Sindbad~EG File Manager
����������������4���3���L�������������������1�������:���8�������s���V���z���g�������h���9���|�������(�������E���H�����������
���-���R���;!�������"��t���(#��I����#��~����$������f%��,���$&�� ���Q'������[(��m���w)�������+�������1������k2��/����3������M4������Z6��.���X8��b����:�������;�������=�������>������QA������JC�������E�������G�������I�������J��7����L�������N������QP��T���BQ�������R������9T�������U��S����W��P����W������MX��N���^Z��N����Z��U����Z��G���R[��]����[��O����[��k���H\��R����\��q����]��f���y]��V����]��F���7^��K���~^��V����^��E���!_��S���g_��j����_��B���&`��T���i`��T����`��^����c������rc������4d��t����e������4f��Z����g��?���.k��Z���nk�������k��Y���|n��U����n��6���,q������cr��C����t������6w��#����y��X����|��
���4}������B~������S������f��� ���|���
���������������z�������������������Յ������p�����������������������
���3�������e���)���_�������e������f���U���������������ي��������������r�������J�����������I���Տ������������������������������D���b���ޗ������A���\�����b���2���\�������+������c�������7�������<���������������������������������������%���ś��:������*���&�������Q�������a���/���r���:�������8���ݜ��T�������5���k���4�������x���֝��t���O���y���Ğ��T���>���7�������m���˟��a���9���U�������e������f���W���N�������g���
���:���u�����������E���¢��N�������F���W���I�������7������6��� ���c���W���'�������p������+���T���G�������G���ȥ��u���������������f��� ���h�������l������j���]���h���Ȩ��8���1���!���j���/�������������������̩��4���ܩ��$�������.���6�������e�������{���,�����������ê��?���ߪ��0�������1���P���]�������2������K�������2���_���]�������c����������T���,���d�����������d�������N��� �������X�������p���_���-���]�������E������-���1�������_���4���x���!�������'���ϰ��$������� �������_���=���R�������O������9���@���:���z���������������Ӳ������_�������#�������>���B������A���.���^���p���s���Ϸ������C�������ڸ��������������l���(���P�������y���V�������h���g���l������}���=�����������#�����������������������b���������������x�������@�������{���G���������������o�������������������>���{�����������������������c�������
�����������������������o���T���W�����������P�����������������������V�������b�������Q���H�����������{���^�����������n���������������-�������l�������z���x���������K���s���H���������������J��� ���O���k���P�������F�������U���S���C�������c������K���Q���p�������U�������A���d���@�������E������T���-���O�������U������^���(���E�������W�������#���%���W���I�����������R���V���m�����������������������<����
��_����
������O���^�������P���`���C�������Y�����������O���������������9���D�����������^�������q��� ���s���
���}���������������� ������}!��z����"�������"�������#��w���f$��w����$��i���V%�������%��.����&��Z����&��\��� '��e���}'��Q����'������5(������P(�������)�������)�������*������-+�������,�������/�������0�������1��{���)3��b����4�������5��\����5��b����5��\���`6��+����6��_����6��6���I7��D����7�������7������Q8������j8������w8��'����8��*����8��%����8������ 9�������9��0���,9��;���]9��9����9��K����9��2����:��)���R:��i���|:��d����:��n���K;��N����;��3��� <��U���=<��R����<��T����<��O���;=��X����=��A����=��I���&>��?���p>�������>��B����>��M����?��>���Q?��>����?��)����?��(����?��O���"@�� ���r@��i����@��%����@��?���#A��?���cA��l����A�������B��T����B��`����B��Z���VC��\����C��O����D��9���^D�������D��0����D�������D�������D��/����E��(���3E��-���\E�������E�������E��0����E�������E��7����E��*���5F��(���`F��Z����F��,����F��;����G��,���MG��]���zG��g����G������@H������PH������oH��T����H��N����H������&I������AI��H����I��H���"J��B���kJ��,����J�������J��3����J��!���.K��'���PK��*���xK��!����K��m����K��M���3L��J����L��8����L��6����M��!���<M������^M��W����M������;P������WP��A����P��.���:Q��h���iQ��W����Q������*R����������8���������������)���
�������w�����������G���������������D���^���$���������������o�������������������.����������������������������������5���%�������z�������;�����������:���T���������������@�����������p�����������R�������t�����������������������!�������u�������6���C�������3���x���0���W�����������������������`�������������������������������_�������~�������+���������������'���h�����������J���I�������������������e�����������g�������B�����������������������|���Y���*���c�������i�������������������������������������������,�������������������y���������������r�����������������������H�������}���N�����������A�����������2�������1�������s���q��� ���9�������&���������������������������k�������S���������������������������������������7���������������[�������V���������������������������������������-���M���U�������������������L�����������������������������������������������(�������F���E�������������������K���<���v�����������
�����������"�������f�������X���>���4���]�������n�������j���������������m�����������������������������������������������=���������������#��� �������/���{���\�������������������?�������������������d�������P���������������l���a�����������������������O���������������b�����������Q���������������Z��������
dac_override and dac_read_search capabilities usually indicates that the root process does not have access to a file based on the permission flags. This usually mean you have some file with the wrong ownership/permissions on it.
�
SELinux denied access requested by $SOURCE. It is not
expected that this access is required by $SOURCE and this access
may signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.
�
SELinux denied access requested by $SOURCE. The current boolean
settings do not allow this access. If you have not setup $SOURCE to
require this access this may signal an intrusion attempt. If you do intend
this access you need to change the booleans on this system to allow
the access.
�
SELinux has denied $SOURCE "$ACCESS" access to device $TARGET_PATH.
$TARGET_PATH is mislabeled, this device has the default label of the /dev directory, which should not
happen. All Character and/or Block Devices should have a label.
You can attempt to change the label of the file using
restorecon -v '$TARGET_PATH'.
If this device remains labeled device_t, then this is a bug in SELinux policy.
Please file a bug report.
If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for $TARGET_PATH,
you can use chcon -t SIMILAR_TYPE '$TARGET_PATH', If this fixes the problem, you can make this permanent by executing
semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'
If the restorecon changes the context, this indicates that the application that created the device, created it without
using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application.
�
Attempt restorecon -v '$TARGET_PATH' or chcon -t SIMILAR_TYPE '$TARGET_PATH'
�
Changing the "$BOOLEAN" boolean to true will allow this access:
"setsebool -P $BOOLEAN=1"
�
Changing the "$BOOLEAN" boolean to true will allow this access:
"setsebool -P $BOOLEAN=1."
�
Changing the "allow_ftpd_use_nfs" boolean to true will allow this access:
"setsebool -P allow_ftpd_use_nfs=1."
�
Changing the file_context to mnt_t will allow mount to mount the file system:
"chcon -t mnt_t '$TARGET_PATH'."
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t mnt_t '$FIX_TARGET_PATH'"
�
Confined domains should not require "sys_resource". This usually means that your system is running out some system resource like disk space, memory, quota etc. Please clear up the disk and this
AVC message should go away. If this AVC continues after you clear up the disk space, please report this as a bug.
�
Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off
access as needed.
�
If httpd scripts should be allowed to write to public directories you need to turn on the $BOOLEAN boolean and change the file context of the public directory to public_content_rw_t. Read the httpd_selinux
man page for further information:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
You must also change the default file context labeling files on the system in order to preserve public directory labeling even on a full relabel. "semanage fcontext -a -t public_content_rw_t <path>"
�
If you trust $TARGET_PATH to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'$TARGET_PATH'"
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH'"
�
If you want $SOURCE to continue, you must turn on the
$BOOLEAN boolean. Note: This boolean will affect all applications
on the system.
�
If you want httpd to send mail you need to turn on the
$BOOLEAN boolean: "setsebool -P
$BOOLEAN=1"
�
If you want to allow $SOURCE to bind to port $PORT_NUMBER, you can execute
# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
where PORT_TYPE is one of the following: %s.
If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem. setsebool -P allow_ypbind=1.
�
If you want to allow $SOURCE to connect to $PORT_NUMBER, you can execute
# sandbox -X -t sandbox_net_t $SOURCE
�
If you want to allow $SOURCE to connect to $PORT_NUMBER, you can execute
# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
where PORT_TYPE is one of the following: %s.
�
If you want to change the file context of $TARGET_PATH so that the automounter can execute it you can execute "chcon -t bin_t $TARGET_PATH". If you want this to survive a relabel, you need to permanently change the file context: execute "semanage fcontext -a -t bin_t '$FIX_TARGET_PATH'".
�
SELinux denied $SOURCE access to $TARGET_PATH.
If this is a swapfile, it has to have a file context label of
swapfile_t. If you did not intend to use
$TARGET_PATH as a swapfile, this message could indicate either a bug or an intrusion attempt.
�
SELinux denied RSYNC access to $TARGET_PATH.
If this is an RSYNC repository, it has to have a file context label of
rsync_data_t. If you did not intend to use $TARGET_PATH as an RSYNC repository,
this message could indicate either a bug or an intrusion attempt.
�
SELinux denied access requested by $SOURCE. $SOURCE_PATH may
be mislabeled. $SOURCE_PATH default SELinux type is
<B>%s</B>, but its current type is <B>$SOURCE_TYPE</B>. Changing
this file back to the default type may fix your problem.
<p>
This file could have been mislabeled either by user error, or if an normally confined application
was run under the wrong domain.
<p>
However, this might also indicate a bug in SELinux because the file should not have been labeled
with this type.
<p>
If you believe this is a bug, please file a bug report against this package.
