this
you must tell SELinux about this by enabling the 'httpd_unified' and 'http_enable_cgi' booleans
you must tell SELinux about this by enabling the vbetool_mmap_zero_ignore boolean.
you must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean.
you must turn off SELinux controls on the Chrome plugins.
you must turn off SELinux controls on the Firefox plugins.
you need to add labels to it.
you need to change the label on $TARGET_PATH to public_content_rw_t, and potentially turn on the allow_httpd_sys_script_anon_write boolean.

you need to diagnose why your system is running out of system resources and fix the problem. According to /usr/include/linux/capability.h, sys_resource is required to:
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

you need to fully relabel.
you need to modify the sandbox type. sandbox_web_t or sandbox_net_t. For example: sandbox -X -t sandbox_net_t $SOURCE_PATH Please read 'sandbox' man page for more details.
you need to report a bug. This is a potentially dangerous access.
you need to report a bug. This is a potentially dangerous access.
you need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and do not blacklist the module'
you need to use a different command. You are not allowed to preserve the SELinux context on the target file system.
you should clear the execstack flag and see if $SOURCE_PATH works correctly. Report this as a bug on %s. You can clear the execstack flag by executing:

Project-Id-Version: PACKAGE VERSION
Report-Msgid-Bugs-To:
PO-Revision-Date: 2020-09-03 13:29+0000
Last-Translator: Göran Uddeborg
Language-Team: Swedish
Language: sv
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Plural-Forms: nplurals=2; plural=n != 1;
X-Generator: Weblate 4.2.2

The dac_override and dac_read_search capabilities usually indicate that the root process does not have access to a file based on the permission flags. This usually means that you have some file with the wrong ownership/permissions on it.

SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
SELinux denied access requested by $SOURCE. The current boolean settings do not allow this access. If you have not set up $SOURCE to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

SELinux has denied $SOURCE "$ACCESS" access to device $TARGET_PATH. $TARGET_PATH is mislabeled, this device has the default label of the /dev directory, which should not happen. All character and/or block devices should have a label. You can attempt to change the label of the file using restorecon -v '$TARGET_PATH'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bug report. If you look at the labels of other similar devices, ls -lZ /dev/SIMILAR, and find a type that would work for $TARGET_PATH, you can use chcon -t SIMILAR_TYPE '$TARGET_PATH'. If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'. If restorecon changes the context, this may indicate that the application that created the device created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application.

Attempt restorecon -v '$TARGET_PATH' or chcon -t SIMILAR_TYPE '$TARGET_PATH'

Changing the "$BOOLEAN" boolean to true will allow this access: "setsebool -P $BOOLEAN=1"

Changing the "$BOOLEAN" boolean to true will allow this access: "setsebool -P $BOOLEAN=1"

Changing the "allow_ftpd_use_nfs" boolean will allow this access: "setsebool -P allow_ftpd_use_nfs=1."

Changing the file context to mnt_t will allow mount to mount the file system: "chcon -t mnt_t '$TARGET_PATH'." You must also change the default file context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t mnt_t '$FIX_TARGET_PATH'"

Confined domains should not require "sys_resource". This usually means that your system is running out of some system resource like disk space, memory, quota etc. Please clear up the disk and this AVC message should go away. If this AVC continues after you clear up the disk space, please report this as a bug.

Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn access on/off as needed.

If httpd scripts should be allowed to write to public directories you need to turn on the $BOOLEAN boolean and change the file context of the public directory to public_content_rw_t. Read the httpd_selinux man page for further information: "setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t " You must also change the default file context labeling files on the system in order to preserve public directory labeling even on a full relabel. "semanage fcontext -a -t public_content_rw_t "

If you trust $TARGET_PATH to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '$TARGET_PATH'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH'"

If you want $SOURCE to continue, you must turn on the $BOOLEAN boolean. Note: This boolean affects all applications on the system.

If you want to allow httpd to send mail you need to turn on the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1"

If you want to allow $SOURCE to bind to port $PORT_NUMBER, you can execute # semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER where PORT_TYPE is one of the following: %s. If this system is running an NIS client, turning on the allow_ypbind boolean may fix the problem. setsebool -P allow_ypbind=1.
If you want to allow $SOURCE to connect to $PORT_NUMBER, you can execute # sandbox -X -t sandbox_net_t $SOURCE

If you want to allow $SOURCE to connect to $PORT_NUMBER, you can execute # semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER where PORT_TYPE is one of the following: %s.

If you want to change the file context of $TARGET_PATH so that the automounter can execute it you can execute "chcon -t bin_t $TARGET_PATH". If you want this to survive a relabel, you have to permanently change the file context: execute "semanage fcontext -a -t bin_t '$FIX_TARGET_PATH'".

