Created November 11, 2013 15:38
For a server not running X we need to have setools-console and optionally fpaste installed.
fpaste will put the results on the fedora pastebin
(| fpaste optional in each command)
(shell) # yum install setools-console
The following lists the allow rules matching the query, including conditional rules together with the boolean that controls each one (the ET prefix means the rule is enabled and its boolean is currently true).
(shell) # sesearch -ASCT -s httpd_t -t postgresql_port_t -c tcp_socket -p name_connect | fpaste
Results will be similar to:
Found 2 semantic av rules:
ET allow httpd_t port_type : tcp_socket name_connect ; [ httpd_can_network_connect ]
ET allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db
##DIAGNOSTIC STARTS HERE##
The next command will check all AVC errors that occurred today, and post the output to fedora pastebin.
(shell) # ausearch -m avc -ts today | fpaste
If you run the next command, then audit2why will suggest some booleans to toggle, if there are booleans for the functionality:
(shell) # echo "avc: denied { name_connect } for pid=519 comm="httpd" dest=587 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket" | audit2why
The statement in quotes came from today's errors.
(shell) # setsebool -P httpd_can_sendmail 1
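The steps above are done by hand: copy a denial out of ausearch, read off the source and target types, and run sesearch for them. The script below is an added example (not part of the gist) that automates the middle step: it parses an AVC denial line into scontext type, tcontext type, class and permission, and builds the same sesearch -ASCT query used above, so every denial ausearch reports can be checked for a matching boolean. The sample denial line is constructed for the example and shaped like the one in the gist; when ausearch and sesearch are installed the script runs the query for each of today's denials, otherwise it only prints the query for the sample.

```shell
#!/bin/sh
# Added example, not from the gist: map an SELinux AVC denial to the
# sesearch query that shows which allow rule (and which boolean, in [ ])
# would permit it. Only POSIX sh, sed, cut and tr are used for parsing.

# Constructed sample denial in the same shape as the gist's echo line.
SAMPLE_AVC='type=AVC msg=audit(1384180000.123:456): avc:  denied  { name_connect } for  pid=519 comm="httpd" dest=587 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of the first "KEY=value" token preceded by whitespace.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT -> the type field, e.g. system_u:system_r:httpd_t:s0 -> httpd_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE -> permissions inside "denied { ... }", comma separated
# (sesearch -p accepts a comma separated list), e.g. "{ read write }" -> read,write
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ *$//' | tr ' ' ','
}

# sesearch_cmd_for LINE -> the sesearch command string for that denial.
sesearch_cmd_for() {
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perm "$1")
    printf 'sesearch -ASCT -s %s -t %s -c %s -p %s\n' "$s" "$t" "$c" "$p"
}

# With the tools present: one query per AVC denial logged today.
# Without them (or offline): just show the query for the constructed sample.
main() {
    if command -v ausearch >/dev/null 2>&1 && command -v sesearch >/dev/null 2>&1; then
        ausearch -m avc -ts today 2>/dev/null | grep 'avc:  *denied' | while IFS= read -r line; do
            cmd=$(sesearch_cmd_for "$line")
            echo "# $cmd"
            sh -c "$cmd"
        done
    else
        sesearch_cmd_for "$SAMPLE_AVC"
    fi
}

main
```

Rules whose boolean is listed in the sesearch output can be enabled with setsebool -P as in the last step; a denial for which sesearch returns no conditional rule has no boolean to toggle and needs a policy module or a file/port label change instead.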
When audit2why is not found, make sure to install policycoreutils-python.