�
SELinux denied access requested by $SOURCE. $TARGET_PATH may
be mislabeled. $TARGET_PATH default SELinux type is
<B>%s</B>, but its current type is <B>$TARGET_TYPE</B>. Changing
this file back to the default type may fix your problem.
<p>
File contexts can be assigned to a file in the following ways.
<ul>
<li>Files created in a directory receive the file context of the parent directory by default.
<li>The SELinux policy might override the default label inherited from the parent directory by
specifying a process running in context A which creates a file in a directory labeled B
will instead create the file with label C. An example of this would be the dhcp client running
with the dhcpc_t type and creating a file in the directory /etc. This file would normally
receive the etc_t type due to parental inheritance but instead the file
is labeled with the net_conf_t type because the SELinux policy specifies this.
<li>Users can change the file context on a file using tools such as chcon, or restorecon.
</ul>
This file could have been mislabeled either by user error, or if an normally confined application
was run under the wrong domain.
<p>
However, this might also indicate a bug in SELinux because the file should not have been labeled
with this type.
<p>
If you believe this is a bug, please file a bug report against this package.
�
SELinux denied access requested by $SOURCE. $TARGET_PATH may
be mislabeled. openvpn is allowed to read content in home directory if it
is labeled correctly.
�
SELinux denied access requested by $SOURCE. $TARGET_PATH may
be mislabeled. sshd is allowed to read content in /root/.ssh directory if it
is labeled correctly.
�
SELinux denied access requested by $SOURCE. It is not
expected that this access is required by $SOURCE and this access
may signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.
�
SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. mozplugger and spice-xpi run applications within mozilla-plugins that require access to the desktop, that the mozilla_plugin lockdown will not allow, so either you need to turn off the mozilla_plugin lockdown or not use these packages.
�
SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. spice-xpi run applications within mozilla-plugins that require access to the desktop, that the mozilla_plugin lockdown will not allow, so either you need to turn off the mozilla_plugin lockdown or not use these packages.
�
SELinux denied access requested by the $SOURCE command. It looks like this is either a leaked descriptor or $SOURCE output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the $TARGET_PATH. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.
�
SELinux denied access to $TARGET_PATH requested by $SOURCE.
$TARGET_PATH has a context used for sharing by a different program. If you
would like to share $TARGET_PATH from $SOURCE also, you need to
change its file context to public_content_t. If you did not intend to
allow this access, this could signal an intrusion attempt.
�
SELinux denied cvs access to $TARGET_PATH.
If this is a CVS repository it needs to have a file context label of
cvs_data_t. If you did not intend to use $TARGET_PATH as a CVS repository
it could indicate either a bug or it could signal an intrusion attempt.
�
SELinux denied samba access to $TARGET_PATH.
If you want to share this directory with samba it has to have a file context label of
samba_share_t. If you did not intend to use $TARGET_PATH as a samba repository,
this message could indicate either a bug or an intrusion attempt.
Please refer to 'man samba_selinux' for more information on setting up Samba and SELinux.
�
SELinux denied svirt access to $TARGET_PATH.
If this is a virtualization image, it has to have a file context label of
virt_image_t. The system is setup to label image files in directory./var/lib/libvirt/images
correctly. We recommend that you copy your image file to /var/lib/libvirt/images.
If you really want to have your image files in the current directory, you can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this
new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization
image it could indicate either a bug or an intrusion attempt.
�
SELinux denied svirt access to the block device $TARGET_PATH.
If this is a virtualization image, it needs to be labeled with a virtualization file context (virt_image_t). You can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this
new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization
image it could indicate either a bug or an intrusion attempt.
�
SELinux denied xen access to $TARGET_PATH.
If this is a XEN image, it has to have a file context label of
xen_image_t. The system is setup to label image files in directory /var/lib/xen/images
correctly. We recommend that you copy your image file to /var/lib/xen/images.
If you really want to have your xen image files in the current directory, you can relabel $TARGET_PATH to be xen_image_t using chcon. You also need to execute semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH' to add this
new path to the system defaults. If you did not intend to use $TARGET_PATH as a xen
image it could indicate either a bug or an intrusion attempt.
�
SELinux has denied $SOURCE from connecting to a network port $PORT_NUMBER which does not have an SELinux type associated with it.
If $SOURCE should be allowed to connect on $PORT_NUMBER, use the <i>semanage</i> command to assign $PORT_NUMBER to a port type that $SOURCE_TYPE can connect to (%s).
If $SOURCE is not supposed
to connect to $PORT_NUMBER, this could signal an intrusion attempt.
�
SELinux has denied $SOURCE from connecting to a network port $PORT_NUMBER within a sandbox.
If $SOURCE should be allowed to connect on $PORT_NUMBER, you need to use a different sandbox type like sandbox_web_t or sandbox_net_t.
# sandbox -X -t sandbox_net_t $SOURCE
If $SOURCE is not supposed
to connect to $PORT_NUMBER, this could signal an intrusion attempt.
�
SELinux has denied the $SOURCE access to potentially
mislabeled files $TARGET_PATH. This means that SELinux will not
allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, %s.
Many third party apps install html files
in directories that SELinux policy cannot predict. These directories
have to be labeled with a file context which httpd can access.
�
SELinux has denied the $SOURCE from binding to a network port $PORT_NUMBER which does not have an SELinux type associated with it.
If $SOURCE should be allowed to listen on $PORT_NUMBER, use the <i>semanage</i> command to assign $PORT_NUMBER to a port type that $SOURCE_TYPE can bind to (%s).
If $SOURCE is not supposed
to bind to $PORT_NUMBER, this could signal an intrusion attempt.
�
SELinux has denied the $SOURCE the ability to mmap low area of the kernel
address space. The ability to mmap a low area of the address space is
configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings
helps protect against exploiting null deref bugs in the kernel. All
applications that need this access should have already had policy written
for them. If a compromised application tries to modify the kernel, this AVC
would be generated. This is a serious issue. Your system may very well be
compromised.
�
SELinux has denied the $SOURCE_PATH from executing potentially
mislabeled files $TARGET_PATH. Automounter can be setup to execute
configuration files. If $TARGET_PATH is an automount executable
configuration file it needs to have a file label of bin_t.
If automounter is trying to execute something that it is not supposed to, this could indicate an intrusion attempt.
�
SELinux has denied the http daemon from sending mail. An
httpd script is trying to connect to a mail port or execute the
sendmail command. If you did not setup httpd to sendmail, this could
signal an intrusion attempt.
�
SELinux has prevented $SOURCE from loading a kernel module.
All confined programs that need to load kernel modules should have already had policy
written for them. If a compromised application
tries to modify the kernel this AVC will be generated. This is a serious
issue. Your system may very well be compromised.
�
SELinux has prevented $SOURCE from modifying $TARGET. This denial
indicates $SOURCE was trying to modify the selinux policy configuration.
All applications that need this access should have already had policy
written for them. If a compromised application tries to modify the SELinux
policy this AVC will be generated. This is a serious issue. Your system
may very well be compromised.
�
SELinux has prevented $SOURCE from modifying $TARGET. This denial
indicates $SOURCE was trying to modify the way the kernel runs or to
actually insert code into the kernel. All applications that need this
access should have already had policy written for them. If a compromised
application tries to modify the kernel this AVC will be generated. This is a
serious issue. Your system may very well be compromised.
�
SELinux has prevented $SOURCE from writing to a file under /sys/fs/selinux.
Files under /sys/fs/selinux control the way SELinux is configured.
All programs that need to write to files under /sys/fs/selinux should have already had policy
written for them. If a compromised application tries to turn off SELinux
this AVC will be generated. This is a serious issue. Your system may very
well be compromised.
�
SELinux has prevented vbetool from performing an unsafe memory operation.
�
SELinux has prevented wine from performing an unsafe memory operation.
�
SELinux is preventing $SOURCE from creating a file with a context of $SOURCE_TYPE on a filesystem.
Usually this happens when you ask the cp command to maintain the context of a file when
copying between file systems, "cp -a" for example. Not all file contexts should be maintained
between the file systems. For example, a read-only file type like iso9660_t should not be placed
on a r/w system. "cp -p" might be a better solution, as this will adopt the default file context
for the destination.
�
SELinux is preventing $SOURCE_PATH "$ACCESS" access on $TARGET_PATH.
�
SELinux is preventing $SOURCE_PATH "$ACCESS" access to $TARGET_PATH.
�
SELinux is preventing $SOURCE_PATH "$ACCESS" access to device $TARGET_PATH.
�
SELinux is preventing $SOURCE_PATH "$ACCESS" to $TARGET_PATH.
�
SELinux is preventing $SOURCE_PATH access to a leaked $TARGET_PATH file descriptor.
�
SELinux is preventing $SOURCE_PATH from binding to port $PORT_NUMBER.
�
SELinux is preventing $SOURCE_PATH from changing the access
protection of memory on the heap.
�
SELinux is preventing $SOURCE_PATH from connecting to port $PORT_NUMBER.
�
SELinux is preventing $SOURCE_PATH from creating a file with a context of $SOURCE_TYPE on a filesystem.
�
SELinux is preventing $SOURCE_PATH from loading $TARGET_PATH which requires text relocation.
�
SELinux is preventing $SOURCE_PATH from making the program stack executable.
�
SELinux is preventing $SOURCE_PATH the "$ACCESS" capability.
�
SELinux is preventing $SOURCE_PATH the "sys_resource" capability.
�
SELinux is preventing Samba ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH.