SELinux denied $SOURCE access to $TARGET_PATH. If this is a swap file it has to have a file context label of swapfile_t. If you did not intend to use $TARGET_PATH as a swap file, this message could indicate either a bug or an intrusion attempt.

SELinux denied RSYNC access to $TARGET_PATH. If this is an rsync repository it has to have a file context label of rsync_data_t. If you did not intend to use $TARGET_PATH as an rsync repository, this message could indicate either a bug or an intrusion attempt.

SELinux denied access requested by $SOURCE. $SOURCE_PATH may be mislabeled. The default SELinux type of $SOURCE_PATH is %s, but its current type is $SOURCE_TYPE. Changing this back to the default type may fix your problem.

This file could have been mislabeled either by user error, or if a normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

SELinux denied access requested by $SOURCE. $TARGET_PATH may be mislabeled. The default SELinux type for $TARGET_PATH is %s, but its current type is $TARGET_TYPE. Changing this file back to its default type may fix your problem.

File contexts can be assigned to a file in the following ways.

  • Files created in a directory receive the file context of the parent directory by default.
  • The SELinux policy can override this default label inherited from the parent directory by specifying that a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhcpc_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
  • Users can change the file context on a file using tools such as chcon or restorecon.
This file could have been mislabeled either by user error, or if a normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

SELinux denied access requested by $SOURCE. $TARGET_PATH may be mislabeled. openvpn is allowed to read content in the /root/.ssh directory if it is labeled correctly.

SELinux denied access requested by $SOURCE. $TARGET_PATH may be mislabeled. sshd is allowed to read content in the /root/.ssh directory if it is labeled correctly.

SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. mozplugger and spice-xpi run applications within mozilla-plugins that require access to the desktop, which the mozilla_plugin lockdown does not allow, so either you need to turn off the mozilla_plugin lockdown or not use these packages.

SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. spice-xpi runs applications within mozilla-plugins that require access to the desktop, which the mozilla_plugin lockdown does not allow, so either you need to turn off the mozilla_plugin lockdown or not use these packages.

SELinux denied access requested by the $SOURCE command.
It looks like this is either a leaked descriptor or output from $SOURCE was redirected to a file it is not allowed to access. Leaks can usually be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in $TARGET_PATH. You should file a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

SELinux denied access to $TARGET_PATH requested by $SOURCE. $TARGET_PATH has a context used for sharing with a different program. If you would like to share $TARGET_PATH from $SOURCE also, you need to change its file context to public_content_t. If you did not intend to allow this access, this could signal an intrusion attempt.

SELinux denied cvs access to $TARGET_PATH. If this is a CVS repository it needs to have a file context label of cvs_data_t. If you did not intend to use $TARGET_PATH as a CVS repository it could indicate either a bug or it could signal an intrusion attempt.

SELinux denied samba access to $TARGET_PATH. If you want to share this directory with samba it has to have a file context label of samba_share_t. If you did not intend to use $TARGET_PATH as a samba repository, this message could indicate either a bug or an intrusion attempt. Please refer to "man samba_selinux" for more information on setting up Samba and SELinux.

SELinux denied svirt access to $TARGET_PATH. If this is a virtualization image, it has to have a file context label of virt_image_t. The system is set up to label image files in the directory /var/lib/libvirt/images correctly. We recommend that you copy your image file to /var/lib/libvirt/images. If you really want to have your image files in the current directory, you can relabel $TARGET_PATH to be virt_image_t using chcon.
You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization image it could indicate either a bug or an intrusion attempt.

SELinux denied svirt access to the block device $TARGET_PATH. If this is a virtualization image, it needs to be labeled with a virtualization file context (virt_image_t). You can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization image it could indicate either a bug or an intrusion attempt.

SELinux denied xen access to $TARGET_PATH. If this is a XEN image, it has to have a file context label of xen_image_t. The system is set up to label image files in the directory /var/lib/xen/images correctly. We recommend that you copy your image file to /var/lib/xen/images. If you really want to have your xen image files in the current directory, you can relabel $TARGET_PATH to be xen_image_t using chcon. You also need to execute semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH' to add this new path to the system defaults. If you did not intend to use $TARGET_PATH as a xen image it could indicate either a bug or an intrusion attempt.

SELinux has denied $SOURCE from connecting to a network port $PORT_NUMBER which does not have an SELinux type associated with it. If $SOURCE should be allowed to connect to $PORT_NUMBER, use the semanage command to assign $PORT_NUMBER to a port type that $SOURCE_TYPE can connect to (%s). If $SOURCE is not supposed to connect to $PORT_NUMBER, this could signal an intrusion attempt.

