Created December 4, 2014 20:31
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/my_print_defaults from read access on the file .my.cnf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that my_print_defaults should be allowed read access on the .my.cnf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep my_print_defaul /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/my_print_defaults from getattr access on the file /root/.my.cnf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that my_print_defaults should be allowed getattr access on the .my.cnf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep my_print_defaul /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/mysqld from getattr access on the file /root/.my.cnf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that mysqld should be allowed getattr access on the .my.cnf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mysqld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/mysqld from read access on the file .my.cnf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that mysqld should be allowed read access on the .my.cnf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mysqld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /bin/bash from using the signull access on a process.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that bash should be allowed signull access on processes labeled mysqld_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mysqld_safe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from write access on the file /var/run/restartsrv/startup/exim.
***** Plugin leaks (86.2 confidence) suggests ******************************
If you want to ignore exim trying to write access the exim file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/exim /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests ***************************
If you believe that exim should be allowed write access on the exim file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from getattr access on the file /var/run/restartsrv/startup/exim.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that exim should be allowed getattr access on the exim file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from ioctl access on the file /var/run/restartsrv/startup/exim.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that exim should be allowed ioctl access on the exim file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /sbin/setfiles from write access on the file /var/run/restartsrv/startup/named.
***** Plugin leaks (86.2 confidence) suggests ******************************
If you want to ignore setfiles trying to write access the named file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/setfiles /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests ***************************
If you believe that setfiles should be allowed write access on the named file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/named from write access on the file /var/run/restartsrv/startup/named.
***** Plugin leaks (86.2 confidence) suggests ******************************
If you want to ignore named trying to write access the named file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/named /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests ***************************
If you believe that named should be allowed write access on the named file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/named from write access on the directory named.
***** Plugin catchall_boolean (89.3 confidence) suggests *******************
If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.
Then you must tell SELinux about this by enabling the 'named_write_master_zones' boolean. You can read 'named_selinux' man page for more details.
Do
setsebool -P named_write_master_zones 1
***** Plugin catchall (11.6 confidence) suggests ***************************
If you believe that named should be allowed write access on the named directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/named from add_name access on the directory tmp-UsD68Z9IgS.
***** Plugin catchall_boolean (89.3 confidence) suggests *******************
If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.
Then you must tell SELinux about this by enabling the 'named_write_master_zones' boolean. You can read 'named_selinux' man page for more details.
Do
setsebool -P named_write_master_zones 1
***** Plugin catchall (11.6 confidence) suggests ***************************
If you believe that named should be allowed add_name access on the tmp-UsD68Z9IgS directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/named from remove_name access on the directory tmp-LH32hv44iY.
***** Plugin catchall_boolean (89.3 confidence) suggests *******************
If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.
Then you must tell SELinux about this by enabling the 'named_write_master_zones' boolean. You can read 'named_selinux' man page for more details.
Do
setsebool -P named_write_master_zones 1
***** Plugin catchall (11.6 confidence) suggests ***************************
If you believe that named should be allowed remove_name access on the tmp-LH32hv44iY directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/dovecot from write access on the file /var/run/restartsrv/startup/imap.
***** Plugin leaks (86.2 confidence) suggests ******************************
If you want to ignore dovecot trying to write access the imap file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/dovecot /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests ***************************
If you believe that dovecot should be allowed write access on the imap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dovecot /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/doveconf from read access on the file dovecot.crt.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow doveconf to have read access on the dovecot.crt file
Then you need to change the label on dovecot.crt
Do
# semanage fcontext -a -t FILE_TYPE 'dovecot.crt'
where FILE_TYPE is one of the following: mail_spool_t, locale_t, bin_t, etc_t, proc_t, sysfs_t, krb5_keytab_t, dovecot_keytab_t, sssd_public_t, user_cron_spool_t, abrt_t, lib_t, etc_t, dovecot_etc_t, ld_so_t, dovecot_tmp_t, udev_tbl_t, sysfs_t, usr_t, shell_exec_t, afs_cache_t, abrt_helper_exec_t, krb5_conf_t, tmpfile, user_home_t, dovecot_exec_t, dovecot_cert_t, dovecot_t, textrel_shlib_t, rpm_script_tmp_t, mta_exec_type, cert_type, etc_runtime_t, configfile, samba_var_t, ld_so_cache_t, sssd_var_lib_t, dovecot_spool_t, net_conf_t, mail_home_rw_t, anon_inodefs_t, sysctl_kernel_t, configfile, dovecot_auth_exec_t, puppet_tmp_t, abrt_var_run_t, fail2ban_var_lib_t, dovecot_var_log_t, dovecot_var_lib_t, dovecot_var_run_t, sysctl_crypto_t, prelink_exec_t, nfs_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t, cluster_tmp_t, sysctl_kernel_t.
Then execute:
restorecon -v 'dovecot.crt'
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that doveconf should be allowed read access on the dovecot.crt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/libexec/dovecot/auth from create access on the file auth-token-secret.dat.tmp.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that auth should be allowed create access on the auth-token-secret.dat.tmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/libexec/dovecot/auth from rename access on the file auth-token-secret.dat.tmp.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that auth should be allowed rename access on the auth-token-secret.dat.tmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from open access on the file 1XwcSG-0003cc-07-D.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that exim should be allowed open access on the 1XwcSG-0003cc-07-D file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from write access on the file retry.lockfile.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that exim should be allowed write access on the retry.lockfile file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from setattr access on the file 1XwcSG-0003cc-07.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that exim should be allowed setattr access on the 1XwcSG-0003cc-07 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/rndc from read access on the directory inotify.
***** Plugin leaks (86.2 confidence) suggests ******************************
If you want to ignore rndc trying to read access the inotify directory, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/rndc /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests ***************************
If you believe that rndc should be allowed read access on the inotify directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rndc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/local/cpanel/bin/dovecot-wrap from execute access on the file dovecot-wrap.
***** Plugin leaks (86.2 confidence) suggests ******************************
If you want to ignore dovecot-wrap trying to execute access the dovecot-wrap file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/local/cpanel/bin/dovecot-wrap /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests ***************************
If you believe that dovecot-wrap should be allowed execute access on the dovecot-wrap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dovecot-wrap /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/local/cpanel/bin/dovecot-wrap from using the sys_ptrace capability.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that dovecot-wrap should have the sys_ptrace capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dovecot-wrap /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/local/cpanel/bin/dovecot-auth from read access on the file recv.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow dovecot-auth to have read access on the recv file
Then you need to change the label on recv
Do
# semanage fcontext -a -t FILE_TYPE 'recv'
where FILE_TYPE is one of the following: usr_t, krb5_keytab_t, dovecot_passwd_t, sssd_public_t, user_tmp_t, dovecot_etc_t, mysqld_etc_t, krb5_conf_t, abrt_t, lib_t, etc_t, dovecot_auth_tmp_t, ld_so_t, oddjob_mkhomedir_exec_t, sysfs_t, usr_t, dbusd_etc_t, dovecot_auth_t, afs_cache_t, abrt_helper_exec_t, faillog_t, tmpfile, var_lib_t, updpwd_exec_t, chkpwd_exec_t, cert_type, etc_runtime_t, configfile, openct_var_run_t, samba_var_t, textrel_shlib_t, initrc_var_run_t, pcscd_var_run_t, sssd_var_lib_t, net_conf_t, rpm_script_tmp_t, ld_so_cache_t, dovecot_auth_exec_t, system_dbusd_var_lib_t, configfile, abrt_var_run_t, sysctl_type, locale_t, bin_t, etc_t, sysctl_crypto_t, proc_t, prelink_exec_t, sysctl_kernel_t.
Then execute:
restorecon -v 'recv'
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that dovecot-auth should be allowed read access on the recv file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/local/cpan /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/local/cpanel/bin/dovecot-auth from getattr access on the file /var/cpanel/hulkd/enabled.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow dovecot-auth to have getattr access on the enabled file
Then you need to change the label on /var/cpanel/hulkd/enabled
Do
# semanage fcontext -a -t FILE_TYPE '/var/cpanel/hulkd/enabled'
where FILE_TYPE is one of the following: usr_t, krb5_keytab_t, dovecot_passwd_t, sssd_public_t, user_tmp_t, dovecot_etc_t, prelink_exec_t, mysqld_etc_t, krb5_conf_t, abrt_t, lib_t, etc_t, dovecot_auth_tmp_t, ld_so_t, oddjob_mkhomedir_exec_t, sysfs_t, usr_t, dbusd_etc_t, dovecot_auth_t, abrt_helper_exec_t, faillog_t, tmpfile, var_lib_t, updpwd_exec_t, chkpwd_exec_t, cert_type, etc_runtime_t, configfile, openct_var_run_t, samba_var_t, textrel_shlib_t, initrc_var_run_t, pcscd_var_run_t, sssd_var_lib_t, net_conf_t, rpm_script_tmp_t, ld_so_cache_t, dovecot_auth_exec_t, abrt_var_cache_t, system_dbusd_var_lib_t, rpm_tmp_t, configfile, abrt_var_run_t, sysctl_type, locale_t, bin_t, etc_t, sysctl_crypto_t, proc_t, krb5_host_rcache_t, prelink_exec_t, sysctl_kernel_t.
Then execute:
restorecon -v '/var/cpanel/hulkd/enabled'
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that dovecot-auth should be allowed getattr access on the enabled file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/local/cpan /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/local/cpanel/bin/dovecot-auth from ioctl access on the file /var/cpanel/serviceauth/imap/recv.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow dovecot-auth to have ioctl access on the recv file
Then you need to change the label on /var/cpanel/serviceauth/imap/recv
Do
# semanage fcontext -a -t FILE_TYPE '/var/cpanel/serviceauth/imap/recv'
where FILE_TYPE is one of the following: usr_t, krb5_keytab_t, dovecot_passwd_t, sssd_public_t, user_tmp_t, dovecot_etc_t, mysqld_etc_t, krb5_conf_t, abrt_t, lib_t, etc_t, dovecot_auth_tmp_t, ld_so_t, sysfs_t, usr_t, dbusd_etc_t, dovecot_auth_t, faillog_t, tmpfile, var_lib_t, cert_type, etc_runtime_t, configfile, openct_var_run_t, samba_var_t, textrel_shlib_t, initrc_var_run_t, pcscd_var_run_t, sssd_var_lib_t, net_conf_t, rpm_script_tmp_t, ld_so_cache_t, dovecot_auth_exec_t, abrt_var_cache_t, system_dbusd_var_lib_t, rpm_tmp_t, configfile, abrt_var_run_t, sysctl_type, locale_t, bin_t, etc_t, sysctl_crypto_t, proc_t, sysctl_kernel_t.
Then execute:
restorecon -v '/var/cpanel/serviceauth/imap/recv'
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that dovecot-auth should be allowed ioctl access on the recv file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/local/cpan /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/libexec/dovecot/auth from getattr access on the file /var/run/dovecot/auth-token-secret.dat.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that auth should be allowed getattr access on the auth-token-secret.dat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/libexec/dovecot/auth from read access on the file auth-token-secret.dat.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that auth should be allowed read access on the auth-token-secret.dat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
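The suggestions above are setroubleshoot templates, not a review of the denials. The catchall plugin's `grep ... | audit2allow -M mypol; semodule -i mypol.pp` recipe will write an allow rule for dovecot-wrap's sys_ptrace capability just as readily as for a harmless getattr, and because every recipe reuses the module name `mypol`, each later install replaces the previous module. The block below is an added example, not part of this gist or of cPanel's or setroubleshoot's tooling: a POSIX sh/awk triage pass over raw AVC records that extracts the source and target types, flags denials where a blanket allow would be a genuine privilege grant (capabilities, executable-memory and ptrace permissions, writes to config, binary or credential types), and points denials against generic labels toward a relabel rather than an allow rule. The audit records, PIDs, inode numbers and the `dovecot_t` domain assumed for dovecot-wrap are constructed for the example; on a real host the input comes from `/var/log/audit/audit.log` or `ausearch -m AVC --raw`.

```shell
#!/bin/sh
# Added AVC triage helper (example code, not from the gist). POSIX sh + awk only,
# so it runs on the RHEL/CentOS 6 hosts cPanel targeted at the time.

# Constructed stand-in for `ausearch -m AVC --raw` output; the PIDs, inode
# numbers and the dovecot_t domain for dovecot-wrap are assumptions.
SAMPLE_AVC=$(cat <<'EOF'
type=SYSCALL msg=audit(1417724400.101:201): arch=c000003e syscall=4 success=no exit=-13 comm="mysqld"
type=AVC msg=audit(1417724400.101:201): avc:  denied  { getattr } for  pid=2211 comm="mysqld" path="/root/.my.cnf" dev=vda1 ino=131074 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1417724400.102:202): avc:  denied  { write } for  pid=2300 comm="exim" path="/var/run/restartsrv/startup/exim" dev=vda1 ino=262145 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1417724400.103:203): avc:  denied  { write } for  pid=2350 comm="named" name="named" dev=vda1 ino=393218 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1417724400.104:204): avc:  denied  { sys_ptrace } for  pid=2400 comm="dovecot-wrap" capability=19 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability
EOF
)

# One line per denial on stdin: comm source_type target_type class perm[,perm...]
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      b = index($0, "{"); e = index($0, "}")
      perms = substr($0, b + 1, e - b - 1)
      gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
      comm = sc = tc = cls = ""
      for (i = 1; i <= NF; i++) {
        if (sub(/^comm="/, "", $i))        { comm = $i; sub(/"$/, "", comm) }
        else if (sub(/^scontext=/, "", $i)) sc = $i
        else if (sub(/^tcontext=/, "", $i)) tc = $i
        else if (sub(/^tclass=/, "", $i))   cls = $i
      }
      split(sc, s, ":"); split(tc, t, ":")   # user:role:type:level -> type
      print comm, s[3], t[3], cls, perms
    }'
}

# Summary lines whose blanket "allow" would be a real privilege grant. These are
# printed for a human; they must never go straight into audit2allow.
avc_flag_risky() {
  awk '
    $4 == "capability" || $4 == "capability2" {
      print "REVIEW " $1 ": " $2 " would gain kernel capability " $5; next }
    $4 == "process" && $5 ~ /execmem|execstack|execheap|ptrace|transition|setcurrent/ {
      print "REVIEW " $1 ": process permission " $5 " against " $3; next }
    $4 == "file" && $5 ~ /execute|entrypoint|execmod/ {
      print "REVIEW " $1 ": " $2 " executing " $3 " content (" $5 ")"; next }
    $5 ~ /write|append|create|unlink|rename|setattr|add_name|remove_name/ && $3 ~ /(etc|conf|exec|cert|passwd)_t$/ {
      print "REVIEW " $1 ": " $2 " modifying config/binary/credential type " $3; next }
  '
}

# Denials against generic labels usually mean the object is mislabeled or in the
# wrong place; the fix is a file context (what the catchall_labels plugin offers),
# not an allow rule that opens every file of that type to the daemon.
avc_label_hint() {
  awk '$3 ~ /^(admin_home|user_home|var_run|var_lib|var|usr|etc|tmp|default|unlabeled)_t$/ {
    print "LABEL " $1 ": " $2 " hit generic type " $3 " (" $4 " " $5 \
          "); compare matchpathcon <path> with ls -Z, then semanage fcontext + restorecon" }'
}

# Full pass: summary, then the two review lists.
avc_triage() {
  summary=$(avc_summary)
  printf '%s\n' "$summary"
  printf '%s\n' "$summary" | avc_flag_risky
  printf '%s\n' "$summary" | avc_label_hint
}

printf '%s\n' "$SAMPLE_AVC" | avc_triage

# On the real host (not executed here), per denied comm and in this order:
#   ausearch -m AVC -c mysqld --raw | audit2why        # boolean available? mislabel? real policy gap?
#   fix the label, or flip the documented boolean (setsebool -P named_write_master_zones 1
#   as the named alerts suggest), and only if neither applies:
#   ausearch -m AVC -c mysqld --raw | audit2allow -M mysqld_local
#   cat mysqld_local.te          # read every allow rule; drop anything flagged REVIEW above
#   semodule -i mysqld_local.pp  # one named module per service, never a shared "mypol"
```

Run it as `sh avc_triage.sh` to see the constructed denials classified; to use it on a host, replace the `printf ... | avc_triage` line with `ausearch -m AVC --raw | avc_triage` or `avc_triage < /var/log/audit/audit.log`. The risk patterns are deliberately broad: a false REVIEW costs a minute of reading the generated `.te`, while a missed one becomes permanent policy.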
SELinux is preventing /usr/sbin/named from write access on the directory named.
***** Plugin catchall_boolean (89.3 confidence) suggests *******************
If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.
Then you must tell SELinux about this by enabling the 'named_write_master_zones' boolean. You can read 'named_selinux' man page for more details.
Do
setsebool -P named_write_master_zones 1
***** Plugin catchall (11.6 confidence) suggests ***************************
If you believe that named should be allowed write access on the named directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/doveconf from read access on the file dovecot.crt.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow doveconf to have read access on the dovecot.crt file
Then you need to change the label on dovecot.crt
Do
# semanage fcontext -a -t FILE_TYPE 'dovecot.crt'
where FILE_TYPE is one of the following: mail_spool_t, locale_t, bin_t, etc_t, proc_t, sysfs_t, krb5_keytab_t, dovecot_keytab_t, sssd_public_t, user_cron_spool_t, abrt_t, lib_t, etc_t, dovecot_etc_t, ld_so_t, dovecot_tmp_t, udev_tbl_t, sysfs_t, usr_t, shell_exec_t, afs_cache_t, abrt_helper_exec_t, krb5_conf_t, tmpfile, user_home_t, dovecot_exec_t, dovecot_cert_t, dovecot_t, textrel_shlib_t, rpm_script_tmp_t, mta_exec_type, cert_type, etc_runtime_t, configfile, samba_var_t, ld_so_cache_t, sssd_var_lib_t, dovecot_spool_t, net_conf_t, mail_home_rw_t, anon_inodefs_t, sysctl_kernel_t, configfile, dovecot_auth_exec_t, puppet_tmp_t, abrt_var_run_t, fail2ban_var_lib_t, dovecot_var_log_t, dovecot_var_lib_t, dovecot_var_run_t, sysctl_crypto_t, prelink_exec_t, nfs_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t, cluster_tmp_t, sysctl_kernel_t.
Then execute:
restorecon -v 'dovecot.crt'
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that doveconf should be allowed read access on the dovecot.crt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep doveconf /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/libexec/dovecot/auth from create access on the file auth-token-secret.dat.tmp.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that auth should be allowed create access on the auth-token-secret.dat.tmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/libexec/dovecot/auth from rename access on the file auth-token-secret.dat.tmp.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that auth should be allowed rename access on the auth-token-secret.dat.tmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from getattr access on the file /usr/local/cpanel/bin/boxtrapper.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that exim should be allowed getattr access on the boxtrapper file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/local/cpanel/bin/dovecot-wrap from using the sys_ptrace capability.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that dovecot-wrap should have the sys_ptrace capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dovecot-wrap /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/local/cpanel/bin/dovecot-auth from ioctl access on the file /var/cpanel/serviceauth/imap/recv.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow dovecot-auth to have ioctl access on the recv file
Then you need to change the label on /var/cpanel/serviceauth/imap/recv
Do
# semanage fcontext -a -t FILE_TYPE '/var/cpanel/serviceauth/imap/recv'
where FILE_TYPE is one of the following: usr_t, krb5_keytab_t, dovecot_passwd_t, sssd_public_t, user_tmp_t, dovecot_etc_t, mysqld_etc_t, krb5_conf_t, abrt_t, lib_t, etc_t, dovecot_auth_tmp_t, ld_so_t, sysfs_t, usr_t, dbusd_etc_t, dovecot_auth_t, faillog_t, tmpfile, var_lib_t, cert_type, etc_runtime_t, configfile, openct_var_run_t, samba_var_t, textrel_shlib_t, initrc_var_run_t, pcscd_var_run_t, sssd_var_lib_t, net_conf_t, rpm_script_tmp_t, ld_so_cache_t, dovecot_auth_exec_t, abrt_var_cache_t, system_dbusd_var_lib_t, rpm_tmp_t, configfile, abrt_var_run_t, sysctl_type, locale_t, bin_t, etc_t, sysctl_crypto_t, proc_t, sysctl_kernel_t.
Then execute:
restorecon -v '/var/cpanel/serviceauth/imap/recv'
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that dovecot-auth should be allowed ioctl access on the recv file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/local/cpan /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/local/cpanel/bin/dovecot-auth from read access on the file recv.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
| If you want to allow dovecot-auth to have read access on the recv file | |
| Then you need to change the label on recv | |
| Do | |
| # semanage fcontext -a -t FILE_TYPE 'recv' | |
| where FILE_TYPE is one of the following: usr_t, krb5_keytab_t, dovecot_passwd_t, sssd_public_t, user_tmp_t, dovecot_etc_t, mysqld_etc_t, krb5_conf_t, abrt_t, lib_t, etc_t, dovecot_auth_tmp_t, ld_so_t, oddjob_mkhomedir_exec_t, sysfs_t, usr_t, dbusd_etc_t, dovecot_auth_t, afs_cache_t, abrt_helper_exec_t, faillog_t, tmpfile, var_lib_t, updpwd_exec_t, chkpwd_exec_t, cert_type, etc_runtime_t, configfile, openct_var_run_t, samba_var_t, textrel_shlib_t, initrc_var_run_t, pcscd_var_run_t, sssd_var_lib_t, net_conf_t, rpm_script_tmp_t, ld_so_cache_t, dovecot_auth_exec_t, system_dbusd_var_lib_t, configfile, abrt_var_run_t, sysctl_type, locale_t, bin_t, etc_t, sysctl_crypto_t, proc_t, prelink_exec_t, sysctl_kernel_t. | |
| Then execute: | |
| restorecon -v 'recv' | |
| ***** Plugin catchall (17.1 confidence) suggests *************************** | |
| If you believe that dovecot-auth should be allowed read access on the recv file by default. | |
| Then you should report this as a bug. | |
| You can generate a local policy module to allow this access. | |
| Do | |
| allow this access for now by executing: | |
| # grep /usr/local/cpan /var/log/audit/audit.log | audit2allow -M mypol | |
| # semodule -i mypol.pp | |
| -------------------------------------------------------------------------------- | |
| SELinux is preventing /usr/local/cpanel/bin/dovecot-auth from getattr access on the file /var/cpanel/hulkd/enabled. | |
| ***** Plugin catchall_labels (83.8 confidence) suggests ******************** | |
| If you want to allow dovecot-auth to have getattr access on the enabled file | |
| Then you need to change the label on /var/cpanel/hulkd/enabled | |
| Do | |
| # semanage fcontext -a -t FILE_TYPE '/var/cpanel/hulkd/enabled' | |
| where FILE_TYPE is one of the following: usr_t, krb5_keytab_t, dovecot_passwd_t, sssd_public_t, user_tmp_t, dovecot_etc_t, prelink_exec_t, mysqld_etc_t, krb5_conf_t, abrt_t, lib_t, etc_t, dovecot_auth_tmp_t, ld_so_t, oddjob_mkhomedir_exec_t, sysfs_t, usr_t, dbusd_etc_t, dovecot_auth_t, abrt_helper_exec_t, faillog_t, tmpfile, var_lib_t, updpwd_exec_t, chkpwd_exec_t, cert_type, etc_runtime_t, configfile, openct_var_run_t, samba_var_t, textrel_shlib_t, initrc_var_run_t, pcscd_var_run_t, sssd_var_lib_t, net_conf_t, rpm_script_tmp_t, ld_so_cache_t, dovecot_auth_exec_t, abrt_var_cache_t, system_dbusd_var_lib_t, rpm_tmp_t, configfile, abrt_var_run_t, sysctl_type, locale_t, bin_t, etc_t, sysctl_crypto_t, proc_t, krb5_host_rcache_t, prelink_exec_t, sysctl_kernel_t. | |
| Then execute: | |
| restorecon -v '/var/cpanel/hulkd/enabled' | |
| ***** Plugin catchall (17.1 confidence) suggests *************************** | |
| If you believe that dovecot-auth should be allowed getattr access on the enabled file by default. | |
| Then you should report this as a bug. | |
| You can generate a local policy module to allow this access. | |
| Do | |
| allow this access for now by executing: | |
| # grep /usr/local/cpan /var/log/audit/audit.log | audit2allow -M mypol | |
| # semodule -i mypol.pp | |
| -------------------------------------------------------------------------------- | |
| SELinux is preventing /usr/local/cpanel/bin/dovecot-auth from write access on the file 0:cpanel. | |
| ***** Plugin catchall_labels (83.8 confidence) suggests ******************** | |
| If you want to allow dovecot-auth to have write access on the 0:cpanel file | |
| Then you need to change the label on 0:cpanel | |
| Do | |
| # semanage fcontext -a -t FILE_TYPE '0:cpanel' | |
| where FILE_TYPE is one of the following: dovecot_auth_tmp_t, dovecot_auth_t, afs_cache_t, faillog_t, initrc_var_run_t, pcscd_var_run_t. | |
| Then execute: | |
| restorecon -v '0:cpanel' | |
| ***** Plugin catchall (17.1 confidence) suggests *************************** | |
| If you believe that dovecot-auth should be allowed write access on the 0:cpanel file by default. | |
| Then you should report this as a bug. | |
| You can generate a local policy module to allow this access. | |
| Do | |
| allow this access for now by executing: | |
| # grep /usr/local/cpan /var/log/audit/audit.log | audit2allow -M mypol | |
| # semodule -i mypol.pp | |
| -------------------------------------------------------------------------------- | |
| SELinux is preventing /usr/sbin/sshd from getattr access on the file /var/cpanel/hulkd/enabled. | |
| ***** Plugin catchall_labels (83.8 confidence) suggests ******************** | |
| If you want to allow sshd to have getattr access on the enabled file | |
| Then you need to change the label on /var/cpanel/hulkd/enabled | |
| Do | |
| # semanage fcontext -a -t FILE_TYPE '/var/cpanel/hulkd/enabled' | |
| where FILE_TYPE is one of the following: sysfs_t, sshd_t, usr_t, wtmp_t, krb5_keytab_t, sssd_public_t, sshd_keytab_t, user_tmp_t, xauth_exec_t, auth_cache_t, selinux_login_config_t, cfengine_var_log_t, ssh_home_t, ssh_agent_exec_t, mount_exec_t, shell_exec_t, crack_db_t, user_cron_spool_t, rssh_exec_t, ssh_home_t, sshd_key_t, prelink_exec_t, krb5_conf_t, krb5_home_t, passwd_exec_t, abrt_t, lib_t, etc_t, ld_so_t, oddjob_mkhomedir_exec_t, sysfs_t, usr_t, security_t, dbusd_etc_t, user_home_t, sshd_exec_t, fusermount_exec_t, abrt_helper_exec_t, pam_exec_t, faillog_t, nx_server_home_ssh_t, proc_afs_t, tmpfile, lastlog_t, proc_net_t, rssh_ro_t, updpwd_exec_t, chkpwd_exec_t, user_tmp_t, cert_type, etc_runtime_t, configfile, logfile, condor_var_lib_t, domain, openct_var_run_t, samba_var_t, textrel_shlib_t, initrc_var_run_t, pcscd_var_run_t, sshd_var_run_t, sssd_var_lib_t, pam_var_run_t, shutdown_exec_t, net_conf_t, rpm_script_tmp_t, public_content_t, sysctl_kernel_t, ld_so_cache_t, public_content_rw_t, user_home_t, abrt_var_cache_t, local_login_home_t, system_dbusd_var_lib_t, rpm_tmp_t, configfile, selinux_config_t, gitosis_var_lib_t, sshd_tmpfs_t, puppet_tmp_t, abrt_var_run_t, openshift_var_lib_t, openshift_tmp_t, fail2ban_var_lib_t, default_context_t, rlogind_home_t, nx_server_exec_t, cgroup_t, mail_spool_t, locale_t, var_auth_t, bin_t, etc_t, sysctl_crypto_t, proc_t, cluster_var_lib_t, cluster_var_run_t, security_t, shell_exec_t, root_t, cluster_conf_t, file_context_t, cluster_tmp_t, krb5_host_rcache_t, prelink_exec_t, sysctl_kernel_t, nfs_t. | |
| Then execute: | |
| restorecon -v '/var/cpanel/hulkd/enabled' | |
| ***** Plugin catchall (17.1 confidence) suggests *************************** | |
| If you believe that sshd should be allowed getattr access on the enabled file by default. | |
| Then you should report this as a bug. | |
| You can generate a local policy module to allow this access. | |
| Do | |
| allow this access for now by executing: | |
| # grep sshd /var/log/audit/audit.log | audit2allow -M mypol | |
| # semodule -i mypol.pp | |
| -------------------------------------------------------------------------------- | |
| SELinux is preventing /usr/sbin/sshd from read access on the file pam. | |
| ***** Plugin catchall_labels (83.8 confidence) suggests ******************** | |
| If you want to allow sshd to have read access on the pam file | |
| Then you need to change the label on pam | |
| Do | |
| # semanage fcontext -a -t FILE_TYPE 'pam' | |
| where FILE_TYPE is one of the following: sysfs_t, sshd_t, usr_t, wtmp_t, krb5_keytab_t, sssd_public_t, sshd_keytab_t, user_tmp_t, xauth_exec_t, auth_cache_t, selinux_login_config_t, ssh_home_t, ssh_agent_exec_t, mount_exec_t, shell_exec_t, crack_db_t, user_cron_spool_t, rssh_exec_t, ssh_home_t, sshd_key_t, krb5_conf_t, krb5_home_t, passwd_exec_t, abrt_t, lib_t, etc_t, ld_so_t, oddjob_mkhomedir_exec_t, sysfs_t, usr_t, security_t, dbusd_etc_t, user_home_t, sshd_exec_t, afs_cache_t, fusermount_exec_t, abrt_helper_exec_t, pam_exec_t, faillog_t, nx_server_home_ssh_t, proc_afs_t, tmpfile, lastlog_t, proc_net_t, rssh_ro_t, updpwd_exec_t, chkpwd_exec_t, cert_type, etc_runtime_t, configfile, condor_var_lib_t, domain, openct_var_run_t, samba_var_t, textrel_shlib_t, initrc_var_run_t, pcscd_var_run_t, sshd_var_run_t, sssd_var_lib_t, pam_var_run_t, net_conf_t, rpm_script_tmp_t, public_content_t, sysctl_kernel_t, ld_so_cache_t, public_content_rw_t, system_dbusd_var_lib_t, configfile, selinux_config_t, gitosis_var_lib_t, sshd_tmpfs_t, puppet_tmp_t, abrt_var_run_t, openshift_var_lib_t, openshift_tmp_t, fail2ban_var_lib_t, default_context_t, rlogind_home_t, nx_server_exec_t, cgroup_t, locale_t, var_auth_t, bin_t, etc_t, sysctl_crypto_t, proc_t, cluster_var_lib_t, cluster_var_run_t, security_t, shell_exec_t, root_t, cluster_conf_t, file_context_t, cluster_tmp_t, krb5_host_rcache_t, prelink_exec_t, sysctl_kernel_t, nfs_t. | |
| Then execute: | |
| restorecon -v 'pam' | |
| ***** Plugin catchall (17.1 confidence) suggests *************************** | |
| If you believe that sshd should be allowed read access on the pam file by default. | |
| Then you should report this as a bug. | |
| You can generate a local policy module to allow this access. | |
| Do | |
| allow this access for now by executing: | |
| # grep sshd /var/log/audit/audit.log | audit2allow -M mypol | |
| # semodule -i mypol.pp | |
| -------------------------------------------------------------------------------- | |
| SELinux is preventing /usr/sbin/sshd from write access on the sock_file cphulkd.sock. | |
| ***** Plugin catchall (100. confidence) suggests *************************** | |
| If you believe that sshd should be allowed write access on the cphulkd.sock sock_file by default. | |
| Then you should report this as a bug. | |
| You can generate a local policy module to allow this access. | |
| Do | |
| allow this access for now by executing: | |
| # grep sshd /var/log/audit/audit.log | audit2allow -M mypol | |
| # semodule -i mypol.pp | |