�
SELinux is preventing access to a file labeled unlabeled_t.
�
SELinux is preventing cvs ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH
�
SELinux is preventing the $SOURCE_PATH from executing potentially mislabeled files $TARGET_PATH.
�
SELinux is preventing the http daemon from sending mail.
�
SELinux is preventing xen ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH.
�
SELinux permission checks on files labeled unlabeled_t are being
denied. unlabeled_t is a context the SELinux kernel gives to files
that do not have a label. This indicates a serious labeling
problem. No files on an SELinux box should ever be labeled unlabeled_t.
If you have just added a disk drive to the system, you can
relabel it using the restorecon command. For example if you saved the
home directory from a previous installation that did not use SELinux, 'restorecon -R -v /home' will fix the labels. Otherwise you should
relabel the entire file system.
�
SELinux policy is preventing an httpd script from writing to a public
directory.
�
SELinux policy is preventing an httpd script from writing to a public
directory. If httpd is not setup to write to public directories, this
could signal an intrusion attempt.
�
SELinux prevented $SOURCE from mounting a filesystem on the file
or directory "$TARGET_PATH" of type "$TARGET_TYPE". By default
SELinux limits the mounting of filesystems to only some files or
directories (those with types that have the mountpoint attribute). The
type "$TARGET_TYPE" does not have this attribute. You can change the
label of the file or directory.
�
SELinux prevented $SOURCE from mounting on the file or directory
"$TARGET_PATH" (type "$TARGET_TYPE").
�
SELinux prevented httpd $ACCESS access to $TARGET_PATH.
httpd scripts are not allowed to write to content without explicit
labeling of all files. If $TARGET_PATH is writable content. it needs
to be labeled httpd_sys_rw_content_t or if all you need is append you can label it httpd_sys_ra_content_t. Please refer to 'man httpd_selinux' for more information on setting up httpd and selinux.
�
SELinux prevented httpd $ACCESS access to http files.
Ordinarily httpd is allowed full access to all files labeled with http file
context. This machine has a tightened security policy with the $BOOLEAN
turned off, this requires explicit labeling of all files. If a file is
a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order
to be executed. If it is read only content, it needs to be labeled
httpd_TYPE_content_t. If it is writable content, it needs to be labeled
httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the
chcon command to change these context. Please refer to the man page
"man httpd_selinux" or
<a href="http://fedora.redhat.com/docs/selinux-apache-fc3">FAQ</a>
"TYPE" refers to one of "sys", "user" or "staff" or potentially other
script types.
�
SELinux prevented httpd $ACCESS access to http files.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem.
CIFS (Comment Internet File System) is a network filesystem similar to
SMB (<a href="http://www.microsoft.com/mind/1196/cifs.asp">http://www.microsoft.com/mind/1196/cifs.asp</a>)
The ftp daemon attempted to read one or more files or directories from
a mounted filesystem of this type. As CIFS filesystems do not support
fine-grained SELinux labeling, all files and directories in the
filesystem will have the same security context.
If you have not configured the ftp daemon to read files from a CIFS filesystem
this access attempt could signal an intrusion attempt.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a NFS filesystem.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a NFS filesystem.
NFS (Network Filesystem) is a network filesystem commonly used on Unix / Linux
systems.
The ftp daemon attempted to read one or more files or directories from
a mounted filesystem of this type. As NFS filesystems do not support
fine-grained SELinux labeling, all files and directories in the
filesystem will have the same security context.
If you have not configured the ftp daemon to read files from a NFS filesystem
this access attempt could signal an intrusion attempt.
�
Sometimes a library is accidentally marked with the execstack flag,
if you find a library with this flag you can clear it with the
execstack -c LIBRARY_PATH. Then retry your application. If the
app continues to not work, you can turn the flag back on with
execstack -s LIBRARY_PATH.
�
The $SOURCE application attempted to change the access protection of memory on
the heap (e.g., allocated using malloc). This is a potential security
problem. Applications should not be doing this. Applications are
sometimes coded incorrectly and request this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux Memory Protection Tests</a>
web page explains how to remove this requirement. If $SOURCE does not work and
you need it to work, you can configure SELinux temporarily to allow
this access until the application is fixed. Please file a bug
report against this package.
�
The $SOURCE application attempted to load $TARGET_PATH which
requires text relocation. This is a potential security problem.
Most libraries do not need this permission. Libraries are
sometimes coded incorrectly and request this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux Memory Protection Tests</a>
web page explains how to remove this requirement. You can configure
SELinux temporarily to allow $TARGET_PATH to use relocation as a
workaround, until the library is fixed. Please file a bug report.
�
The $SOURCE application attempted to load $TARGET_PATH which
requires text relocation. This is a potential security problem.
Most libraries should not need this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">
SELinux Memory Protection Tests</a>
web page explains this check. This tool examined the library and it looks
like it was built correctly. So setroubleshoot can not determine if this
application is compromised or not. This could be a serious issue. Your
system may very well be compromised.
Contact your security administrator and report this issue.
�
The $SOURCE application attempted to make its stack
executable. This is a potential security problem. This should
never ever be necessary. Stack memory is not executable on most
OSes these days and this will not change. Executable stack memory
is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are
sometimes coded incorrectly and request this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux Memory Protection Tests</a>
web page explains how to remove this requirement. If $SOURCE does not
work and you need it to work, you can configure SELinux
temporarily to allow this access until the application is fixed. Please
file a bug report.
�
Use a command like "cp -p" to preserve all permissions except SELinux context.
�
You can alter the file context by executing chcon -R -t cvs_data_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t cvs_data_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -R -t rsync_data_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t rsync_data_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -R -t samba_share_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -t public_content_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t public_content_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -t swapfile_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t swapfile_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -t virt_image_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -t xen_image_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'"
�
You can execute the following command as root to relabel your
computer system: "touch /.autorelabel; reboot"
�
You can generate a local policy module to allow this
access - see <a href="http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385">FAQ</a>
Please file a bug report.
�
You can generate a local policy module to allow this
access - see <a href="http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385">FAQ</a>
�
You can restore the default system context to this file by executing the
restorecon command.
# restorecon -R /root/.ssh
�
You can restore the default system context to this file by executing the
restorecon command.
# restorecon -R /root/.ssh
�
You can restore the default system context to this file by executing the
restorecon command. restorecon '$SOURCE_PATH'.
�
You can restore the default system context to this file by executing the
restorecon command. restorecon '$TARGET_PATH', if this file is a directory,
you can recursively restore using restorecon -R '$TARGET_PATH'.
�
Your system may be seriously compromised!
�
Your system may be seriously compromised! $SOURCE_PATH attempted to mmap low kernel memory.
�
Your system may be seriously compromised! $SOURCE_PATH tried to load a kernel module.
�
Your system may be seriously compromised! $SOURCE_PATH tried to modify SELinux enforcement.
�
Your system may be seriously compromised! $SOURCE_PATH tried to modify kernel configuration.
�
Disable IPV6 properly.
�
Either remove the mozplluger package by executing 'yum remove mozplugger'
Or turn off enforcement of SELinux over the Firefox plugins.
setsebool -P unconfined_mozilla_plugin_transition 0
�
Either remove the mozplugger or spice-xpi package by executing 'yum remove mozplugger spice-xpi' or turn off enforcement of SELinux over the Firefox plugins. setsebool -P unconfined_mozilla_plugin_transition 0
�
Either remove the mozplugger or spice-xpi package by executing 'yum remove mozplugger spice-xpi', or turn off enforcement of SELinux over the Chrome plugins. setsebool -P unconfined_chrome_sandbox_transition 0
�
If you decide to continue to run the program in question you will need
to allow this operation. This can be done on the command line by
executing:
# setsebool -P mmap_low_allowed 1
�
SELinux denied an operation requested by $SOURCE, a program used
to alter video hardware state. This program is known to use
an unsafe operation on system memory but so are a number of
malware/exploit programs which masquerade as vbetool. This tool is used to
reset video state when a machine resumes from a suspend. If your machine
is not resuming properly your only choice is to allow this
operation and reduce your system security against such malware.
�
SELinux denied an operation requested by wine-preloader, a program used
to run Windows applications under Linux. This program is known to use
an unsafe operation on system memory but so are a number of
malware/exploit programs which masquerade as wine. If you were
attempting to run a Windows program your only choices are to allow this
operation and reduce your system security against such malware or to
refrain from running Windows applications under Linux. If you were not
attempting to run a Windows application this indicates you are likely
being attacked by some for of malware or program trying to exploit your
system for nefarious purposes.
Please refer to
http://wiki.winehq.org/PreloaderPageZeroProblem
Which outlines the other problems wine encounters due to its unsafe use
of memory and solutions to those problems.