SELinux has denied $SOURCE from connecting to a network port $PORT_NUMBER within a sandbox.
If $SOURCE should be allowed to connect to $PORT_NUMBER, you need to use a different sandbox type like sandbox_web_t or sandbox_net_t. # sandbox -X -t sandbox_net_t $SOURCE If $SOURCE is not supposed to connect to $PORT_NUMBER, this could signal an intrusion attempt.

SELinux has denied $SOURCE access to potentially mislabeled files $TARGET_PATH. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, %s. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

SELinux has denied $SOURCE from binding to a network port $PORT_NUMBER which does not have an SELinux type associated with it. If $SOURCE should be allowed to listen on $PORT_NUMBER, use the semanage command to assign $PORT_NUMBER to a port type that $SOURCE_TYPE can bind to (%s). If $SOURCE is not supposed to bind to $PORT_NUMBER, this could signal an intrusion attempt.

SELinux has denied $SOURCE the ability to mmap the low area of the kernel address space. The ability to mmap a low area of the address space is configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps protect against exploiting null dereference bugs in the kernel. All applications that need this access should already have policy written for them. If a compromised application tried to modify the kernel, this AVC would be generated. This is a serious issue. Your system may very well be compromised.

SELinux has denied $SOURCE_PATH from executing the potentially mislabeled files $TARGET_PATH. Automounter can be set up to execute configuration files. If $TARGET_PATH is an automount executable configuration file it needs to have a file label of bin_t. If automounter is trying to execute something that it is not supposed to, this could signal an intrusion attempt.
SELinux has denied the http daemon from sending mail. An httpd script is trying to connect to a mail port or execute the sendmail command. If you did not set up httpd to send mail, this could signal an intrusion attempt.

SELinux has prevented $SOURCE from loading a kernel module. All confined programs that need to load kernel modules should already have policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised.

SELinux has prevented $SOURCE from modifying $TARGET. This denial indicates that $SOURCE was trying to modify the selinux policy configuration. All applications that need this access should already have policy written for them. If a compromised application tries to modify the SELinux policy this AVC will be generated. This is a serious issue. Your system may very well be compromised.

SELinux has prevented $SOURCE from modifying $TARGET. This denial indicates that $SOURCE was trying to modify the way the kernel runs or to actually insert code into the kernel. All applications that need this kind of access should already have policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised.

SELinux has prevented $SOURCE from writing to a file under /sys/fs/selinux. Files under /sys/fs/selinux control the way SELinux is configured. All programs that need to write to files under /sys/fs/selinux should already have policy written for them. If a compromised application tries to turn off SELinux this AVC will be generated. This is a serious issue. Your system may very well be compromised.

SELinux has prevented vbetool from performing an unsafe memory operation.

SELinux has prevented wine from performing an unsafe memory operation.

SELinux is preventing $SOURCE from creating a file with a context of $SOURCE_TYPE on a filesystem.
Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, "cp -a" for example. Not all file contexts should be maintained between file systems. For example, a read-only file type like iso9660_t should not be placed on a writable system. "cp -p" might be a better solution, as this will adopt the default file context for the destination.

SELinux is preventing $SOURCE_PATH "$ACCESS" access to $TARGET_PATH.
SELinux is preventing $SOURCE_PATH "$ACCESS" access to $TARGET_PATH.
SELinux is preventing $SOURCE_PATH "$ACCESS" access to device $TARGET_PATH.
SELinux is preventing $SOURCE_PATH "$ACCESS" to $TARGET_PATH.
SELinux is preventing $SOURCE_PATH access to a leaked $TARGET_PATH file descriptor.
SELinux is preventing $SOURCE_PATH from binding to port $PORT_NUMBER.
SELinux is preventing $SOURCE_PATH from changing the access protection of memory on the heap.
SELinux is preventing $SOURCE_PATH from connecting to port $PORT_NUMBER.
SELinux is preventing $SOURCE_PATH from creating a file with a context of $SOURCE_TYPE on a filesystem.
SELinux is preventing $SOURCE_PATH from loading $TARGET_PATH which requires text relocation.
SELinux is preventing $SOURCE_PATH from making the program stack executable.
SELinux is preventing $SOURCE_PATH the "$ACCESS" capability.
SELinux is preventing $SOURCE_PATH the "sys_resource" capability.
SELinux is preventing Samba ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH.
SELinux is preventing access to a file with the label unlabeled_t.
SELinux is preventing ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH.
SELinux is preventing $SOURCE_PATH from executing potentially mislabeled files $TARGET_PATH.
SELinux is preventing the http daemon from sending mail.
SELinux is preventing xen ($SOURCE_PATH) "$ACCESS" access to device $TARGET_PATH.

SELinux permission checks on files labeled unlabeled_t are being denied. unlabeled_t is a context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem.
No files on an SELinux box should ever be labeled unlabeled_t. If you have just added a disk drive to the system, you can relabel it using the restorecon command. For example, if you saved the home directory from a previous installation that did not use SELinux, "restorecon -R -v /home" will fix the labels. Otherwise you should relabel the entire file system.

SELinux policy is preventing an httpd script from writing to a public directory.

SELinux policy is preventing an httpd script from writing to a public directory. If httpd is not set up to write to public directories, this could signal an intrusion attempt.

SELinux prevented $SOURCE from mounting a filesystem on the file or directory "$TARGET_PATH" of type "$TARGET_TYPE". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "$TARGET_TYPE" does not have this attribute. You can change the label of the file or directory.

SELinux prevented $SOURCE from mounting on the file or directory "$TARGET_PATH" (type "$TARGET_TYPE").

SELinux denied httpd $ACCESS access to $TARGET_PATH. httpd scripts are not allowed to write to content without explicit labeling of all files. If $TARGET_PATH is writable content, it needs to be labeled httpd_sys_rw_content_t, or if all you need is append you can label it httpd_sys_ra_content_t. Please refer to "man httpd_selinux" for more information on setting up httpd and selinux.

SELinux denied httpd $ACCESS access to http files. Ordinarily httpd is allowed full access to all files labeled with the http file context. This machine has a tightened security policy with $BOOLEAN turned off, which requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read-only content, it needs to be labeled httpd_TYPE_content_t.
If it is writable content, it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts. Please refer to the man page "man httpd_selinux" or FAQ "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types.

SELinux denied httpd ($SOURCE_PATH) "$ACCESS" access to http files.

SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem.

SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem. CIFS (Common Internet File System) is a network filesystem similar to SMB (http://www.microsoft.com/mind/1196/cifs.asp) The ftp daemon attempted to read one or more directories from a mounted filesystem of this type. As CIFS filesystems do not support fine-grained SELinux labeling, all files and directories in the filesystem will have the same security context. If you have not configured the ftp daemon to read files from a CIFS filesystem this access attempt could signal an intrusion attempt.

SELinux prevented the ftp daemon from $ACCESS files stored on an NFS filesystem.

SELinux prevented the ftp daemon from $ACCESS files stored on an NFS filesystem. NFS (Network Filesystem) is a network filesystem commonly used on Unix / Linux systems. The ftp daemon attempted to read one or more files or directories from a mounted filesystem of this type. As NFS filesystems do not support fine-grained SELinux labeling, all files and directories in the filesystem will have the same security context. If you have not configured the ftp daemon to read files from an NFS filesystem this access attempt could signal an intrusion attempt.

Sometimes a library is accidentally marked with the execstack flag. If you find a library with this flag you can clear it with execstack -c LIBRARY_PATH. Then retry your application. If it continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH.
The $SOURCE application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If $SOURCE does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.

The $SOURCE application attempted to load $TARGET_PATH which requires text relocation. This may be a security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow $TARGET_PATH to use relocation as a workaround, until the library is fixed. Please file a bug report.

The $SOURCE application attempted to load $TARGET_PATH which requires text relocation. This is a potential security problem. Most libraries do not need this permission. The SELinux Memory Protection Tests web page explains this check. This tool examined the library and it looks like it was built correctly. So setroubleshoot cannot determine if this application is compromised or not. This could be a serious issue. Your system may very well be compromised. Contact your security administrator and report this issue.

The $SOURCE application attempted to make its own stack executable. This may be a security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error is in fact most likely caused by malicious code. Applications are sometimes coded incorrectly and request this permission.
The SELinux Memory Protection Tests web page explains how to remove this requirement. If $SOURCE does not work and you need it to work, you can configure SELinux temporarily to allow this until the application is fixed. Please file a bug report.

Use a command like "cp -p" to preserve all permissions except SELinux context.

You can alter the file context by executing chcon -R -t cvs_data_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t cvs_data_t '$FIX_TARGET_PATH'"

You can alter the file context by executing chcon -R -t rsync_data_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t rsync_data_t '$FIX_TARGET_PATH'"

You can alter the file context by executing chcon -R -t samba_share_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH'"

You can alter the file context by executing chcon -t public_content_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t public_content_t '$FIX_TARGET_PATH'"

You can alter the file context by executing chcon -R -t swapfile_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t swapfile_t '$FIX_TARGET_PATH'"