�
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.�
You tried to place a type on a %s that is not a file type. This is not allowed, you must assigne a file type. You can list all file types using the seinfo command.
seinfo -afile_type -x
� Changing the "$BOOLEAN" and
"$WRITE_BOOLEAN" booleans to true will allow this access:
"setsebool -P $BOOLEAN=1 $WRITE_BOOLEAN=1".
warning: setting the "$WRITE_BOOLEAN" boolean to true will
allow the ftp daemon to write to all public content (files and
directories with type public_content_t) in addition to writing to
files and directories on CIFS filesystems. � Changing the "allow_ftpd_use_nfs" and
"ftpd_anon_write" booleans to true will allow this access:
"setsebool -P allow_ftpd_use_nfs=1 ftpd_anon_write=1".
warning: setting the "ftpd_anon_write" boolean to true will
allow the ftp daemon to write to all public content (files and
directories with type public_content_t) in addition to writing to
files and directories on NFS filesystems. �# ausearch -x $SOURCE_PATH --raw | audit2allow -D -M my-$SOURCE
# semodule -X 300 -i my-$SOURCE.pp�# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: %s.
Then execute:
restorecon -v '$FIX_TARGET_PATH'
�# semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'�# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH%s'
# restorecon %s -v '$FIX_TARGET_PATH'�# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'�# semanage port -a -t %s -p %s $PORT_NUMBER�# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
where PORT_TYPE is one of the following: %s.�A process might be attempting to hack into your system.�Add
net.ipv6.conf.all.disable_ipv6 = 1
to /etc/sysctl.conf
�Allow this access for now by executing:
# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
# semodule -X 300 -i my-$MODULE_NAME.pp�Change file context.�Change label�Change label on the library.�Change the file label to xen_image_t.�Contact your security administrator and report this issue.�Disable SELinux controls on Chrome plugins�Enable booleans�Enable booleans.�If $TARGET_BASE_PATH is a virtualization target�If $TARGET_BASE_PATH should be shared via the RSYNC daemon�If $TARGET_BASE_PATH should be shared via the cvs daemon�If you believe $SOURCE_BASE_PATH should be allowed to create $TARGET_BASE_PATH files�If you believe $SOURCE_PATH tried to disable SELinux.�If you believe that
%s
should not require execstack�If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on $TARGET_CLASS labeled $TARGET_TYPE by default.�If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on processes labeled $TARGET_TYPE by default.�If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on the $TARGET_BASE_PATH $TARGET_CLASS by default.�If you believe that $SOURCE_BASE_PATH should have the $ACCESS capability by default.�If you did not directly cause this AVC through testing.�If you do not believe that $SOURCE_PATH should be attempting to modify the kernel by loading a kernel module.�If you do not believe your $SOURCE_PATH should be modifying the kernel, by loading kernel modules�If you do not think $SOURCE_BASE_PATH should try $ACCESS access on $TARGET_BASE_PATH.�If you do not think $SOURCE_PATH should need to map heap memory that is both writable and executable.�If you do not think $SOURCE_PATH should need to map stack memory that is both writable and executable.�If you do not think $SOURCE_PATH should need to mmap low memory in the kernel.�If you do not want processes to require capabilities to use up all the system resources on your system;�If you think this is caused by a badly mislabeled machine.�If you want to %s�If you want to allow $SOURCE_BASE_PATH to mount on $TARGET_BASE_PATH.�If you want to allow $SOURCE_PATH to be able to write to shared public content�If you want to allow $SOURCE_PATH to bind to network port $PORT_NUMBER�If you want to allow $SOURCE_PATH to connect to network port $PORT_NUMBER�If you want to allow ftpd to write to cifs file systems�If you want to allow ftpd to write to nfs file systems�If you want to allow httpd to execute cgi scripts and to unify HTTPD handling of all content files.�If you want to allow httpd to send mail�If you want to change the label of $TARGET_PATH to %s, you are not allowed to since it is not a valid file type.�If you want to disable IPV6 on this machine�If you want to fix the label.
$SOURCE_PATH default label should be %s.�If you want to fix the label.
$TARGET_PATH default label should be %s.�If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system�If you want to ignore $SOURCE_BASE_PATH trying to $ACCESS access the $TARGET_BASE_PATH $TARGET_CLASS, because you believe it should not need this access.�If you want to ignore this AVC because it is dangerous and your machine seems to be working correctly.�If you want to ignore this AVC because it is dangerous and your wine applications are working correctly.�If you want to modify the label on $TARGET_BASE_PATH so that $SOURCE_BASE_PATH can have $ACCESS access on it�If you want to mv $TARGET_BASE_PATH to standard location so that $SOURCE_BASE_PATH can have $ACCESS access�If you want to to continue using SELinux Firefox plugin containment rather then using mozplugger package�If you want to treat $TARGET_BASE_PATH as public content�If you want to use the %s package�Relabel the whole file system. Includes reboot!�Restore
Context�Restore Context�SELinux is preventing $SOURCE_PATH "$ACCESS" access.�Set the image label to virt_image_t.�This is caused by a newly created file system.�Try to fix the label.�Turn off memory protection�You can read '%s' man page for more details.�You might have been hacked.�You must tell SELinux about this by enabling the '%s' boolean.
�You need to change the label on $FIX_TARGET_PATH�You need to change the label on $TARGET_BASE_PATH�You need to change the label on $TARGET_BASE_PATH to public_content_t or public_content_rw_t.�You need to change the label on $TARGET_BASE_PATH'�You need to change the label on $TARGET_PATH to a type of a similar device.�You need to change the label on '$FIX_TARGET_PATH'�You should report this as a bug.
You can generate a local policy module to allow this access.�You should report this as a bug.
You can generate a local policy module to dontaudit this access.�execstack -c %s�if you think that you might have been hacked�setsebool -P %s %s�turn on full auditing to get path information about the offending file and generate the error again.�use a command like "cp -p" to preserve all permissions except SELinux context.�you can run restorecon.�you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.�you may be under attack by a hacker, since confined applications should never need this access.�you may be under attack by a hacker, since confined applications should not need this access.�you may be under attack by a hacker, this is a very dangerous access.�you must change the labeling on $TARGET_PATH.�you must fix the labels.�you must move the cert file to the ~/.cert directory�you must pick a valid file label.�you must remove the mozplugger package.�you must setup SELinux to allow this�you must tell SELinux about this�you must tell SELinux about this by enabling the 'httpd_unified' and 'http_enable_cgi' booleans�you must tell SELinux about this by enabling the vbetool_mmap_zero_ignore boolean.�you must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean.�you must turn off SELinux controls on the Chrome plugins.�you must turn off SELinux controls on the Firefox plugins.�you need to add labels to it.�you need to change the label on $TARGET_PATH to public_content_rw_t, and potentially turn on the allow_httpd_sys_script_anon_write boolean.�you need to diagnose why your system is running out of system resources and fix the problem.
According to /usr/include/linux/capability.h, sys_resource is required to:
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */
�you need to fully relabel.�you need to modify the sandbox type. sandbox_web_t or sandbox_net_t.
For example:
sandbox -X -t sandbox_net_t $SOURCE_PATH
Please read 'sandbox' man page for more details.
�you need to report a bug.
This is a potentially dangerous access.�you need to report a bug. This is a potentially dangerous access.�you need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and do not blacklist the module'�you need to use a different command. You are not allowed to preserve the SELinux context on the target file system.�you should clear the execstack flag and see if $SOURCE_PATH works correctly.
Report this as a bug on %s.
You can clear the exestack flag by executing:�Project-Id-Version: PACKAGE VERSION
Report-Msgid-Bugs-To:
POT-Creation-Date: 2021-09-07 17:26+0200
PO-Revision-Date: 2021-09-17 07:27+0000
Last-Translator: Ludek Janda <ljanda@redhat.com>
Language-Team: Chinese (Simplified) <https://translate.fedoraproject.org/projects/setroubleshoot/plugins/zh_CN/>
Language: zh_CN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Plural-Forms: nplurals=1; plural=0;
X-Generator: Weblate 4.8
�
dac_override 和 dac_read_search 功能通常说明,鉴于权限标签,root 进程在无法访问某个文件。这通常意味着有些文件的所有者/权限是错误的。
�
SELinux 拒绝了 $SOURCE 的访问请求。
$SOURCE 并不应请求这种访问,它可能是尝试入侵的一
个信号。也可能是应用程序的特别版本或配置导致它请求额外的访问。
�
SELinux 拒绝了由 $SOURCE 发起的访问请求。当前布尔值设置不允许此访问。
如果未设置 $SOURCE 请求此访问,那么这可能是企图入侵的信号。
如果确实需要此访问权限,则需要将此系统上的布尔值修改为允许访问。
�
SELinux否认了 $SOURCE “$ACCESS“访问设备 $TARGET_路径。 $TARGET_PATH标签错误,此设备具有/ dev目录的默认标签,不应该发生。所有字符和/或块设备都应该有标签。您可以尝试使用restorecon -v'更改文件的标签$TARGET_路径'。如果此设备仍标记为device_t,则这是SELinux策略中的错误。请提交错误报告。如果你看看其他类似的设备标签,ls -lZ / dev / SIMILAR,并找到一个适合的类型 $TARGET_PATH,你可以使用chcon -t SIMILAR_TYPE'$TARGET_PATH',如果这样可以解决问题,可以通过执行semanage fcontext -a -t SIMILAR_TYPE'来使其永久化$FIX_TARGET_PATH'如果restorecon更改了上下文,则表示创建设备的应用程序在不使用SELinux API的情况下创建了它。如果您可以确定哪个应用程序创建了该设备,请提交针对此应用程序的错误报告。
�
尝试 restorecon -v '$TARGET_PATH' 或 chcon -t SIMILAR_TYPE '$TARGET_PATH'
�
将 "$BOOLEAN" 布尔值修改为“true”可允许此访问:
"setsebool -P $BOOLEAN=1"
�
将 "$BOOLEAN" 布尔值修改为“true”即可允许本访问:
"setsebool -P $BOOLEAN=1."
�
将 "allow_ftpd_use_nfs" 的布尔值改为“true”可允许此访问:
"setsebool -P allow_ftpd_use_nfs=1."