You can alter the file context by executing chcon -t virt_image_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'" Du kan Ă€ndra filkontexten genom att köra chcon -R -t xen_image_t '$TARGET_PATH' Du mĂ„ste ocksĂ„ Ă€ndra standardfilkontextfilerna pĂ„ systemet för att bevara dem Ă€ven efter en fullstĂ€ndig ometikettering. "semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'" Du kan exekvera följande kommando som root för Ă„termĂ€rka ditt datorsystem: "touch /.autorelabel; reboot" Du kan generera en lokal policy för att tillĂ„ta denna Ă„tkomst - se FAQ Skicka gĂ€rna en felrapport. Du kan generera en lokal policy för att tillĂ„ta denna Ă„tkomst - se FAQ Du kan Ă„terstĂ€lla systemets standardkontext för denna fil genom att köra kommandot restorecon. # restorecon -R /root/.ssh. Du kan Ă„terstĂ€lla systemets standardkontext för denna fil genom att köra kommandot restorecon. # restorecon -R /root/.ssh. Du kan Ă„terstĂ€lla standardsystemkontexten till denna fil genom att köra kommandor restorecon. restorecon '$SOURCE_PATH'. Du kan Ă„terstĂ€lla denna fils standardsystemkontext genom att köra kommandot restorecon. restorecon '$TARGET_PATH', om denna fil Ă€r en katalog kan du rekursivt Ă„terstĂ€lla med restorecon -R '$TARGET_PATH'. Ditt system kan vara allvarligt komprometterat! Ditt system kan vara allvarligt komprometterat! $SOURCE_PATH försökte att mmap:a lĂ„gt kĂ€rnminne. Ditt system kan vara allvarligt komprometterat! $SOURCE_PATH försökte lĂ€sa in en kĂ€rnmodul. Ditt system kan vara allvarligt komprometterat! $SOURCE_PATH försökte Ă€ndra framtvingandet av SELinux. Ditt system kan vara allvarligt komprometterat! $SOURCE_PATH försökte Ă€ndra kĂ€rnkonfigurationen. Avaktivera IPV6 ordentligt. Ta antingen bort paketet mozplugger genom att köra ”yum remove mozplugger” Eller stĂ€ng av framtvingandet av SELinux över insticksmoduler till Firefox. 
setsebool -P unconfined_mozilla_plugin_transition 0 Ta antingen bort paketet mozplugger eller spice-xpi genom att köra ”yum remove mozplugger spice-xpi” eller slĂ„ av SELinux verkan över insticksmoduler till Firefox. setsebool -P unconfined_mozilla_sandbox_transition 0 Ta antingen bort paketet mozplugger eller spice-xpi genom att köra ”yum remove mozplugger spice-xpi”, eller slĂ„ av SELinux verkan över insticksmoduler till Chrome. setsebool -P unconfined_chrome_sandbox_transition 0 Om du bestĂ€mmer dig för att fortsĂ€tta köra programmet i frĂ„ga kommer du behöva tillĂ„ta denna Ă„tgĂ€rd. Detta kan göras pĂ„ kommandoraden genom att köra: # setsebool -P mmap_low_allowed 1 SELinux nekade en Ă„tgĂ€rd begĂ€rd av $SOURCE, ett program anvĂ€nt för att Ă€ndra videohĂ„rdvarans tillstĂ„nd. Detta program Ă€r kĂ€nt för att anvĂ€nda en osĂ€ker operation pĂ„ systemminnet men det Ă€r ocksĂ„ ett antal skade-/intrĂ„ngsprogram som lĂ„tsas vara vbetool. Detta verktyg anvĂ€nds för att Ă„terstĂ€lla videotillstĂ„ndet nĂ€r en maskin Ă„tergĂ„r frĂ„n vilolĂ€ge. Om din maskin inte Ă„tergĂ„r som den skall har du inget annat val Ă€n att tillĂ„ta denna operation och reducera ditt systems skydd mot sĂ„dana skadeprogram. SELinux nekade en Ă„tgĂ€rd begĂ€rd av wine-preloader, ett program som anvĂ€nds för att köra Windowsprogram under Linux. Detta program Ă€r kĂ€nt för att anvĂ€nda en osĂ€ker operation pĂ„ systemminnet men det Ă€r ocksĂ„ ett antal skade-/intrĂ„ngsprogram som lĂ„tsas vara wine. Om du försökte köra ett Windowsprogram har du inget annat val Ă€n att tillĂ„ta denna operation och minska ditt systems skydd mot sĂ„dana skadeprogram, eller att avstĂ„ frĂ„n att köra Windowsprogram under Linux. Om du inte försökte köra ett Windowsprogram indikerar detta att du förmodligen Ă€r under attack av nĂ„got slags skadeprogram eller program som försöker utnyttja ditt system för otrevliga syften. 
Se http://wiki.winehq.org/PreloaderPageZeroProblem som skisserar de andra problemen wine stöter pĂ„ pĂ„ grund av dess osĂ€kra anvĂ€ndning av minne och lösningar pĂ„ dessa problem. SlĂ„ pĂ„ fullstĂ€ndig granskning # auditctl -w /etc/shadow -p w Försök att Ă„terskapa AVC:n. Kör sedan # ausearch -m avc -ts recent Om du ser en PATH-post kontrollera Ă€garen/rĂ€ttigheterna pĂ„ filen, och rĂ€tta dem, annars rapportera som en bugzilla. Du försökte placera en typ pĂ„ en %s som inte Ă€r av filtyp. Detta Ă€r inte tillĂ„tet, du mĂ„ste tilldela en filtyp. Du kan lista alla filtyper med kommandot seinfo. seinfo -afile_type -x Ändra "$BOOLEAN" och "$WRITE_BOOLEAN" flaggorn till sant tillĂ„ter denna Ă„tkomst : "setsebool -P $BOOLEAN=1 $WRITE_BOOLEAN=1". varning: sĂ€tta "$WRITE_BOOLEAN" flaggan till sant kommer tillĂ„ta ftp-demonen att skriva till allt publikt material (filer och kataloger med typ public_content_t) förutom skriva till filer och kataloger pĂ„ CIFS-filsystem. Att Ă€ndra flaggorna ”allow_ftpd_use_nfs” och "ftpd_anon_write" till sant kommer tillĂ„ta denna Ă„tkomst: "setsebool -P allow_ftpd_use_nfs=1 ftpd_anon_write=1". varning: att sĂ€tta flaggan "ftpd_anon_write" till sant kommer att tillĂ„ta ftp-demonen att skriva till allt publikt innehĂ„ll (filer och kataloger med typ public_content_t) förutom att skriva till filer och kataloger pĂ„ NFS-filsystem. # ausearch -x $SOURCE_PATH -raw | audit2allow -D -M min-$SOURCE # semodule -X 300 -i min-$SOURCE.pp# semanage fcontext -a -t FILTYP '$FIX_TARGET_PATH' dĂ€r FILTYP Ă€r en av följande: %s. 
Kör sedan: restorecon -v '$FIX_TARGET_PATH' # semanage fcontext -a -t LIKNANDE_TYP '$FIX_TARGET_PATH' # restorecon -v '$FIX_TARGET_PATH'# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH%s' # restorecon %s -v '$FIX_TARGET_PATH'# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' # restorecon -v '$FIX_TARGET_PATH'# semanage port -a -t %s -p %s $PORT_NUMBER# semanage port -a -t PORTTYP -p %s $PORT_NUMBER dĂ€r PORTTYP Ă€r en av följande: %s.En process kan försöka hacka sig in i ditt system.LĂ€gg till net.ipv6.conf.all.disable_ipv6 = 1 till /etc/sysctl.conf TillĂ„t denna Ă„tkomst för tillfĂ€llet genom att köra: # ausearch -c '$SOURCE' --raw | audit2allow -M min-$MODULE_NAME # semodule -x 300 -i min-$MODULE_NAME.ppÄndra filkontext.Ändra etikettÄndra etikett pĂ„ biblioteket.Ändra filetiketten till xen_image_t.Kontakta din sĂ€kerhetsadministratör och rapportera detta tillbud.SlĂ„ av SELinux-styrningen av insticksmodulerna till ChromeAktivera booleanerAktivera booleaner.Om $TARGET_BASE_PATH Ă€r ett virtualiseringsmĂ„lOm $TARGET_BASE_PATH skall delas via RSYNC-demonenOm $TARGET_BASE_PATH borde delas via cvs-demonenOm du tror att $SOURCE_BASE_PATH borde tillĂ„tas skapa $TARGET_BASE_PATH-filerOm du tror att $SOURCE_PATH försökte avaktivera SELinux.Om du tror att %s inte borde behöva execstackOm du tror att $SOURCE_BASE_PATH borde tillĂ„tas Ă„tkomsten $ACCESS till $TARGET_CLASS med etiketten $TARGET_TYPE som standard.Om du tror att $SOURCE_BASE_PATH borde tillĂ„tas Ă„tkomsten $ACCESS till processer med etiketten $TARGET_CLASS som standard.Om du tror att $SOURCE_BASE_PATH borde tillĂ„tas Ă„tkomsten $ACCESS till $TARGET_BASE_PATH $TARGET_CLASS som standard.Om du tror att $SOURCE_BASE_PATH borde ha förmĂ„gan $ACCESS som standard.Om du inte direkt orsakade denna AVC genom testning.Om du inte tror att $SOURCE_PATH borde försöka Ă€ndra kĂ€rnan genom att ladda en kĂ€rnmodul.Om du inte tror att $SOURCE_PATH skall modifiera kĂ€rnan genom att ladda kĂ€rnmodulerOm du tror 