�
将 file_context 改为 mnt_t 可允许 mount 挂载文件系统:
"chcon -t mnt_t '$TARGET_PATH'。"
还必须更改系统中的默认文件环境文件以便即使在完全重新标记时也可以保留它们。"semanage fcontext -a -t mnt_t '$FIX_TARGET_PATH'"
�
限制域不应该需要“sys_resource”。这通常意味着您的某些系统资源已用尽,比如磁盘空间、内存、配额等等。请清理该磁盘,
此 AVC 信息就会消失。如果在清理磁盘后此 AVC 仍然出现,请将其作为 bug 报告提交。
�
受限制的进程可以配置为需要在不同访问权限下运行, SELinux 提供布尔值以便允许您根据需要打开或关闭
访问权限。
�
如果应允许 httpd 脚本写入公共目录,则需要打开 $BOOLEAN 布尔值,并且将公共目录的文件环境改为 public_content_rw_t。详情请查看阅读 httpd_selinux
的 man page:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
另外,还必须更改系统默认文件环境的标记文件,以便即使在完全重新标记时仍可保留公共目录的标记。 "semanage fcontext -a -t public_content_rw_t <path>"
�
如果您确信 $TARGET_PATH 可正常运行,则可将文件环境 (context)
改为 textrel_shlib_t。"chcon -t textrel_shlib_t
'$TARGET_PATH'"
您还必须修改系统中的默认文件环境文件,以便即使在完全重新标记 (relabel) 后也能保留它们。"semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH'"
�
如果想让 $SOURCE 继续执行, 必须将
$BOOLEAN 布尔值设为开启。注意:该布尔值将会影响系统中的
所有应用程序。
�
如果要允许 httpd 发送电子邮件,则需要开启 $BOOLEAN 布尔值:
"setsebool -P $BOOLEAN=1"
�
如果要允许 $SOURCE 捆绑到端口 $PORT_NUMBER,可以执行
# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
其中 PORT_TYPE 是以下之一:%s。
如果这个系统是作为 NIS 客户端运行,打开 allow_ypbind 布尔值可纠正这个问题。setsebool -P allow_ypbind=1。
�
如果要允许 $SOURCE 连接到 $PORT_NUMBER 端口,您可以执行
# sandbox -X -t sandbox_net_t $SOURCE
�
如果要允许 $SOURCE 连接到 $PORT_NUMBER,可执行
# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
其中 PORT_TYPE 是以下之一:%s。
�
如果要更改 $TARGET_PATH 的文件上下文以便自动挂载程序可执行它,则可执行 "chcon -t bin_t $TARGET_PATH"。如果要在重新标记后仍保留它,则需要永久更改文件上下文: 请执行 "semanage fcontext -a -t bin_t '$FIX_TARGET_PATH'"。
�
SELinux否认了 $SOURCE 进入 $TARGET_路径。如果这是交换文件,则必须具有swapfile_t的文件上下文标签。如果你不打算使用 $TARGET_PATH作为交换文件,此消息可能表示错误或入侵企图。
�
SELinux拒绝RSYNC访问 $TARGET_路径。如果这是一个RSYNC存储库,则必须具有rsync_data_t的文件上下文标签。如果你不打算使用 $TARGET_PATH作为RSYNC存储库,此消息可能指示错误或入侵企图。
�
SELinux拒绝了请求的访问权限 $SOURCE。 $SOURCE_PATH可能被贴错了标签。 $SOURCE_PATH默认SELinux类型是 <B>%s</B>, ,但它目前的类型是 <B>$SOURCE_类型</B>。将此文件更改回默认类型可能会解决您的问题。 <p>此文件可能由于用户错误而错误标记,或者如果在错误的域下运行通常受限的应用程序。 <p>但是,这也可能表示SELinux中存在错误,因为该文件不应使用此类型标记。 <p>如果您认为这是一个错误,请提交针对此包的错误报告。
�
SELinux拒绝了请求的访问权限 $SOURCE。 $TARGET_PATH可能被贴错了标签。 $TARGET_PATH默认SELinux类型是 <B>%s</B>, ,但它目前的类型是 <B>$TARGET_TYPE类型</B>。将此文件更改回默认类型可能会解决您的问题。 <p>可以通过以下方式将文件上下文分配给文件。 <ul> <li>默认情况下,目录中创建的文件会接收父目录的文件上下文。 <li>SELinux策略可以通过指定在上下文A中运行的进程来覆盖从父目录继承的默认标签,该进程在标记为B的目录中创建文件,而是创建带有标签C的文件。这样的一个例子是运行的dhcp客户端dhcpc_t类型并在目录 /etc中创建一个文件。由于父级继承,此文件通常会收到etc_t类型,而是使用net_conf_t类型标记文件,因为SELinux策略指定了此类。 <li>用户可以使用chcon或restorecon等工具更改文件上的文件上下文。 </ul>此文件可能由于用户错误而错误标记,或者如果在错误的域下运行通常受限的应用程序。 <p>但是,这也可能表示SELinux中存在错误,因为该文件不应使用此类型标记。 <p>如果您认为这是一个错误,请提交针对此包的错误报告。
�
SELinux拒绝了请求的访问权限 $SOURCE。 $TARGET_PATH可能被贴错了标签。如果标记正确,openvpn可以读取主目录中的内容。
�
SELinux拒绝了请求的访问权限 $SOURCE。 $TARGET_PATH可能被贴错了标签。如果标记正确,则允许sshd读取/root/.ssh目录中的内容。
�
SELinux 拒绝了 $SOURCE 的访问请求。这不该是
$SOURCE 所需要的访问请求故此这个请求
可能代表一个入侵企图。 也可能是特定
版本或应用程序的配置导致其需要
额外访问。
�
SELinux 拒绝了 $SOURCE 的访问请求。$SOURCE 不该需要此访问权限。因此这可能是企图入侵的信号。然而这也可能是应用程序的特定版本或配置导致其需要此额外访问权限。spice-xpi 在需要访问桌面的 mozilla 插件中运行程序,而这是 mozilla_plugin lockdown 所不允许的,因此只能关闭 mozilla_plugin lockdown,或不使用这些软件包。
�
SELinux 拒绝了 $SOURCE 的访问请求。这不该是 $SOURCE 所需要的访问请求,因此该请求可能是尝试入侵的信号。 当然这也可能是应用程序的特定版本或配置导致其需要额外的访问权限。spice-xpi 在需要访问桌面的 mozilla 插件中运行程序,而 mozilla_plugin lockdown 不允许此操作,因此您只能关闭 mozilla 插件锁定功能,或者不使用这些软件包。
�
SELinux 拒绝了 $SOURCE 命令的访问请求。看起来可能是描述符泄露,也可能是将 $SOURCE 的输出重定向到了无权访问的文件。泄露一般可忽略,因为 SELinux 会关闭泄露并报告该错误。如果程序不使用描述符,则可正常运行。如果是一个重定向,您在 $TARGET_PATH 中就不会看到输出。您应该可以根据 selinux-policy 生成一个 bugzilla,并被指向适当的软件包。可以忽略此 avc。
�
SELinux 拒绝了 $SOURCE 请求的对 $TARGET_PATH 的访问。
$TARGET_PATH 具有一个用于被不同程序共享的上下文。如果您想
让 $SOURCE 也共享 $TARGET_PATH ,您需要将它的文件上下文改
为 public_content_t。如果没有打算进行这个访问,这可能是入侵尝试的信号。
�
SELinux 拒绝了cvs 访问 $TARGET_PATH。
如果这是一个 CVS 程序库,它应具有文件环境标记 cvs_data_t。
如果您并没有打算将 $TARGET_PATH 作为 CVS 程序库使用,这可能是
一个 bug 或是尝试入侵的信号。
�
SELinux拒绝了samba访问权限 $TARGET_路径。如果要与samba共享此目录,则必须具有samba_share_t的文件上下文标签。如果你不打算使用 $TARGET_PATH作为samba存储库,此消息可能指示错误或入侵尝试。有关设置Samba和SELinux的更多信息,请参阅“man samba_selinux”。
�
SELinux 拒绝了 svirt 访问 $TARGET_PATH。
如果这是一个虚拟镜像,它应当有一个 virt_image_t 文件上下文标签。
该系统已被设置为在目录 ./var/lib/libvirt/images 中正确标记镜像文件。我们建议把您的镜像文件复制到 /var/lib/libvirt/images 目录中。
如果您希望将镜像文件保存在当前目录下,则可以使用 chcon 将 $TARGET_PATH 重新标记为 virt_image_t。您还需要执行 semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' 将这个新路径添加到系统默认中。如果没有希望使用 $TARGET_PATH 作为虚拟镜像,那么这可能意味着一个 Bug 或是入侵尝试的信号。
�
SELinux 拒绝对块设备进行 Svirt 访问$TARGET_PATH。如果这是虚拟化镜像,则需要使用虚拟化文件上下文(virt_image_t)进行标记。您可以使用 chcon 重新标记$TARGET_PATH 为 virt_image_t。您还需要执行semanage fcontext -a -t virt_image_t' $FIX_TARGET_PATH' 将此新路径添加到系统默认值中。如果您没有使用$TARGET_PATH做为虚拟化镜像,则可能表示错误或入侵尝试。
�
SELinux 拒绝了 xen 访问 $TARGET_PATH。
如果这是一个 XEN 映像,它应当有一个 xen_image_t 文件上下文标签。
已经将该系统设置为在目录 /var/lib/xen/images 中标记映像文件
如果确实希望将 xen 映像保存在当前目录下,则可以使用 chcon 将 $TARGET_PATH 重新标记为 xen_image_t。还需要执行 semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH' 将这个新路径添加到系统默认中。如果没想要使用 $TARGET_PATH 作为 xen 映像,那么这可能意味着一个 Bug 或是入侵尝试的信号。
�
SELinux否认了 $SOURCE 从连接到网络端口 $PORT_NUMBER没有与之关联的SELinux类型。如果 $SOURCE 应该被允许连接 $PORT_NUMBER,使用 <i>semanage的</i> 命令分配 $PORT_NUMBER到一个端口类型 $SOURCE_TYPE可以连接到(%s)。如果 $SOURCE 不应该连接到 $PORT_NUMBER,这可能是一次入侵企图。
�
SELinux否认了 $SOURCE 从连接到网络端口 $PORT_NUMBER在沙箱中。如果 $SOURCE 应该被允许连接 $PORT_NUMBER,您需要使用不同的沙箱类型,例如sandbox_web_t或sandbox_net_t。 #sandbox -X -t sandbox_net_t $SOURCE如果 $SOURCE 不应该连接到 $PORT_NUMBER,这可能是一次入侵企图。
�
SELinux 拒绝了 $SOURCE 对可能错误标记文件 $TARGET_PATH
的访问。这意味着 SELinux 将不允许 httpd 使用这些文件。如果应该允许 httpd
访问这些文件,那么您应该将该文件的上下文更改为以下类型 %s。
许多第三方应用程
序将 html 文件安装在 SELinux 策略无法预知的目录。这些目录必须以一个
httpd 能访问的文件上下文被标记。
�
SELinux 已拒绝 $SOURCE 绑定网络端口 $PORT_NUMBER,没有 SELinux 类型与之关联。
如果应允许 $SOURCE 侦听 $PORT_NUMBER 端口,则可使用 <i>semanage</i> 命令将 $PORT_NUMBER 端口指定为 $SOURCE_TYPE 可绑定的端口类型 (%s)。
如果 $SOURCE 不应绑定到 $PORT_NUMBER 端口,那么这可能是企图入侵的信号。
�
SELinux否认了这一点 $SOURCE 能够mmap内核地址空间的低区域。 mmap低地址空间的能力由/ proc / sys / kernel / mmap_min_addr配置。防止这样的映射有助于防止利用内核中的null deref错误。所有需要此访问权限的应用程序都应该已经为它们编写了策略。如果受损的应用程序尝试修改内核,则会生成此AVC。这是一个严重的问题。您的系统可能会受到损害。
�
SELinux 已经拒绝 $SOURCE_PATH 执行可能错
误标记的文件 $TARGET_PATH。可将 automounter 设置为
执行配置文件,如果 $TARGET_PATH 是一个自动挂载可执行
配置文件,则需要有一个 bin_t 文件标记。
如果 automounter 正在试图执行它不应该执行的动作, 则可能是一个入侵攻击提示。
�
SELinux拒绝了http守护进程发送邮件。 httpd脚本正在尝试连接到邮件端口或执行sendmail命令。如果您没有将httpd设置为sendmail,则可能表示入侵尝试。
�
SELinux 已阻止 $SOURCE 加载一个内核模块。
所有需加载内核模块的受限程序应该都已拥有了
各自的策略。如果有被入侵的应用程序尝试修改
内核,此 AVC 就会产生。此问题很严重。
您的系统很有可能已被破坏。
�
SELinux 已阻止 $SOURCE 修改 $TARGET。该阻止措施表明
$SOURCE 正尝试修改 selinux 策略配置。
所有需要此访问权限的应用程序均有各自的策略。
如果有被入侵的应用尝试修改 SELinux
策略,就会触发这个 AVC。这个一个严重问题。
您的系统很有可能已被破坏。
�
SELinux 已阻止 $SOURCE 修改 $TARGET。该阻
止表明 $SOURCE 正尝试修改内核运行方式或实际
上在内核中插入代码。所有需要此访问权限的应用
均已获得了各自的策略。如果有被入侵的应用尝试
修改内核,本 AVC 就会被触发。此问题很严重。
您的系统很有可能已被入侵。
�
SELinux阻止了 $SOURCE 从写入到/ sys / fs / selinux下的文件。 / sys / fs / selinux下的文件控制SELinux的配置方式。需要写入/ sys / fs / selinux下的文件的所有程序都应该已经为它们编写了策略。如果受损的应用程序试图关闭SELinux,则会生成此AVC。这是一个严重的问题。您的系统可能会受到损害。
�
SELinux 阻止了 vbetool 执行一项不安全的内存操作。
�
SELinux 阻止了 wine 执行一项不安全的内存操作。
�
SELinux 正阻止 $SOURCE 在文件系统中创建带有 $SOURCE_TYPE 环境 (context) 的文件。
这通常是在文件系统间拷贝文件时,要求 cp 命令保留文件的环境属性时发生。
比如 "cp -a"。在跨文件系统的情况下,并不是所有的文件环境属性都应当保留。
比如像 iso9660_t 这样的只读文件类型就不应该放在可读写的文件系统中。
"cp -p" 会是更好地解决方案,因为这样可以针对目标位置设置默认的文件环境。
�
SELinux 将阻止 $SOURCE "$ACCESS" 访问设备 $TARGET_PATH。
�
SELinux 将阻止 $SOURCE_PATH "$ACCESS" 访问设备 $TARGET_PATH。
�
SELinux 正在阻止 $SOURCE_PATH "$ACCESS" 访问设备 $TARGET_PATH.
�
SELinux 正在阻止 $SOURCE_PATH "$ACCESS" $TARGET_PATH。
�
SELinux 正在阻止 $SOURCE 访问泄漏的文件描述符 $TARGET_PATH。
�
SELinux 将阻止 $SOURCE 绑定到端口 $PORT_NUMBER。
�
SELinux 将阻止 $SOURCE 修改堆上
的内存 (memory on the heap) 访问保护。
�
SELinux 正在阻止 $SOURCE_PATH 连接到端口 $PORT_NUMBER。
�
SELinux 正在阻止 $SOURCE_PATH 在文件系统中生成一个上下文为 $SOURCE_TYPE 的文件。
�
SELinux 将阻止 $SOURCE 加载需要重新定位文本的 $TARGET_PATH。
�
SELinux 将阻止 $SOURCE_PATH 使程序栈可执行。
�
SELinux 会阻止 $SOURCE_PATH 的 "$ACCESS" 功能。
�
SELinux 将防止 $SOURCE_PATH 的 "sys_resource" 功能。
�
SELinux 正在阻止 Samba ($SOURCE_PATH) "$ACCESS" 访问 $TARGET_PATH。
�
SELinux 阻止对一个被标记为 unlabeled_t 的文件的访问。
�
SELinux 正在阻止 cvs ($SOURCE_PATH) "$ACCESS" 访问设备 $TARGET_PATH
�
SELinux 正在阻止 $SOURCE_PATH 执行可能错误标记的文件 $TARGET_PATH 。
�
SELinux 正在阻止 http 守护进程发送电子邮件。
�
SELinux 正在阻止xen ($SOURCE_PATH) "$ACCESS" 访问设备 $TARGET_PATH。
�
SELinux 对标记为 unlabeled_t 的文件的权限检查被拒绝。 unlabeled_t 是 SELinux 内核为没有标签的文件提供的上下文。这表明存在严重的标签问题。 SELinux 系统上的任何文件都不应标记为unlabeled_t。如果您刚刚将磁盘驱动器添加到系统,则可以使用 restorecon 命令对其重新标记。例如,如果您从以前未使用 SELinux 的安装中保存了主目录,则 'restorecon -R -v / home' 将修复标签问题。否则,您应该重新标记整个文件系统。
�
SELinux 策略正在阻止 httpd 脚本在公共
目录中写入内容。
�
SELinux 策略正在阻止 httpd 脚本向公共目录写入内容。
如果没有将 httpd 设置为可写入公共目录,
这可能是尝试入侵的信号。
�
SELinux 已阻止 $SOURCE 在类型为 $TARGET_TYPE 的文件或
目录 $TARGET_PATH 上挂载文件系统。SELinux 默认会限制将
文件系统只挂载到某些文件或目录(这些文件或目录均具有挂载点属性。)
而 $TARGET_TYPE 没有此种属性。可修改对应文件或目录的标记。
�
SELinux 阻止了 $SOURCE 挂载文件或者目录
"$TARGET_PATH" (类型为 "$TARGET_TYPE")。
�
SELinux 已阻止 httpd $ACCESS 访问 $TARGET_PATH。
没有明确标记所有文件前,httpd 脚本不能写入内容。
如果 $TARGET_PATH 是可写入文件,需要将其标记为
httpd_sys_rw_content_t,或者如果您只想要向其中附加内容,
也可以将其标记为 httpd_sys_ra_content_t。 关于设置 httpd 和 selinux 的更多详细信息请参考“man httpd_selinux”。
�
SELinux阻止了httpd $ACCESS 访问http文件。通常,httpd允许完全访问标有http文件上下文的所有文件。这台机器有一个严格的安全策略 $BOOLEAN关闭,这需要明确标记所有文件。如果文件是cgi脚本,则需要使用httpd_TYPE_script_exec_t标记以便执行。如果它是只读内容,则需要标记为httpd_TYPE_content_t。如果它是可写内容,则需要标记为httpd_TYPE_script_rw_t或httpd_TYPE_script_ra_t。您可以使用chcon命令更改这些上下文。请参阅手册页“man httpd_selinux”或 <a href="http://fedora.redhat.com/docs/selinux-apache-fc3">常问问题</a>“TYPE”指的是“sys”,“user”或“staff”之一或可能是其他脚本类型。
�
SELinux 阻止 httpd $ACCESS 访问 http 文件。
�
SELinux 已阻止 ftp 守护进程 $ACCESS 保存在 CIFS 文件系统中的文件。
�
SELinux 阻止了 ftp 守护进程 $ACCESS 保存在 CIFS 文件系统中的文件。
CIFS (Comment Internet File System) 是类似于 SMB (<a href="http://www.microsoft.com/mind/1196/cifs.asp">http://www.microsoft.com/mind/1196/cifs.asp</a>) 的文件系统。
ftp 守护进程尝试从已挂载的此类文件系统中读取一个或多个文件或目录。
因 CIFS 文件系统不支持精细的 SELinux 标签,因此文件系统中的所有文件
和目录拥有相同的安全环境 (security context)。
如果并未将让 ftp 守护进程配置为读取位于 CIFS 文件系统的文件,那么这样
的尝试很有可能是入侵的信号。
�
SELinux 阻止了 ftp 守护进程 $ACCESS 保存在 NFS 文件系统中的文件。
�
SELinux 阻止了 ftp 守护进程 $ACCESS 保存在 NFS 文件系统中的文件。
NFS (Network Filesystem) 是广泛用于 Unix 及 Linux 的网络文件系统。
ftp 守护进程尝试从已挂载的此类文件系统中读取一个或多个文件或目录。
因 NFS 文件系统不支持精细的 SELinux 标记,因此文件系统中的所有文件
和目录拥有相同的安全环境 (security context)。
如果并未将 ftp 守护进程配置为读取位于 NFS 文件系统中的文件,那么这样
的尝试很有可能是入侵的信号。
�
有时库文件会意外被标上 execstack 标记。如果您发现有
库带有此标记,您可以使用命令 execstack -c LIBRARY_PATH
将其清除。然后尝试重新应用程序。如果程序仍然无法运行,
您可用 execstack -s LIBRARY_PATH 命令重新为库加上
此标记。
�
$SOURCE 应用程序试图修改内存堆 (memory on the heap,
比如使用 malloc 分配的内存) 的访问保护。这是潜在的安全问题。
正常情况下应用程序不会有这样的行为,不过有时错误的代码也可能
会请求此权限。<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux 内存保护测试</a>页面介绍了删除此
请求的方法。如果 $SOURCE 不能正常工作,但又需要它运行,
则在此应用得到修正前可以配置 SELinux 临时允许此访问。
请针对此软件包上报 bug。
�
$SOURCE 应用程序试图读取需要文本重定位的 $TARGET_PATH。
这是潜在的安全问题。
多数程序库不需要这样做。有时候不正确编码的程序库会有这样的请求。
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux 内存保护测试</a>
页面说明如何移除这个请求。请你提交此bug。 在程序库修复前,您可暂时设置 SELinux 允许 $TARGET_PATH做文本重定向。�
该 $SOURCE 应用程序试图加载 $TARGET_PATH需要文本重定位。这是一个潜在的安全问题。大多数图书馆不需要此权限。该 <a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux内存保护测试</a>网页解释了这个检查。该工具检查了库,看起来它是正确构建的。因此,setroubleshoot无法确定此应用程序是否已被泄露。这可能是一个严重的问题。您的系统可能会受到损害。请与您的安全管理员联系并报告此问题。
�
$SOURCE 应用尝试将其栈变成可执行。 这是个潜在的安全问题。
此行为没有任何必要。在当今多数操作系统中,栈内存都是不可执行
的,并且在将来也不会有变化。栈内存可执行是最严重的安全问题
之一。而造成此问题的最可能原因就是恶意代码。有时不正确的应用
程序代码会请求此项权限。<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux 内存保护测试</a>解释了
如何移除此种请求。如果 $SOURCE 无法正常运行,但您需要让它
正常运行,那么在此应用程序修正之前,可临时配置 SELinux 以允许
此请求。欢迎提交 bug 报告。
�
使用命令 "cp -p" 保留 SELinux 外的所有 权限。
�
您可以通过执行chcon -R -t cvs_data_t'来更改文件上下文$TARGET_PATH'您还必须更改系统上的默认文件上下文文件,以便即使在完整的重新标记上也可以保留它们。 “semanage fcontext -a -t cvs_data_t'$FIX_TARGET_PATH'”
�
可通过执行 chcon -R -t rsync_data_t '$TARGET_PATH' 更改文件环境。
还必须修改系统的默认文件环境文件以便即使在完全重新标记后,仍能保留它们。"semanage fcontext -a -t rsync_data_t '$FIX_TARGET_PATH'"
�
可以通过执行 chcon -R -t samba_share_t '$TARGET_PATH' 更改文件上下文。
还必须修改系统默认文件环境文件以便即使在完全重新标记后,仍可以保留它们。"semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH'"
�
可以执行 executing chcon -t public_content_t '$TARGET_PATH' 更改文件上下文。
还必须在系统中更改默认文件上下文文件,以便在完全重新标记后保留它们。"semanage fcontext -a -t public_content_t '$FIX_TARGET_PATH'"
�
可以执行 executing chcon -t swapfile_t '$TARGET_PATH' 更改文件上下文。
还必须在系统中更改默认文件上下文文件以便在完全重新标记后保留它们。"semanage fcontext -a -t swapfile_t '$FIX_TARGET_PATH'"
�
可以执行 chcon -t virt_image_t '$TARGET_PATH' 来更改文件上下文。
还必须在系统中更改默认文件上下文文件以便在完全重新标记后保留它们。"semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'"
�
您可以执行 chcon -t xen_image_t '$TARGET_PATH' 来更改文件环境。
您还必须修改系统默认的文件环境文件以便即使在完全重新标记后,仍能保留它们。"semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'"
�
可以作为 root 执行以下命令重新设置您计算机系统的标签:
"touch /.autorelabel; reboot"
�
可以创建本地策略模块,使用该模块允许这个
访问 - 请查看 <a href="http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385">常见问题</a>
请提交 bug 报告。
�
可创建本地策略模块来允许该
访问 - 请查看 <a href="http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385">常见问题</a>
�
您可以通过执行restorecon命令将缺省系统上下文还原到此文件。 #recoverycon -R /root/.ssh
�
您可以通过执行restorecon命令将缺省系统上下文还原到此文件。 #recoverycon -R /root/.ssh
�
可使用 resotrecon 命令
恢复该文件的默认文件环境。restorecon '$SOURCE_PATH'。
�
可以执行 restorecon 命令恢复此文件的默认系统环境。
restorecon '$TARGET_PATH',如果该文件是一个目录,
可以使用 restorecon -R '$TARGET_PATH' 进行递归恢复。
�
您的系统可能被严重入侵!
�
您的系统可能被严重破坏! $SOURCE_PATH 试图 mmap 低内核内存。
�
您的系统可能被严重破坏! $SOURCE_PATH试图装载一个内核模块。
�
那么您的系统可能被严重破坏!$SOURCE_PATH 曾尝试修改 SELinux enforcement.
�
系统可能被严重破坏! $SOURCE_PATH 试图修改内核配置。
�
正确禁用 IPV6。
�
可以执行 'yum remove mozplugger' 移除 mozplluger 软件包,
后者关闭 Firefox 插件的 SELinux 强制检查。
setsebool -P unconfined_mozilla_plugin_transition 0
�
可以执行 'yum remove mozplugger spice-xpi' 删除 mozplluger 软件包,或者关闭 Firefox 插件中的 SELinux 强制检查。
setsebool -P unconfined_mozilla_plugin_transition 0
�
可通过 'yum remove mozplugger' 移除 mozplluger 或者 spice-xpi 软件包,或者关闭 Chrome 插件的 SELinux 增强功能。
setsebool -P unconfined_chrome_sandbox_transition 0
�
如果决定继续运行有问题的程序,则必须允许此操作。可在命令行长执行以下命令达到此目的:
# setsebool -P mmap_low_allowed 1
�
SELinux 拒绝了一项由 $SOURCE 发起的操作,该程序用于更改
视频硬件的状态。该程序已知会在系统内存上进行不安全操作,
因此有很多恶意/溢出程序伪会装成 vbetool。该工具用于在系统
从挂起状态恢复时重设视频硬件的状态。如果系统无法正常
从挂起状态恢复,只能选择允许操作。此操作将降低系统针对
此类恶意程序的安全防御能力。
�
SELinux 阻止了一个由 wine-preloader 请求的操作,该程序用于
在 Linux 系统中运行 Windows 程序。已知此程序会在系统内存中
进行不安全操作,因此也有大量的恶意或利用程序伪装成 wine。
如果要运行 Windows 程序,那么唯一的选择就是允许此操作。
这将降低系统对恶意程序的安全防护。或者坚持不在 Linux 系统下
运行 Windows 程序。如果没有尝试运行 Windows 程序,这说明
您的系统很有可能已被某些恶意或试图利用您系统实现恶意目的程序
攻击。
请参考
http://wiki.winehq.org/PreloaderPageZeroProblem
该页面概述了因 wine 自身对内存的不安全使用而造成的其他问题
以及这些问题的解决办法。
�
开启完整审核
# auditctl -w /etc/shadow -p w
尝试重新生成 AVC。然后执行
# ausearch -m avc -ts recent
如果可看到 PATH 记录,检查文件的所有权及权限,然后修复。
否则需向 bugzila 提交报告。�
尝试在 %s 设定的类型不是文件类型。 这是不允许的,必须指定文件类型。 可以使用 seinfo 命令列出所有文件类型。
seinfo -afile_type -x
� 修改 "$BOOLEAN" 和
"$WRITE_BOOLEAN" 布尔值为“true”将允许这个访问:
"setsebool -P $BOOLEAN=1 $WRITE_BOOLEAN=1"。
警告:设置 "$WRITE_BOOLEAN"布尔值为“true”以后,除允许
ftp守护进程向 CIFS 文件系统上的文件和目录写入外,还将
允许其向所有的公共内容 (类型为 public_content_t 的文件和目录) 写入。 � 将“allow_ftpd_use_nfs”和“ftpd_anon_write”布尔值更改为true将允许此访问:“setsebool -P allow_ftpd_use_nfs = 1 ftpd_anon_write = 1”。警告:将“ftpd_anon_write”布尔值设置为true将允许ftp守护程序除了写入NFS文件系统上的文件和目录外,还可以写入所有公共内容(类型为public_content_t的文件和目录)。 �# ausearch -x $SOURCE_PATH --raw | audit2allow -D -M my-$SOURCE
# semodule -X 300 -i my-$SOURCE.PP�# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
其中 FILE_TYPE 为以下内容之一:%s。
然后执行:
restorecon -v '$FIX_TARGET_PATH'
�# semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'�# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH%s'
# restorecon %s -v '$FIX_TARGET_PATH'�# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'�# semanage port -a -t %s -p %s $PORT_NUMBER�# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
其中 PORT_TYPE 是以下之一:%s。�应该是某个进程正在尝试入侵您的系统。�在
/etc/sysctl.conf 中
添加 net.ipv6.conf.all.disable_ipv6 = 1
�暂时允许此访问权限执行:
# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
# semodule -X 300 -i my-$MODULE_NAME.pp�更改文件上下文。�更改标签�更改库上的标签。�将文件标签更改 为xen_image_t。�联络安全管理员并报告此问题。�禁用Chrome插件上的SELinux控件�启用布尔值�启用布尔值。�如果 $TARGET_BASE_PATH是一个虚拟化目标�如果 $TARGET_BASE_PATH应该通过RSYNC守护进程共享�如果 $TARGET_BASE_PATH应该通过cvs守护进程共享�如果你相信 $SOURCE应该允许_BASE_PATH创建 $TARGET_BASE_PATH文件�如果你相信 $SOURCE_PATH试图禁用SELinux。�如果你相信%s不应该要求execstack�如果你相信 $SOURCE应该允许_BASE_PATH $ACCESS 访问 $TARGET_CLASS标记 $TARGET默认为_TYPE。�如果你相信 $SOURCE应该允许_BASE_PATH $ACCESS 访问标记的进程 $TARGET默认为_TYPE。�如果你相信 $SOURCE应该允许_BASE_PATH $ACCESS 访问 $TARGET_BASE_PATH $TARGET_CLASS默认情况下。�如果你相信 $SOURCE_BASE_PATH应该有 $ACCESS 默认情况下的功能。�如果你没有通过测试直接导致这个AVC。�如果你不相信 $SOURCE_PATH应该尝试通过加载内核模块来修改内核。�如果你不相信你的 $SOURCE_PATH应该通过加载内核模块来修改内核�如果你不思考 $SOURCE_BASE_PATH应该试试 $ACCESS 访问 $TARGET_BASE_PATH。�如果你不思考 $SOURCE_PATH应该映射既可写又可执行的堆内存。�如果你不思考 $SOURCE_PATH应该需要映射既可写又可执行的堆栈内存。�如果你不思考 $SOURCE_PATH应该在内核中mmap低内存。�如果您不希望进程要求使用系统上所有系统资源的功能;�如果您认为这是由错误贴错标签的机器引起的。�如果你想 %s�如果你想允许 $SOURCE_BASE_PATH要挂载 $TARGET_BASE_PATH。�如果您想要允许 $SOURCE_PATH 拥有向共享公用内容写入的权限�如果你想允许 $SOURCE_PATH绑定到网络端口 $PORT_数�如果你想允许 $SOURCE_PATH连接到网络端口 $PORT_数�如果要允许ftpd写入cifs文件系统�如果要允许ftpd写入nfs文件系统�如果要允许httpd执行cgi脚本并统一所有内容文件的HTTPD处理。�如果要允许httpd发送邮件�如果你想改变标签 $TARGET_PATH来 %s, ,您不被允许,因为它不是有效的文件类型。�如果要在此计算机上禁用IPV6�如果要修复标签。$SOURCE_PATH默认标签应该是 %s。�如果要修复标签。$TARGET_PATH默认标签应该是 %s。�如果您想帮助确定域是否需要此访问权限,或者您的系统上的文件具有错误的权限�如果你想忽略 $SOURCE_BASE_PATH试图 $ACCESS 访问 $TARGET_BASE_PATH $TARGET_CLASS,因为您认为它不应该需要此访问权限。�如果你想忽略这个AVC,因为它很危险,你的机器似乎正常工作。�如果你想忽略这个AVC,因为它是危险的,你的葡萄酒应用程序正常工作。�如果要修改标签 $TARGET_BASE_PATH这样 $SOURCE_BASE_PATH可以有 $ACCESS 访问它�如果你想要mv $TARGET_BASE_PATH到标准位置 $SOURCE_BASE_PATH可以有 $ACCESS 访问�如果你想继续使用SELinux Firefox插件包含而不是使用mozplugger包�如果你想要治疗 $TARGET_BASE_PATH作为公共内容�如果你想使用 %s 包�重新标记整个文件系统。包括重启!�Restore
Context�恢复上下文�SELinux 防止 $SOURCE_PATH "$ACCESS" 访问。�将镜像标签设置为 virt_image_t。�这是由新创建的文件系统引起的。�尝试固定标签。�关闭内存保护�可以阅读 '%s' 手册页面来了解详情。�您肯定被攻击了。�必须启用 '%s' 布尔值告知 SELinux 此情况。
�必须更改 $FIX_TARGET_PATH 中的标签�需要修改 $TARGET_BASE_PATH 的标记�则需要在 $TARGET_BASE_PATH 将标签改为 public_content_t 或 public_content_rw_t。�需要更改 $TARGET_BASE_PATH' 中的标签�需要将 $TARGET_PATH 的标签改为类似设备类型。�需要更改 '$FIX_TARGET_PATH' 中的标记�应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。�应该将此问题作为 bug 报告提交。
可创建本地策略模块来要求不审核此访问。�execstack -c %s�如果您认为已被攻击,�setsebool -P %s %s�打开全面审核以获得有关违规文件路径信息并再次生成该错误。�使用类似 "cp -p" 的命令保留 SELinux 上下文之外的所有权限。�可以运行 restorecon。�你可以运行restorecon。由于访问父目录的权限不足,可能已停止访问尝试,在这种情况下尝试相应地更改以下命令。�可能受到黑客攻击,因为限定程序从不需要这个访问。�可能受到黑客攻击,因为受限应用程序不需要此访问。�您可能受到黑客攻击,这是一个非常危险的访问。�则必须在 $TARGET_PATH 中更改标记。�则必须改正这个标签。�则必须将证书文件移动到 ~/.cert 目录中�必须挑选有效文件标记。�则必须删除 mozplugger 软件包。�则必须将 SELinux 设定为允许这个�必须告知 SELinux 这一情况�您必须通过将 'httpd_unified' 和 'http_enable_cgi' 布尔值设为“true”来告知 SELinux 此情况�则必须启用 vbetool_mmap_zero_ignore 布尔告知 SELinux 这个情况。�则必须通过启用 wine_mmap_zero_ignore 告知 SELinux 这个情况。�则必须关闭 SELinux 对于 Chrome 插件的控制。�必须关闭 SELinux 对于 FIrefox 插件的控制。�您需要在其中添加标签。�您需要将 $TARGET_PATH 的标记改为 public_content_rw_t,可能还要再打开 allow_httpd_sys_script_anon_write 布尔值。�您需要诊断系统资源耗尽的原因并解决问题。根据/usr/include/linux/capability.h,sys_resource需要:/ *覆盖资源限制。设置资源限制。 * / / *覆盖配额限制。 * / / *覆盖ext2文件系统上的保留空间* / / *修改ext3文件系统上的数据日志记录模式(使用日志资源)* / / *注意:ext2在检查资源覆盖时尊重fsuid,因此你也可以使用fsuid覆盖* / / *覆盖IPC消息队列的大小限制* / / *允许来自实时时钟的超过64hz中断* / / *覆盖控制台分配上的最大控制台数* / / *覆盖最大键映射数* /
�需要全部重新标记。�需要修改沙盒类型。sandbox_web_t 或 sandbox_net_t。
例如:
sandbox -X -t sandbox_net_t $SOURCE_PATH
详细信息请阅读 sandbox man 手册页。
�需要报告这个 bug。
这可能是个潜在的危险访问。�应该报告 bug。此访问可能有危险。�则需要将 /proc/sys/net/ipv6/conf/all/disable_ipv6 设定为 1,且不要将该模块放入黑名单�需要使用不同命令。不允许在目标文件系统中保留 SELinux 上下文。�应该清除 execstack 标记,然后看 $SOURCE_PATH 是否可以正常工作。
将其作为 %s 中的 bug 报告。
可以执行以下命令清除 execstack 标记:�
Sindbad File Manager Version 1.0, Coded By Sindbad EG ~ The Terrorists