inte att $SOURCE_PATH skall försöka Ă„tkomsten ”$ACCESS“ till $TARGET_BASE_PATH.Om du inte tror att $SOURCE_PATH borde behöva ladda in minne pĂ„ heap:en som Ă€r bĂ„de skrivbart och exekverbart.Om du inte tror att $SOURCE_PATH borde behöva ladda in minne pĂ„ stacken som Ă€r bĂ„de skrivbart och exekverbart.Om du inte tror att $SOURCE_PATH bör behöva mmap:a lĂ„gt minne i kĂ€rnan.Om du inte vill att processer skall begĂ€ra förmĂ„gan att anvĂ€nda alla systemresurser i ditt system;Om du tror att detta orsakades av en allvarligt feletiketterad maskin.Om du vill %sOm du vill tillĂ„ta $SOURCE_BASE_PATH att montera pĂ„ $TARGET_BASE_PATH.Om du vill tillĂ„ta $SOURCE_PATH att kunna skriva till delat publikt innehĂ„llOm du vill tillĂ„ta $SOURCE_PATH att binda till nĂ€tverksport $PORT_NUMBEROm du vill tillĂ„ta $SOURCE_PATH att ansluta till nĂ€tverksport $PORT_NUMBEROm du vill tillĂ„ta ftpd att skriva till cifs-filsystemOm du vill tillĂ„ta ftpd att skriva till nfs-filsystemOm du vill tillĂ„ta httpd att köra cgi-skript och göra HTTPD:s hantering av alla innehĂ„llsfiler enhetlig.Om du vill tillĂ„ta httpd att skicka postOm du vill Ă€ndra etiketten pĂ„ $TARGET_PATH till %s, du fĂ„r inte det eftersom det inte Ă€r en giltig filtyp.Om du vill avaktivera IPV6 pĂ„ den hĂ€r maskinenOm du vill rĂ€tta etiketten. $SOURCE_PATH standardetikett skall vara %s.Om du vill rĂ€tta etiketten. 
Standardetiketten för $TARGET_PATH skall vara %s.Om du vill hjĂ€lpa till att identifiera om domĂ€nen behöver denna Ă„tkomst eller om du har en fil med fel rĂ€ttigheter pĂ„ ditt systemOm du vill strunta i om $SOURCE_BASE_PATH försöker Ă„tkomsten $ACCESS pĂ„ $TARGET_BASE_PATH $TARGET_CLASS, eftersom du tror att den inte bör behöva denna Ă„tkomst.Om du vill ignorera denna AVC för att den Ă€r farlig och din maskin verkar fungera normalt.Om du vill ignorera denna AVC för att den Ă€r farlig och dina wine-program fungerar normalt.Om du vill Ă€ndra etiketten pĂ„ $TARGET_BASE_PATH sĂ„ att $SOURCE_BASE_PATH kan ha Ă„tkomsten $ACCESS till denOm du vill flytta $TARGET_BASE_PATH till en standardplats sĂ„ att $SOURCE_BASE_PATH kan anvĂ€nda Ă„tkomsten $ACCESSOm du vill fortsĂ€tta anvĂ€nda SELinux begrĂ€nsning av insticksmoduler till Firefox istĂ€llet för att anvĂ€nda paketet mozpluggerOm du vill hantera $TARGET_BASE_PATH som publikt innehĂ„llOm du vill anvĂ€nda paketet %sEtikettera om hela filsystemet. Inkluderar en omstart!ÅterstĂ€ll kontextÅterstĂ€ll kontextSELinux nekar $SOURCE_PATH "$ACCESS"-Ă„tkomst.SĂ€tt avbildsetiketten till virt_image_t.Detta orsakas av ett nyskapat filsystem.Försök rĂ€tta etiketten.SlĂ„ av minnesskyddDu kan lĂ€sa manualsidan för ”%s” för fler detaljer.Du kan ha blivit hackad.Du mĂ„ste sĂ€ga till SELinux detta genom att aktivera booleanen ”%s”. Du behöver Ă€ndra etiketten pĂ„ $FIX_TARGET_PATHDu behöver Ă€ndra etiketten pĂ„ $TARGET_BASE_PATHDu behöver Ă€ndra etiketten pĂ„ $TARGET_BASE_PATH till public_content_t eller public_content_rw_t.Du behöver Ă€ndra etiketten pĂ„ $TARGET_BASE_PATHDu behöver Ă€ndra etiketten pĂ„ $TARGET_PATH till en typ pĂ„ en liknande enhet.Du behöver Ă€ndra etiketten pĂ„ ”$FIX_TARGET_PATH”Du bör rapportera detta som ett fel. Du kan generera en lokal policymodul för att tillĂ„ta denna Ă„tkomst.Du bör rapportera detta som ett fel. 
Du kan generera en lokal policymodul att göra ”dontaudit” pĂ„ denna Ă„tkomst.execstack -c %som du tror att du kan ha blivit hackadsetsebool -P %s %sslĂ„ pĂ„ fullstĂ€ndig granskning för att fĂ„ sökvĂ€gsinformation om den problematiska filen och generera felet igen.anvĂ€nd ett kommando som ”cp -p” för att bevara alla rĂ€ttigheter utom SELinux-kontext.du kan köra restorecon.kan du köra restorecon. Åtkomstförsöket kan ha stoppats pĂ„ grund av otillrĂ€ckliga rĂ€ttigheter för att komma Ă„t en förĂ€ldrakatalog. Försök i sĂ„ fall Ă€ndra följande kommando i enlighet med det.du kan vara under attack av en hackare, eftersom begrĂ€nsade program aldrig skall behöva denna Ă„tkomst.du kan vara under attack frĂ„n en hackare, eftersom begrĂ€nsade program inte skall behöva denna Ă„tkomst.du kan vara under attack frĂ„n en hackare, detta Ă€r en vĂ€ldigt farlig Ă„tkomst.du mĂ„ste Ă€ndra etiketten pĂ„ $TARGET_PATH.du mĂ„ste rĂ€tta etiketter.du mĂ„ste flytta certifikatfilen till katalogen ~/.certdu mĂ„ste vĂ€lja en giltig filetikett.du mĂ„ste ta bort paketet mozplugger.du mĂ„ste sĂ€tta upp SELinux för att tillĂ„ta dettadu mĂ„ste berĂ€tta detta för SELinuxdu mĂ„ste tala om för SELinux om detta genom att aktivera booleanerna ”httpd_unified” och ”http_enable_cgi”du mĂ„ste berĂ€tta för SELinux om detta genom att aktivera booleanen vbetool_mmap_zero_ignore.du mĂ„ste berĂ€tta för SELinux om detta genom att aktivera booleanen wine_mmap_zero_ignore.du mĂ„ste slĂ„ av SELinux-styrningen av insticksmodulerna till Chrome.du mĂ„ste stĂ€nga av SELinux styrning av insticksmoduler till Firefox.du behöver lĂ€gga till etiketter till den.du behöver Ă€ndra etiketten pĂ„ $TARGET_PATH till public_content_rw_t, och eventuellt slĂ„ pĂ„ booleanen allow_httpd_sys_script_anon_write.du behöver diagnostisera varför ditt system fĂ„r slut pĂ„ systemresurser och rĂ€tta problemet. Enligt /usr/include/linux/capability.h behövs sys_resource för att: /* ÅsidosĂ€tta resursbegrĂ€nsningar. SĂ€tta resursbegrĂ€nsningar. 
*/ /* ÅsidosĂ€tta kvotgrĂ€nser. */ /* ÅsidosĂ€tta reserverat utrymme pĂ„ ext2-filsystem */ /* Ändra datajournallĂ€ge pĂ„ ext3-filsystem (anvĂ€nder journalresurser) */ /* OBS: ext2 tar hĂ€nsyn till fsuid nĂ€r den kontrollerar Ă„sidosĂ€ttandet av resurser, sĂ„ man kan Ă„sidosĂ€tta fsuid ocksĂ„ */ /* ÅsidosĂ€tta storleksbegrĂ€nsningar pĂ„ IPC-meddelandeköer */ /* TillĂ„ta mer Ă€n 64 Hz avbrott frĂ„n realtidsklockan */ /* ÅsidosĂ€tta maxantalet konsoler vid konsolallokering */ /* ÅsidosĂ€tta maxantalet tangenbordsbindningar */ du behöver en fullstĂ€ndig ometikettering.du behöver Ă€ndra sandlĂ„detypen. sandbox_web_t eller sandbox_net_t. Till exempel: sandbox -X -t sandbox_net_t $SOURCE_PATH LĂ€s manualsidan ”sandbox” för fler detaljer. du behöver rapportera ett fel. Detta Ă€r potentiellt en farlig Ă„tkomst.du behöver rapportera ett fel. Detta Ă€r en potentiellt farlig Ă„tkomst.du behöver sĂ€tta /proc/sys/net/ipv6/conf/all/disable_ipv6 till 1 och inte svartlista modulendu behöver anvĂ€nda ett annat kommando. Du har inte tillĂ„telse att bevara SELinux-kontexten pĂ„ mĂ„lfilsystemet.du bör nollstĂ€lla execstack-flaggan och se om $SOURCE_PATH fungerar korrekt. Rapportera detta som ett fel i %s. Du kan nollstĂ€lla execstack-flaggan genom att köra: