Sindbad~EG File Manager
��������������������%����
������P�������Q���1���>���:���p�����������V�������g��� ���h���q���|�������(���W���E���������������
���e���R���s �������!��t���`"��I����"��~����$�������$��,���\%�� ����&�������'��m����(�������+�������+��/���~,�������-�������/��.����1��b����3������K5������c6�������7�������:������2<�������=�������?��7���/A������gC�������D��T����E������9G�������H�������J��S���JL��P����L�������L��N����O��N���OO��U����O��G����O��]���<P��O����P��k����P��R���VQ��q����Q��f����R��V����R��F����R��K��� S��V���lS��S����S��j����T��B����T��T����T��^����U������yU������;V��t����W������;X��Z����Y��?���5]��Z���u]�������]��Y����`��U����`��6���3c������jd��C����f������=i��#����k��X����n��
���;o������Ip������Zq������mr�� ����s��
����t�������u��z����v������"w�������w������wx�������y�������y�������z��3����z��e���0{��_����{��e����{��f���\|�������|�������|�������}������y~������Q������
���I���܁������&���������������dž������K���b����������H���\���܊��b���9���\�������+�������c���%���7�������<���������������������������������������:���̍��*�����������2�������B���/���S���:�������8�������T�������5���L���4�������x�������t���0���y�������T�������7���t���m�������a�������U���|���e���Ғ��f���8���N�������g������:���V�����������E�������N������F���8���I������7���ɕ��6�������c���8���'�������p���Ė��+���5���G���a���G�������u����������g���f�������h���h���l���љ��j���>���h�������8�������!���K�������m�������}���4�������.������������,�����������9���?���U���0�������1���Ɯ��]�������2���V���K�������2���՝��]�������c���f�������ʞ��,���ڞ����������d�������N����������Ο���������_�������]�������E���a���-�����������ա��4������!���#���'���E���$���m��� �������_�������R�������O���f���9�������:����������+�������I�������դ������������������B���a���A�������^������s���E���������������P�������"���
������M����������;���V������m���K���p�����������*���(�������^���۵������:�������ܷ��h���������6���v���ݻ��=���T�������������������,���Ǿ���������"�������^���2���������������>���������������������������N�������h�������6���C�������z�����������~�������]���Y�����������z���{���
�������w�����������|���L���y���������������V�����������N�������K�������#���B���K���f���K�������R�������K���Q���a�������K�������X���K���H�������g�������W���U���J�������C�������D���<���S�������Q�������Z���'���<�������E�������K�����������Q�����������z���������������'�������?�������Y���P�����������X������y������*���R���\���}����������I�������#���8���l���\�������������������
������������ �������
������������������{����
������q�������5���{�������}���Q���g�����������7���4�������n���Q���b�������g���#���b������������������� �������������������������������T���R���M�����������������������Q�����������b���|!�������!��\���l"��b����"��\���,#��+����#��X����#��*����$��B���9$������|$�������%�������%������+%��6���D%��/���{%�������%�������%��+����%��>����%��9���3&��J���m&��4����&��&����&��{����'��c����'��m����'��@���b(��.����(��Y����(��V���,)��V����)��S����)��S���.*��M����*��N����*��9����+������Y+��J���i+��;����+��B����+��B���3,��0���v,��/����,��^����,��%���6-��w���\-��#����-��D����-��G���=.��f����.�������.��b���{/��_����/��e���>0��_����0��\����1��4���a1�������1��
����1�������1��5����1��'����2������/2��8���E2������~2��5����2��-����2��.����2��c���*3��/����3��G����3��/����4��R���64��b����4�������4��!����4�������5��Z���15��_����5�������5������
6��f����6��`����7��B���h7��,����7�������7��-����7��'����8��'���G8��'���o8�������8��f����8��\����9��V���s9��;����9��<����:������C:��~���b:�������:������b=�������=��A���+>��3���m>��h����>��`���
?������k?����������������������Y���1�����������"�������#���m���������������}�����������3�������c�����������[���-�������������������0���|�������u�������������������F���z���������������V�����������j�����������9�����������������������������������4���e���
���o���������������r���\���w���C���������������/�����������������������k���!���M�������;�������2���B���&���������������d���������������������������t���W�������������������y�������:���������������L�����������a���_���*�����������P�������5�����������������������������������N�������(���f�������U�������������������K�������$���`�����������R�����������H���Q���������������������������=���)�������������������D���������������������������%���O�������,�����������A���������������T����������{�������l�����������������������i�������I���������������J�����������S�������.�������������������n���������������7���~���x��� �����������8�������E���+���s���g���^���������������Z�����������������������������������������������@���������������6�������������������X���������������������������������������h���G���������������?�����������������������
���'���q����������� ���������������<�������b���������������]�����������������������>���v�����������p����
dac_override and dac_read_search capabilities usually indicates that the root process does not have access to a file based on the permission flags. This usually mean you have some file with the wrong ownership/permissions on it.
�
SELinux denied access requested by $SOURCE. It is not
expected that this access is required by $SOURCE and this access
may signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.
�
SELinux denied access requested by $SOURCE. The current boolean
settings do not allow this access. If you have not setup $SOURCE to
require this access this may signal an intrusion attempt. If you do intend
this access you need to change the booleans on this system to allow
the access.
�
SELinux has denied $SOURCE "$ACCESS" access to device $TARGET_PATH.
$TARGET_PATH is mislabeled, this device has the default label of the /dev directory, which should not
happen. All Character and/or Block Devices should have a label.
You can attempt to change the label of the file using
restorecon -v '$TARGET_PATH'.
If this device remains labeled device_t, then this is a bug in SELinux policy.
Please file a bug report.
If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for $TARGET_PATH,
you can use chcon -t SIMILAR_TYPE '$TARGET_PATH', If this fixes the problem, you can make this permanent by executing
semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'
If the restorecon changes the context, this indicates that the application that created the device, created it without
using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application.
�
Attempt restorecon -v '$TARGET_PATH' or chcon -t SIMILAR_TYPE '$TARGET_PATH'
�
Changing the "$BOOLEAN" boolean to true will allow this access:
"setsebool -P $BOOLEAN=1"
�
Changing the "$BOOLEAN" boolean to true will allow this access:
"setsebool -P $BOOLEAN=1."
�
Changing the "allow_ftpd_use_nfs" boolean to true will allow this access:
"setsebool -P allow_ftpd_use_nfs=1."
�
Changing the file_context to mnt_t will allow mount to mount the file system:
"chcon -t mnt_t '$TARGET_PATH'."
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t mnt_t '$FIX_TARGET_PATH'"
�
Confined domains should not require "sys_resource". This usually means that your system is running out some system resource like disk space, memory, quota etc. Please clear up the disk and this
AVC message should go away. If this AVC continues after you clear up the disk space, please report this as a bug.
�
Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off
access as needed.
�
If httpd scripts should be allowed to write to public directories you need to turn on the $BOOLEAN boolean and change the file context of the public directory to public_content_rw_t. Read the httpd_selinux
man page for further information:
"setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>"
You must also change the default file context labeling files on the system in order to preserve public directory labeling even on a full relabel. "semanage fcontext -a -t public_content_rw_t <path>"
�
If you trust $TARGET_PATH to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'$TARGET_PATH'"
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH'"
�
If you want $SOURCE to continue, you must turn on the
$BOOLEAN boolean. Note: This boolean will affect all applications
on the system.
�
If you want httpd to send mail you need to turn on the
$BOOLEAN boolean: "setsebool -P
$BOOLEAN=1"
�
If you want to allow $SOURCE to bind to port $PORT_NUMBER, you can execute
# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
where PORT_TYPE is one of the following: %s.
If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem. setsebool -P allow_ypbind=1.
�
If you want to allow $SOURCE to connect to $PORT_NUMBER, you can execute
# sandbox -X -t sandbox_net_t $SOURCE
�
If you want to allow $SOURCE to connect to $PORT_NUMBER, you can execute
# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
where PORT_TYPE is one of the following: %s.
�
If you want to change the file context of $TARGET_PATH so that the automounter can execute it you can execute "chcon -t bin_t $TARGET_PATH". If you want this to survive a relabel, you need to permanently change the file context: execute "semanage fcontext -a -t bin_t '$FIX_TARGET_PATH'".
�
SELinux denied $SOURCE access to $TARGET_PATH.
If this is a swapfile, it has to have a file context label of
swapfile_t. If you did not intend to use
$TARGET_PATH as a swapfile, this message could indicate either a bug or an intrusion attempt.
�
SELinux denied RSYNC access to $TARGET_PATH.
If this is an RSYNC repository, it has to have a file context label of
rsync_data_t. If you did not intend to use $TARGET_PATH as an RSYNC repository,
this message could indicate either a bug or an intrusion attempt.
�
SELinux denied access requested by $SOURCE. $SOURCE_PATH may
be mislabeled. $SOURCE_PATH default SELinux type is
<B>%s</B>, but its current type is <B>$SOURCE_TYPE</B>. Changing
this file back to the default type may fix your problem.
<p>
This file could have been mislabeled either by user error, or if an normally confined application
was run under the wrong domain.
<p>
However, this might also indicate a bug in SELinux because the file should not have been labeled
with this type.
<p>
If you believe this is a bug, please file a bug report against this package.
�
SELinux denied access requested by $SOURCE. $TARGET_PATH may
be mislabeled. openvpn is allowed to read content in home directory if it
is labeled correctly.
�
SELinux denied access requested by $SOURCE. $TARGET_PATH may
be mislabeled. sshd is allowed to read content in /root/.ssh directory if it
is labeled correctly.
�
SELinux denied access requested by $SOURCE. It is not
expected that this access is required by $SOURCE and this access
may signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.
�
SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. mozplugger and spice-xpi run applications within mozilla-plugins that require access to the desktop, that the mozilla_plugin lockdown will not allow, so either you need to turn off the mozilla_plugin lockdown or not use these packages.
�
SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. spice-xpi run applications within mozilla-plugins that require access to the desktop, that the mozilla_plugin lockdown will not allow, so either you need to turn off the mozilla_plugin lockdown or not use these packages.
�
SELinux denied access requested by the $SOURCE command. It looks like this is either a leaked descriptor or $SOURCE output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the $TARGET_PATH. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.
�
SELinux denied access to $TARGET_PATH requested by $SOURCE.
$TARGET_PATH has a context used for sharing by a different program. If you
would like to share $TARGET_PATH from $SOURCE also, you need to
change its file context to public_content_t. If you did not intend to
allow this access, this could signal an intrusion attempt.
�
SELinux denied cvs access to $TARGET_PATH.
If this is a CVS repository it needs to have a file context label of
cvs_data_t. If you did not intend to use $TARGET_PATH as a CVS repository
it could indicate either a bug or it could signal an intrusion attempt.
�
SELinux denied samba access to $TARGET_PATH.
If you want to share this directory with samba it has to have a file context label of
samba_share_t. If you did not intend to use $TARGET_PATH as a samba repository,
this message could indicate either a bug or an intrusion attempt.
Please refer to 'man samba_selinux' for more information on setting up Samba and SELinux.
�
SELinux denied xen access to $TARGET_PATH.
If this is a XEN image, it has to have a file context label of
xen_image_t. The system is setup to label image files in directory /var/lib/xen/images
correctly. We recommend that you copy your image file to /var/lib/xen/images.
If you really want to have your xen image files in the current directory, you can relabel $TARGET_PATH to be xen_image_t using chcon. You also need to execute semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH' to add this
new path to the system defaults. If you did not intend to use $TARGET_PATH as a xen
image it could indicate either a bug or an intrusion attempt.
�
SELinux has denied $SOURCE from connecting to a network port $PORT_NUMBER which does not have an SELinux type associated with it.
If $SOURCE should be allowed to connect on $PORT_NUMBER, use the <i>semanage</i> command to assign $PORT_NUMBER to a port type that $SOURCE_TYPE can connect to (%s).
If $SOURCE is not supposed
to connect to $PORT_NUMBER, this could signal an intrusion attempt.
�
SELinux has denied $SOURCE from connecting to a network port $PORT_NUMBER within a sandbox.
If $SOURCE should be allowed to connect on $PORT_NUMBER, you need to use a different sandbox type like sandbox_web_t or sandbox_net_t.
# sandbox -X -t sandbox_net_t $SOURCE
If $SOURCE is not supposed
to connect to $PORT_NUMBER, this could signal an intrusion attempt.
�
SELinux has denied the $SOURCE access to potentially
mislabeled files $TARGET_PATH. This means that SELinux will not
allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, %s.
Many third party apps install html files
in directories that SELinux policy cannot predict. These directories
have to be labeled with a file context which httpd can access.
�
SELinux has denied the $SOURCE from binding to a network port $PORT_NUMBER which does not have an SELinux type associated with it.
If $SOURCE should be allowed to listen on $PORT_NUMBER, use the <i>semanage</i> command to assign $PORT_NUMBER to a port type that $SOURCE_TYPE can bind to (%s).
If $SOURCE is not supposed
to bind to $PORT_NUMBER, this could signal an intrusion attempt.
�
SELinux has denied the $SOURCE the ability to mmap low area of the kernel
address space. The ability to mmap a low area of the address space is
configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings
helps protect against exploiting null deref bugs in the kernel. All
applications that need this access should have already had policy written
for them. If a compromised application tries to modify the kernel, this AVC
would be generated. This is a serious issue. Your system may very well be
compromised.
�
SELinux has denied the $SOURCE_PATH from executing potentially
mislabeled files $TARGET_PATH. Automounter can be setup to execute
configuration files. If $TARGET_PATH is an automount executable
configuration file it needs to have a file label of bin_t.
If automounter is trying to execute something that it is not supposed to, this could indicate an intrusion attempt.
�
SELinux has denied the http daemon from sending mail. An
httpd script is trying to connect to a mail port or execute the
sendmail command. If you did not setup httpd to sendmail, this could
signal an intrusion attempt.
�
SELinux has prevented $SOURCE from loading a kernel module.
All confined programs that need to load kernel modules should have already had policy
written for them. If a compromised application
tries to modify the kernel this AVC will be generated. This is a serious
issue. Your system may very well be compromised.
�
SELinux has prevented $SOURCE from modifying $TARGET. This denial
indicates $SOURCE was trying to modify the selinux policy configuration.
All applications that need this access should have already had policy
written for them. If a compromised application tries to modify the SELinux
policy this AVC will be generated. This is a serious issue. Your system
may very well be compromised.
�
SELinux has prevented $SOURCE from modifying $TARGET. This denial
indicates $SOURCE was trying to modify the way the kernel runs or to
actually insert code into the kernel. All applications that need this
access should have already had policy written for them. If a compromised
application tries to modify the kernel this AVC will be generated. This is a
serious issue. Your system may very well be compromised.
�
SELinux has prevented $SOURCE from writing to a file under /sys/fs/selinux.
Files under /sys/fs/selinux control the way SELinux is configured.
All programs that need to write to files under /sys/fs/selinux should have already had policy
written for them. If a compromised application tries to turn off SELinux
this AVC will be generated. This is a serious issue. Your system may very
well be compromised.
�
SELinux has prevented vbetool from performing an unsafe memory operation.
�
SELinux has prevented wine from performing an unsafe memory operation.
�
SELinux is preventing $SOURCE from creating a file with a context of $SOURCE_TYPE on a filesystem.
Usually this happens when you ask the cp command to maintain the context of a file when
copying between file systems, "cp -a" for example. Not all file contexts should be maintained
between the file systems. For example, a read-only file type like iso9660_t should not be placed
on a r/w system. "cp -p" might be a better solution, as this will adopt the default file context
for the destination.
�
SELinux is preventing $SOURCE_PATH "$ACCESS" access on $TARGET_PATH.
�
SELinux is preventing $SOURCE_PATH "$ACCESS" access to $TARGET_PATH.
�
SELinux is preventing $SOURCE_PATH "$ACCESS" access to device $TARGET_PATH.
�
SELinux is preventing $SOURCE_PATH "$ACCESS" to $TARGET_PATH.
�
SELinux is preventing $SOURCE_PATH access to a leaked $TARGET_PATH file descriptor.
�
SELinux is preventing $SOURCE_PATH from binding to port $PORT_NUMBER.
�
SELinux is preventing $SOURCE_PATH from changing the access
protection of memory on the heap.
�
SELinux is preventing $SOURCE_PATH from connecting to port $PORT_NUMBER.
�
SELinux is preventing $SOURCE_PATH from creating a file with a context of $SOURCE_TYPE on a filesystem.
�
SELinux is preventing $SOURCE_PATH from loading $TARGET_PATH which requires text relocation.
�
SELinux is preventing $SOURCE_PATH from making the program stack executable.
�
SELinux is preventing $SOURCE_PATH the "$ACCESS" capability.
�
SELinux is preventing $SOURCE_PATH the "sys_resource" capability.
�
SELinux is preventing Samba ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH.
�
SELinux is preventing cvs ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH
�
SELinux is preventing the $SOURCE_PATH from executing potentially mislabeled files $TARGET_PATH.
�
SELinux is preventing the http daemon from sending mail.
�
SELinux is preventing xen ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH.
�
SELinux policy is preventing an httpd script from writing to a public
directory.
�
SELinux policy is preventing an httpd script from writing to a public
directory. If httpd is not setup to write to public directories, this
could signal an intrusion attempt.
�
SELinux prevented $SOURCE from mounting a filesystem on the file
or directory "$TARGET_PATH" of type "$TARGET_TYPE". By default
SELinux limits the mounting of filesystems to only some files or
directories (those with types that have the mountpoint attribute). The
type "$TARGET_TYPE" does not have this attribute. You can change the
label of the file or directory.
�
SELinux prevented $SOURCE from mounting on the file or directory
"$TARGET_PATH" (type "$TARGET_TYPE").
�
SELinux prevented httpd $ACCESS access to $TARGET_PATH.
httpd scripts are not allowed to write to content without explicit
labeling of all files. If $TARGET_PATH is writable content. it needs
to be labeled httpd_sys_rw_content_t or if all you need is append you can label it httpd_sys_ra_content_t. Please refer to 'man httpd_selinux' for more information on setting up httpd and selinux.
�
SELinux prevented httpd $ACCESS access to http files.
Ordinarily httpd is allowed full access to all files labeled with http file
context. This machine has a tightened security policy with the $BOOLEAN
turned off, this requires explicit labeling of all files. If a file is
a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order
to be executed. If it is read only content, it needs to be labeled
httpd_TYPE_content_t. If it is writable content, it needs to be labeled
httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the
chcon command to change these context. Please refer to the man page
"man httpd_selinux" or
<a href="http://fedora.redhat.com/docs/selinux-apache-fc3">FAQ</a>
"TYPE" refers to one of "sys", "user" or "staff" or potentially other
script types.
�
SELinux prevented httpd $ACCESS access to http files.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem.
CIFS (Comment Internet File System) is a network filesystem similar to
SMB (<a href="http://www.microsoft.com/mind/1196/cifs.asp">http://www.microsoft.com/mind/1196/cifs.asp</a>)
The ftp daemon attempted to read one or more files or directories from
a mounted filesystem of this type. As CIFS filesystems do not support
fine-grained SELinux labeling, all files and directories in the
filesystem will have the same security context.
If you have not configured the ftp daemon to read files from a CIFS filesystem
this access attempt could signal an intrusion attempt.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a NFS filesystem.
�
SELinux prevented the ftp daemon from $ACCESS files stored on a NFS filesystem.
NFS (Network Filesystem) is a network filesystem commonly used on Unix / Linux
systems.
The ftp daemon attempted to read one or more files or directories from
a mounted filesystem of this type. As NFS filesystems do not support
fine-grained SELinux labeling, all files and directories in the
filesystem will have the same security context.
If you have not configured the ftp daemon to read files from a NFS filesystem
this access attempt could signal an intrusion attempt.
�
Sometimes a library is accidentally marked with the execstack flag,
if you find a library with this flag you can clear it with the
execstack -c LIBRARY_PATH. Then retry your application. If the
app continues to not work, you can turn the flag back on with
execstack -s LIBRARY_PATH.
�
The $SOURCE application attempted to change the access protection of memory on
the heap (e.g., allocated using malloc). This is a potential security
problem. Applications should not be doing this. Applications are
sometimes coded incorrectly and request this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux Memory Protection Tests</a>
web page explains how to remove this requirement. If $SOURCE does not work and
you need it to work, you can configure SELinux temporarily to allow
this access until the application is fixed. Please file a bug
report against this package.
�
The $SOURCE application attempted to load $TARGET_PATH which
requires text relocation. This is a potential security problem.
Most libraries do not need this permission. Libraries are
sometimes coded incorrectly and request this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux Memory Protection Tests</a>
web page explains how to remove this requirement. You can configure
SELinux temporarily to allow $TARGET_PATH to use relocation as a
workaround, until the library is fixed. Please file a bug report.
�
The $SOURCE application attempted to load $TARGET_PATH which
requires text relocation. This is a potential security problem.
Most libraries should not need this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">
SELinux Memory Protection Tests</a>
web page explains this check. This tool examined the library and it looks
like it was built correctly. So setroubleshoot can not determine if this
application is compromised or not. This could be a serious issue. Your
system may very well be compromised.
Contact your security administrator and report this issue.
�
The $SOURCE application attempted to make its stack
executable. This is a potential security problem. This should
never ever be necessary. Stack memory is not executable on most
OSes these days and this will not change. Executable stack memory
is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are
sometimes coded incorrectly and request this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux Memory Protection Tests</a>
web page explains how to remove this requirement. If $SOURCE does not
work and you need it to work, you can configure SELinux
temporarily to allow this access until the application is fixed. Please
file a bug report.
�
Use a command like "cp -p" to preserve all permissions except SELinux context.
�
You can alter the file context by executing chcon -R -t cvs_data_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t cvs_data_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -R -t rsync_data_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t rsync_data_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -R -t samba_share_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -t public_content_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t public_content_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -t swapfile_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t swapfile_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -t virt_image_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'"
�
You can alter the file context by executing chcon -t xen_image_t '$TARGET_PATH'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'"
�
You can execute the following command as root to relabel your
computer system: "touch /.autorelabel; reboot"
�
You can generate a local policy module to allow this
access - see <a href="http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385">FAQ</a>
Please file a bug report.
�
You can generate a local policy module to allow this
access - see <a href="http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385">FAQ</a>
�
You can restore the default system context to this file by executing the
restorecon command.
# restorecon -R /root/.ssh
�
You can restore the default system context to this file by executing the
restorecon command.
# restorecon -R /root/.ssh
�
You can restore the default system context to this file by executing the
restorecon command. restorecon '$SOURCE_PATH'.
�
You can restore the default system context to this file by executing the
restorecon command. restorecon '$TARGET_PATH', if this file is a directory,
you can recursively restore using restorecon -R '$TARGET_PATH'.
�
Your system may be seriously compromised!
�
Your system may be seriously compromised! $SOURCE_PATH attempted to mmap low kernel memory.
�
Your system may be seriously compromised! $SOURCE_PATH tried to load a kernel module.
�
Your system may be seriously compromised! $SOURCE_PATH tried to modify SELinux enforcement.
�
Your system may be seriously compromised! $SOURCE_PATH tried to modify kernel configuration.
�
Disable IPV6 properly.
�
Either remove the mozplluger package by executing 'yum remove mozplugger'
Or turn off enforcement of SELinux over the Firefox plugins.
setsebool -P unconfined_mozilla_plugin_transition 0
�
Either remove the mozplugger or spice-xpi package by executing 'yum remove mozplugger spice-xpi' or turn off enforcement of SELinux over the Firefox plugins. setsebool -P unconfined_mozilla_plugin_transition 0
�
Either remove the mozplugger or spice-xpi package by executing 'yum remove mozplugger spice-xpi', or turn off enforcement of SELinux over the Chrome plugins. setsebool -P unconfined_chrome_sandbox_transition 0
�
If you decide to continue to run the program in question you will need
to allow this operation. This can be done on the command line by
executing:
# setsebool -P mmap_low_allowed 1
�
SELinux denied an operation requested by $SOURCE, a program used
to alter video hardware state. This program is known to use
an unsafe operation on system memory but so are a number of
malware/exploit programs which masquerade as vbetool. This tool is used to
reset video state when a machine resumes from a suspend. If your machine
is not resuming properly your only choice is to allow this
operation and reduce your system security against such malware.
�
SELinux denied an operation requested by wine-preloader, a program used
to run Windows applications under Linux. This program is known to use
an unsafe operation on system memory but so are a number of
malware/exploit programs which masquerade as wine. If you were
attempting to run a Windows program your only choices are to allow this
operation and reduce your system security against such malware or to
refrain from running Windows applications under Linux. If you were not
attempting to run a Windows application this indicates you are likely
being attacked by some for of malware or program trying to exploit your
system for nefarious purposes.
Please refer to
http://wiki.winehq.org/PreloaderPageZeroProblem
Which outlines the other problems wine encounters due to its unsafe use
of memory and solutions to those problems.
�
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.�
You tried to place a type on a %s that is not a file type. This is not allowed, you must assigne a file type. You can list all file types using the seinfo command.
seinfo -afile_type -x
� Changing the "$BOOLEAN" and
"$WRITE_BOOLEAN" booleans to true will allow this access:
"setsebool -P $BOOLEAN=1 $WRITE_BOOLEAN=1".
warning: setting the "$WRITE_BOOLEAN" boolean to true will
allow the ftp daemon to write to all public content (files and
directories with type public_content_t) in addition to writing to
files and directories on CIFS filesystems. � Changing the "allow_ftpd_use_nfs" and
"ftpd_anon_write" booleans to true will allow this access:
"setsebool -P allow_ftpd_use_nfs=1 ftpd_anon_write=1".
warning: setting the "ftpd_anon_write" boolean to true will
allow the ftp daemon to write to all public content (files and
directories with type public_content_t) in addition to writing to
files and directories on NFS filesystems. �# ausearch -x $SOURCE_PATH --raw | audit2allow -D -M my-$SOURCE
# semodule -X 300 -i my-$SOURCE.pp�# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: %s.
Then execute:
restorecon -v '$FIX_TARGET_PATH'
�# semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'�# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH%s'
# restorecon %s -v '$FIX_TARGET_PATH'�# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'�# semanage port -a -t %s -p %s $PORT_NUMBER�# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
where PORT_TYPE is one of the following: %s.�A process might be attempting to hack into your system.�Add
net.ipv6.conf.all.disable_ipv6 = 1
to /etc/sysctl.conf
�Allow this access for now by executing:
# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
# semodule -X 300 -i my-$MODULE_NAME.pp�Change file context.�Change label�Change label on the library.�Contact your security administrator and report this issue.�Disable SELinux controls on Chrome plugins�Enable booleans�Enable booleans.�If $TARGET_BASE_PATH is a virtualization target�If $TARGET_BASE_PATH should be shared via the RSYNC daemon�If $TARGET_BASE_PATH should be shared via the cvs daemon�If you believe $SOURCE_BASE_PATH should be allowed to create $TARGET_BASE_PATH files�If you believe $SOURCE_PATH tried to disable SELinux.�If you believe that
%s
should not require execstack�If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on $TARGET_CLASS labeled $TARGET_TYPE by default.�If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on processes labeled $TARGET_TYPE by default.�If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on the $TARGET_BASE_PATH $TARGET_CLASS by default.�If you believe that $SOURCE_BASE_PATH should have the $ACCESS capability by default.�If you did not directly cause this AVC through testing.�If you do not believe that $SOURCE_PATH should be attempting to modify the kernel by loading a kernel module.�If you do not believe your $SOURCE_PATH should be modifying the kernel, by loading kernel modules�If you do not think $SOURCE_BASE_PATH should try $ACCESS access on $TARGET_BASE_PATH.�If you do not think $SOURCE_PATH should need to map heap memory that is both writable and executable.�If you do not think $SOURCE_PATH should need to map stack memory that is both writable and executable.�If you do not think $SOURCE_PATH should need to mmap low memory in the kernel.�If you do not want processes to require capabilities to use up all the system resources on your system;�If you think this is caused by a badly mislabeled machine.�If you want to %s�If you want to allow $SOURCE_BASE_PATH to mount on $TARGET_BASE_PATH.�If you want to allow $SOURCE_PATH to be able to write to shared public content�If you want to allow $SOURCE_PATH to bind to network port $PORT_NUMBER�If you want to allow $SOURCE_PATH to connect to network port $PORT_NUMBER�If you want to allow ftpd to write to cifs file systems�If you want to allow ftpd to write to nfs file systems�If you want to allow httpd to execute cgi scripts and to unify HTTPD handling of all content files.�If you want to allow httpd to send mail�If you want to change the label of $TARGET_PATH to %s, you are not allowed to since it is not a valid file type.�If you want to disable IPV6 on this machine�If you want to fix the label.
$SOURCE_PATH default label should be %s.�If you want to fix the label.
$TARGET_PATH default label should be %s.�If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system�If you want to ignore $SOURCE_BASE_PATH trying to $ACCESS access the $TARGET_BASE_PATH $TARGET_CLASS, because you believe it should not need this access.�If you want to ignore this AVC because it is dangerous and your machine seems to be working correctly.�If you want to ignore this AVC because it is dangerous and your wine applications are working correctly.�If you want to modify the label on $TARGET_BASE_PATH so that $SOURCE_BASE_PATH can have $ACCESS access on it�If you want to mv $TARGET_BASE_PATH to standard location so that $SOURCE_BASE_PATH can have $ACCESS access�If you want to to continue using SELinux Firefox plugin containment rather then using mozplugger package�If you want to treat $TARGET_BASE_PATH as public content�If you want to use the %s package�Restore
Context�Restore Context�SELinux is preventing $SOURCE_PATH "$ACCESS" access.�This is caused by a newly created file system.�Turn off memory protection�You can read '%s' man page for more details.�You might have been hacked.�You must tell SELinux about this by enabling the '%s' boolean.
�You need to change the label on $FIX_TARGET_PATH�You need to change the label on $TARGET_BASE_PATH�You need to change the label on $TARGET_BASE_PATH to public_content_t or public_content_rw_t.�You need to change the label on $TARGET_BASE_PATH'�You need to change the label on $TARGET_PATH to a type of a similar device.�You need to change the label on '$FIX_TARGET_PATH'�You should report this as a bug.
You can generate a local policy module to allow this access.�You should report this as a bug.
You can generate a local policy module to dontaudit this access.�execstack -c %s�if you think that you might have been hacked�setsebool -P %s %s�turn on full auditing to get path information about the offending file and generate the error again.�use a command like "cp -p" to preserve all permissions except SELinux context.�you can run restorecon.�you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.�you may be under attack by a hacker, since confined applications should never need this access.�you may be under attack by a hacker, since confined applications should not need this access.�you may be under attack by a hacker, this is a very dangerous access.�you must change the labeling on $TARGET_PATH.�you must fix the labels.�you must move the cert file to the ~/.cert directory�you must pick a valid file label.�you must remove the mozplugger package.�you must setup SELinux to allow this�you must tell SELinux about this�you must tell SELinux about this by enabling the 'httpd_unified' and 'http_enable_cgi' booleans�you must tell SELinux about this by enabling the vbetool_mmap_zero_ignore boolean.�you must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean.�you must turn off SELinux controls on the Chrome plugins.�you must turn off SELinux controls on the Firefox plugins.�you need to add labels to it.�you need to change the label on $TARGET_PATH to public_content_rw_t, and potentially turn on the allow_httpd_sys_script_anon_write boolean.�you need to diagnose why your system is running out of system resources and fix the problem.
According to /usr/include/linux/capability.h, sys_resource is required to:
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */
�you need to fully relabel.�you need to modify the sandbox type. sandbox_web_t or sandbox_net_t.
For example:
sandbox -X -t sandbox_net_t $SOURCE_PATH
Please read 'sandbox' man page for more details.
�you need to report a bug.
This is a potentially dangerous access.�you need to report a bug. This is a potentially dangerous access.�you need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and do not blacklist the module'�you need to use a different command. You are not allowed to preserve the SELinux context on the target file system.�you should clear the execstack flag and see if $SOURCE_PATH works correctly.
Report this as a bug on %s.
You can clear the exestack flag by executing:�Project-Id-Version: PACKAGE VERSION
Report-Msgid-Bugs-To:
POT-Creation-Date: 2021-09-07 17:26+0200
PO-Revision-Date: 2018-08-23 05:41-0400
Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>
Language-Team: Chinese (Taiwan) (http://www.transifex.com/projects/p/fedora/language/zh_TW/)
Language: zh_TW
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Plural-Forms: nplurals=1; plural=0;
X-Generator: Zanata 4.6.2
�
dac_override 與 dac_read_search 能力通常表示根程序基於許可權旗標設定而沒有檔案的存取權。這通常代表您有些擁有者/許可權設定有誤的檔案。
�
SELinux 已拒絕來自 $SOURCE 的存取請求。$SOURCE
並不需要此存取因此此存取
可能可能代表系統已遭到嘗試入侵的警訊。應用程式的特定版本或設定
可能是造成它需要額外存取
的原因。
�
SELinux 已拒絕來自 $SOURCE 的存取請求。目前的布林值
設定並不允許此存取。若您並未將 $SOURCE 設為
需要此存取的話,這代表系統可能已遭到嘗試入侵的警訊。若您打算進行
此存取,您需要將此系統上的布林值更改為允許
此存取。
�
SELinux 已拒絕 $SOURCE 以「$ACCESS」方式存取 $TARGET_PATH 裝置。
$TARGET_PATH 標示有誤,此裝置的標籤為預設 /dev 目錄,但這不應該
發生。所有字元與/或區塊裝置都應該有標籤。
您可以試圖更改檔案標籤,請用
restorecon -v '$TARGET_PATH'.
若此裝置仍維持以 device_t 標示,則這應是 SELinux 方針的臭蟲。
請提交臭蟲回報。
若您查看其他類似標籤, ls -lZ /dev/SIMILAR,並找到適合 $TARGET_PATH 的類型,
您可以使用 chcon -t SIMILAR_TYPE '$TARGET_PATH'。若這樣可以修正問題,您可以
透過執行此指令使其永久生效
semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'
若 restorecon 改變了情境,這表示建立該裝置的應用程式未使用 SELinux API。
若您可以找出是哪個程式建立該裝置的,請針對該程式提交臭蟲回報。
�
嘗試 restorecon -v '$TARGET_PATH' 或 chcon -t SIMILAR_TYPE '$TARGET_PATH'
�
將「$BOOLEAN」布林值更改為 true 將會允許此存取:
「setsebool -P $BOOLEAN=1」
�
將「$BOOLEAN」布林值更改為 true 將會允許此存取:
「setsebool -P $BOOLEAN=1。」
�
若將「allow_ftpd_use_nfs」布林值更改為 true 將會允許此存取:
「setsebool -P allow_ftpd_use_nfs=1。」
�
將 file_context 更改為 mnt_t 可允許 mount 掛載檔案系統:
「chcon -t mnt_t '$TARGET_PATH'」。
您也必須更改系統上的預設檔案情境檔,才能在完整重新標記的情況下將它們保留住。「semanage fcontext -a -t mnt_t '$FIX_TARGET_PATH'」
�
受限制的領域不應需要「sys_resource」。這通常代表您的系統資源(例如磁碟空間、記憶體、配額等等)不足。請清理您的磁碟,
在這之後,此 AVC 訊息便應該會消失。若此 AVC 在您騰出磁碟空間後依然繼續出現的話,請將此情況視為錯誤並回報這項問題。
�
使用者可設定受限的程序,以執行所需的各種存取,SELinux 提供允許您視需求將存取許可開啟/關閉
的布林值。
�
如果該允許 httpd 指令稿寫入公用目錄,您需要開啟 $BOOLEAN 布林值,並將公共目錄的檔案情境變更為 public_content_rw_t。請閱讀 httpd_selinux
man 頁面以瞭解更多資訊:
「setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t <path>」
您必須也變更系統上的預設檔案情境標籤檔,這樣才能連完整重新標記的情況下也能留住公共目錄標籤。「semanage fcontext -a -t public_content_rw_t <path>」
�
若您信任 $TARGET_PATH 可正確執行的話,您可將
檔案 context 更改為 textrel_shlib_t。「chcon -t textrel_shlib_t
'$TARGET_PATH'」
您也必須要更改系統上的預設檔案情境檔才可將它們保留(就算是進行完全重新標記後)。「semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH'」
�
若您希望 $SOURCE 繼續的話,您必須將 $BOOLEAN 布林值
開啟。請注意:此布林值將會影響系統上
所有的應用程式。
�
若您希望 httpd 傳送郵件,您需要開啟
$BOOLEAN 布林值:「setsebool -P
$BOOLEAN=1」
�
如果您想允許 $SOURCE 綁定至連接埠 $PORT_NUMBER,您可以執行
# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
PORT_TYPE 為後述之一:%s。
如果此系統正以 NIS Client 執行,開啟 allow_ypbind 布林值可能修正這個問題。setsebool -P allow_ypbind=1。
�
若您想要允許 $SOURCE 連接至連接埠 $PORT_NUMBER,您可以執行
# sandbox -X -t sandbox_net_t $SOURCE
�
若您希望允許 $SOURCE 連至 $PORT_NUMBER,您可執行
# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
,PORT_TYPE 則為下列其中之一:%s。
�
如果您想變更 $TARGET_PATH 的檔案情境來讓自動掛載器可以執行它,您可以執行「chcon -t bin_t $TARGET_PATH」。如果您想讓它在重新標記後仍可使用,您需要永久性更動檔案情境:執行「semanage fcontext -a -t bin_t '$FIX_TARGET_PATH'」。
�
SELinux 已拒絕 $SOURCE 存取 $TARGET_PATH。
若這是置換空間檔案,它必須有 swapfile_t 的檔案情境標籤。
若您沒有將 $TARGET_PATH 作為置換空間檔案使用的意圖,
本訊息可能暗示有臭蟲,或是有人試圖入侵。
�
SELinux 已拒絕 RSYNC 存取 $TARGET_PATH。
若這是個 RSYNC 儲藏庫,則必須有 rsync_data_t 的檔案情境標籤。
如果您未試圖使用 $TARGET_PATH 作為 RSYNC 儲藏庫,則此訊息
可能代表軟體有臭蟲,或是有人企圖入侵系統。
�
SELinux 已拒絕 $SOURCE 之存取請求。$SOURCE_PATH 可能標示有誤。
$SOURCE_PATH 預設的 SELinux 類型為 <B>%s</B>,
但它目前的類型卻是 <B>$SOURCE_TYPE</B>。將此檔案的類型
更換回預設類型或許能修正您的問題。
<p>
此檔案可能是使用者手誤而標示錯誤,或是一般限定下的程式在
錯誤網域下執行造成。
<p>
然而,這也可能代表 SELinux 中有臭蟲,因為這份檔案不該被
標上此類型。
<p>
若您認為這是臭蟲,請針對此軟體包提交臭蟲回報。
�
SELinux 已拒絕 $SOURCE 提出的請求。可能是 $TARGET_PATH
標示不良。openvpn 有被允許讀取家屋目錄,若它有
正確標示的話。
�
SELinux 已拒絕 $SOURCE 的存取。$TARGET_PATH 可能
標記不良。sshd 有被允許讀取 /root/.ssh 目錄中的內容,
若它有正確標記的話。
�
SELinux 已拒絕 $SOURCE 的存取請求。並未預期 $SOURCE
需要此類存取,而且此類存取可能意味有入侵意圖。也有可能該
應用程式的特定版本或組態導致它需要其他存取權力。
�
SELinux 已拒絕了來自於 $SOURCE 的存取請求。並未預期 $SOURCE 需要此存取權限,並且此存取可能意味著入侵意圖。也有可能該應用程式的特定版本或配置導致它需要額外存取權限。mozplugger 與 spice-xpi 會在 mozilla-plugins 中執行需要存取桌面環境、並且 mozilla_plugin lockdown 所不允許的應用程式,因此您必須關閉 mozilla_plugin lockdown,或是選擇不使用這些軟體包。
�
SELinux 已拒絕了來自於 $SOURCE 的存取請求。並未預期 $SOURCE 需要此存取權限,並且此存取可能意味著入侵意圖。也有可能該應用程式的特定版本或配置導致它需要額外存取權限。spice-xpi 會在 mozilla-plugins 中執行需要存取桌面環境、並且 mozilla_plugin lockdown 所不允許的應用程式,因此您必須關閉 mozilla_plugin lockdown,或是選擇不使用這些軟體包。
�
SELinux 已拒絕透過 $SOURCE 指令所發出的存取請求。這看起來應該是個檔案描述符號漏失 (descriptor leak) 或是 $SOURCE 輸出被重定向至一個它為被允許存取的檔案。漏失一般可被忽略,因為這只是 SELinux 將漏失關閉並回報錯誤。這項應用程式不使用這個檔案描述符號,因此它可正常運作。若這是項重定向的話,您將不會在 $TARGET_PATH 中得到輸出。您應針對於 selinux-policy 提交一份 bugzilla,而這將會被轉至適當的軟體包上。您可安全地忽略此 avc。
�
SELinux 已拒絕 $SOURCE 所請求的 $TARGET_PATH 存取要求。
$TARGET_PATH 含有個用來和不同程式共享的情境。若您也
希望由 $SOURCE 共享 $TARGET_PATH 的話,您需要
將它的檔案情境更改為 public_content_t。若您並未允許
這項存取的話,這代表系統可能已遭到入侵的警訊。
�
SELinux 已拒絕透過 cvs 存取 $TARGET_PATH。
若這是個 CVS 軟體庫,它必須要有個檔案情境標籤
cvs_data_t。若您並未嘗試使用 $TARGET_PATH 為 cvs 儲存庫的話,
這顯示可能是項錯誤,或是它可能也代表系統已遭到嘗試入侵的警訊。
�
SELinux 已拒絕 samba 存取 $TARGET_PATH。
如果您希望和 samba 分享此目錄,則此目錄必須有 samba_share_t 檔案情境標籤。
若您未試圖使用 $TARGET_PATH 作為 samba 儲藏庫,則此訊息可能表示有軟體
臭蟲,或是有人試圖入侵系統。
請參照「man samba_selinux」瞭解更多設置 Samba 和 SELinux 的相關資訊
�
SELinux 已拒絕 xen 存取 $TARGET_PATH。
若這是個 XEN 映像檔的話,它必須要有個檔案情境標籤
為 xen_image_t。該系統已被設置能正確地標記 /var/lib/xen/images
目錄中的映像檔。我們建議您將您的映像檔複製至 /var/lib/xen/images。
若您希望您的 xen 映像檔位於目前的目錄中的話,您可透過使用chcon 來將 $TARGET_PATH 重新標記為 xen_image_t。您也需要執行 semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH' 才可將此
新路徑新增至系統預設值。若您並未嘗試使用 $TARGET_PATH 來作為一個 xen
映像檔的話,這顯示可能有項錯誤或是系統已遭到入侵的警訊。
�
SELinux 已拒絕 $SOURCE 連接網路連接埠 $PORT_NUMBER,這個連接埠沒有相關聯的 SELinux 類型。
若應該允許 $SOURCE 連接 $PORT_NUMBER,則請使用 <i>semanage</i> 指令將 $PORT_NUMBER 指派為 $SOURCE_TYPE 可連接的連接埠類型 (%s)。
若 $SOURCE 不該
連接 $PORT_NUMBER,則這可能代表有人企圖入侵系統。
�
SELinux 已拒絕 $SOURCE 在沙盒內連接網路連接埠 $PORT_NUMBER。
若應該允許 $SOURCE 連接 $PORT_NUMBER,您必須用不同的沙盒類型,如 sandbox_web_t 或 sandbox_net_t。
# sandbox -X -t sandbox_net_t $SOURCE
若 $SOURCE 不該
連接 $PORT_NUMBER,則這可能代表有人企圖入侵系統。
�
SELinux 已拒絕 $SOURCE 存取潛在的
錯誤標記的檔案 $TARGET_PATH。這代表 SELinux 不會
允許 httpd 使用這些檔案。若是 httpd 應被允許存取這些檔案的話,您應將檔案情境更改為下列其中一個類型,%s。
許多第三方應用程式會將 html 檔案
安裝在 SELinux 方針無法預測的目錄中。這些目錄
必須被一個 httpd 可存取的檔案情境所標記。
�
SELinux 已拒絕 $SOURCE 綁定至沒有 SELinux 類型關聯的 $PORT_NUMBER 網路連接埠。
如果應該允許 $SOURCE 聽取 $PORT_NUMBER,請使用 <i>semanage</i> 指令來指派 $PORT_NUMBER 為 $SOURCE_TYPE 可以綁定至的連接埠類型 (%s)。
如果 $SOURCE 不應該
綁定至 $PORT_NUMBER,這可能是有人企圖入侵的訊號。
�
SELinux 已拒絕讓 $SOURCE 有能力 mmap 內核心位址空間的低區域。mmap
位址空間低區域的能力是透過 /proc/sys/kernel/mmap_min_addr 設定而來。
防止這樣的映射方式可協助保護內核心中的 null deref 臭蟲被惡意利用。
所有需要此存取權的應用程式都應該已經有寫入相關方針。
若有受到危害的應用程式試圖修改內核心,就會發出此 AVC 通告。
這是嚴重問題。您的系統極有可能受到危害。
�
SELinux 已拒絕 $SOURCE_PATH 執行潛在的
錯誤標記的檔案 $TARGET_PATH。您可設定 Automounter 來執行
設定檔,若 $TARGET_PATH 是個 automount 可執行的
設定檔的話,它需要有個 bin_t 的檔案標籤。
若 automounter 嘗試執行它所不該執行的檔案,這代表系統可能已遭到嘗試入侵的警訊。
�
SELinux 已拒絕 http 幕後程式寄送郵件。有個 httpd 指令稿
正試圖連接郵件連接埠,或試圖執行 sendmail 指令。
若您未設置過 httpd 去使用 sendmail,這可能代表有人企圖
入侵系統。
�
SELinux 已防止 $SOURCE 載入內核心模組。
所有需要載內核心模組、受限制的程式都應要有個為它們而編寫
的方針。若有個遭到入侵的應用程式
嘗試修改內核心的話,此 AVC 便會產生。這是一項嚴重的
問題。您的系統可能已遭到入侵。
�
SELinux 已防止 $SOURCE 修改 $TARGET。這項拒絕動作
顯示 $SOURCE 嘗試修改 selinux policy 設定。
所有需要這項存取許可的應用程式都應有個為它們而
編寫的方針。若有個遭到入侵的應用程式嘗試修改 SELinux
方針的話,此 AVC 便會產生。這是一項嚴重的問題。您的系統
可能已遭到入侵。
�
SELinux 已防止 $SOURCE 修改 $TARGET。這項拒絕動作
顯示 $SOURCE 嘗試修改內核心的執行方式或是
實際地將程式碼插入內核心中。所有需要這項存取許可的應用程式
都應該已有針對於它們的方針被編寫。若有項受到入侵的
應用程式嘗試修改內核心的話,這個 AVC 便會產生。這是個
嚴重的問題。您的系統可能已遭到入侵。
�
SELinux 已防止 $SOURCE 將檔案寫入 /sys/fs/selinux。
在 /sys/fs/selinux 之下的檔案會控制 SELinux 的設定方式。
需要寫入 /sys/fs/selinux 檔案的所有程式應該已經有為其
寫入的方針。若有受到危害的應用程式試圖關閉 SELinux,
則會發出此 AVC。這是個嚴重問題。您的系統極有可能
受到危害。
�
SELinux 已防止 vbetool 進行一項不安全的記憶體作業。
�
SELinux 已防止 wine 執行一項不安全的記憶體操作。
�
SELinux 已防止 $SOURCE 在檔案系上建立一個 context 為 $SOURCE_TYPE 的檔案。
通常當在檔案系統之間進行複製時 (比方說「cp -a」),若您要求 cp 指令保留檔案的情境,
這便會發生。在檔案系統之間,並非所有檔案的情境
都必須被保留住。比方說,一個唯讀的檔案類型 (例如 iso9660_t) 不該被
設置在一個 r/w 的系統上。「cp -p」可能會是個較好的解決方案,因為這將會為目的地採用
預設的檔案情境。
�
SELinux 已防止 $SOURCE_PATH「$ACCESS」存取 $TARGET_PATH。
�
SELinux 已防止 $SOURCE_PATH「$ACCESS」存取 $TARGET_PATH。
�
SELinux 已防止 $SOURCE_PATH「$ACCESS」存取裝置 $TARGET_PATH。
�
SELinux 已防止 $SOURCE_PATH「$ACCESS」存取 $TARGET_PATH。
�
SELinux 已防止 $SOURCE_PATH 存取一個溢位的 $TARGET_PATH 檔案描述符號。
�
SELinux 已防止 $SOURCE_PATH 綁定至通訊埠 $PORT_NUMBER。
�
SELinux 已防止 $SOURCE_PATH 更改堆疊上的
記憶體存取保護。
�
SELinux 已防止 $SOURCE_PATH 連至通訊埠 $PORT_NUMBER。
�
SELinux 已防止 $SOURCE_PATH 在檔案系上建立一個情境為 $SOURCE_TYPE 的檔案。
�
SELinux 已防止 $SOURCE_PATH 載入需要文字重定位的 $TARGET_PATH。
�
SELinux 已防止 $SOURCE_PATH 使程式堆疊變得可執行。
�
SELinux 已防止 $SOURCE_PATH 「$ACCESS」的能力。
�
SELinux 已防止 $SOURCE_PATH「sys_resource」功能。
�
SELinux 已防止 Samba ($SOURCE_PATH)「$ACCESS」存取 $TARGET_PATH。
�
SELinux 已防止 cvs ($SOURCE_PATH)「$ACCESS」存取 $TARGET_PATH。
�
SELinux 已防止 $SOURCE_PATH 使用可能錯誤標記的檔案 $TARGET_PATH。
�
SELinux 已防止 http 幕後程式傳送郵件。
�
SELinux 已防止 xen ($SOURCE_PATH) 存取 $TARGET_PATH。
�
SELinux 方針防止 httpd 指令稿寫入公用的
目錄。
�
SELinux 方針防止 httpd 指令稿寫入公用的
目錄中。若 httpd 並未被設置可寫入公用目錄的話,這
代表系統可能已遭到嘗試入侵的警訊。
�
SELinux 已防止 $SOURCE 將檔案系統掛載至檔案
或目錄上「$TARGET_PATH」類型為「$TARGET_TYPE」。就預設值來講,
SELinux 會將檔案系統的掛載限制為僅有某些檔案或
目錄(這些檔案或目錄的類型皆含有掛載點屬性)。
「$TARGET_TYPE」這個類型並沒有此屬性。您可更改檔案或目錄的
標籤。
�
SELinux 已防止 $SOURCE 在檔案或目錄
「$TARGET_PATH」(「$TARGET_TYPE」類型) 上進行掛載。
�
SELinux 已防止 httpd $ACCESS 存取 $TARGET_PATH。
在所有檔案未明確標記之前,httpd 指令稿不
允許對於內容進行寫入。若 $TARGET_PATH 為可寫入的內容的話,它需要
被標記為 httpd_sys_rw_content_t,或是若您只需要進行附加的話,您可將其標記為 httpd_sys_ra_content_t。欲取得更多有關於設定 httpd 和 selinux 上的相關資訊,請參閱「man httpd_selinux」。
�
SELinux 已阻止 httpd $ACCESS 存取 http 檔案。
一般而言會允許 httpd 完整存取所有標有 http 檔案情境的檔案。
這部機器已將 $BOOLEAN 關閉而有較緊縮的安全方針,這就
必須明確標示所有檔案。若檔案是 cgi 指令稿,則其需要標有
httpd_TYPE_script_exec_t 以便執行。
若它是唯讀的內容,則需要標有 httpd_TYPE_content_t。
若它是可寫入的內容,則需要標有 httpd_TYPE_script_rw_t 或
httpd_TYPE_script_ra_t。您可以使用 chcon 指令來更改這些情境。
請參考手冊頁面 「man httpd_selinux」或
<a href="http://fedora.redhat.com/docs/selinux-apache-fc3">FAQ</a>
"TYPE" 代表「sys」、「user」、「staff」或其他潛在指令稿類型之一。
�
SELinux 已防止 httpd $ACCESS 存取 http 檔案。
�
SELinux 已防止 ftp 幕後程式 $ACCESS 檔案儲存於 CIFS 檔案系統。
�
SELinux 已防止 ftp 幕後程式 $ACCESS 儲存於 CIFS 檔案系統上的檔案。
CIFS(Comment Internet File System)是個和 SMB 相似的網路檔案系統
(<a href="http://www.microsoft.com/mind/1196/cifs.asp">http://www.microsoft.com/mind/1196/cifs.asp</a>)
ftp 幕後程式嘗試由一個此類型的已掛載檔案系統
讀取一個或更多個檔案或目錄。因為 CIFS 檔案系統不支援
fine-grained 的 SELinux 標記,因此所有檔案系統中的
檔案和目錄都會擁有相同的安全情境。
若您並未設定 ftp 幕後程式來讀取 CIFS 檔案系統中的檔案的話,
此存取代表系統可能已遭到嘗試入侵的警訊。
�
SELinux 已防止 ftp 幕後程式 $ACCESS 檔案儲存於 NFS 檔案系統。
�
SELinux 已防止 ftp 幕後程式 $ACCESS 儲存於 NFS 檔案系統上的檔案。
NFS (Network Filesystem) 是個普遍使用在 Unix / Linux 系統上的網路
檔案系統。
ftp 幕後程式嘗試由一個此類型的已掛載檔案系統
讀取一個或更多個檔案或目錄。因為 NFS 檔案系統不支援
fine-grained 的 SELinux 標記,因此所有檔案系統中的
檔案和目錄都會擁有相同的安全情境。
若您並未設定 ftp 幕後程式來讀取 NFS 檔案系統中的檔案的話,
此存取代表系統可能已遭到嘗試入侵的警訊。
�
有時函式庫會意外標有 execstack 旗標,若您找到貼有此旗標
的函式庫,您應該用 execstack -c LIBRARY_PATH 將它清除。
接著重試您的應用程式。若該程式變得無法運作,您可以再使
用 execstack -s LIBRARY_PATH 復原旗標。
�
$SOURCE 應用程式嘗試更改堆疊上的記憶體 (利用 malloc 來分配的) 存取
保護。這是個潛在的安全性
問題。應用程式不該這麼作。應用程式有時
會被錯誤編寫,並要求此許可。
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux 記憶體保護測試</a>
網頁解釋如何移除這項需求。若 $SOURCE 無法運作而
您需要它運作的話,您可透過暫時性地設定 SELinux 以允許
這項存取,直到應用程式被修復。請針對於此軟體包提交一份
錯誤報告。
�
$SOURCE 應用程式試圖載入 $TARGET_PATH,而它要求作文字重新定位。
這潛藏安全問題。
大多數函式庫不需要此權限。函式庫有時編寫不正確,所以要求此權限。
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux 記憶體保護測試</a>
網頁有解釋如何移除此要求。您可以暫時將 SELinux 設定為
允許 $TARGET_PATH 使用重新定位作為補救措施,直到該函式庫
修正為止。請您提交臭蟲回報。
�
$SOURCE 應用程式試圖載入 $TARGET_PATH,而它要求作文字重新定位。
這潛藏安全問題。
大多數函式庫不應需要此權限。
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux 記憶體保護測試</a>
網頁有解釋這項檢查。此工具已檢閱該函式庫,看來它似乎有正確建置。
所以 setroubleshoot 無法判定此應用程式是否會造成系統危害。這可能是個
嚴重問題。您的系統極可能受到危害。
請聯絡您的安全管理員,並報告此議題。
�
$SOURCE 應用程式嘗試使它的堆疊
變得可執行。這是個潛在的安全性問題。這應該從未是
必要的。堆疊記憶體在大多數現今的作業系統上是無法執行的,
並且這是不會改變的。可執行的堆疊記憶體
屬於最大的安全性問題之一。實際上,execstack 錯誤最可能
是因為有害的程式碼所造成的。應用程式
有時會被錯誤編寫因而請求此許可。
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux 記憶體保護測試</a>
網頁解釋如何移除此需求。若 $SOURCE 無法運作
而您需要它運作的話,您可透過暫時性地
設定 SELinux,以允許此存取,直到應用程式被修復。請提交一份
錯誤報告。
�
使用一項類似「cp -p」的指令來保留所有除 SELinux 情境以外的許可權設定。
�
您可以執行 chcon -R -t cvs_data_t '$TARGET_PATH' 來改變檔案情境
即使是要完全重新標示,您也必須更改系統上的預設檔案情境檔作為預防。 "semanage fcontext -a -t cvs_data_t '$FIX_TARGET_PATH'"
�
您可透過執行 chcon -R -t rsync_data_t '$TARGET_PATH' 來修改檔案情境
您也必須更改系統上的預設檔案情境檔,才能在完整標記的情況下將它們保留住。「semanage fcontext -a -t rsync_data_t '$FIX_TARGET_PATH'」
�
您可透過執行 chcon -R -t samba_share_t '$TARGET_PATH' 來修改檔案情境
您也必須更改系統上的預設檔案情境檔,才能在完整標記的情況下將它們保留住。「semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH'」
�
您可透過執行 chcon -t public_content_t '$TARGET_PATH' 來修改檔案情境
您也必須更改系統上的預設檔案情境檔,才能在完整重新標記的情況下將它們保留住。「semanage fcontext -a -t public_content_t '$FIX_TARGET_PATH'」
�
您可透過執行 chcon -t swapfile_t '$TARGET_PATH' 來修改檔案情境
您也必須更改系統上的預設檔案情境檔,才能在完整標記的情況下將它們保留住。「semanage fcontext -a -t swapfile_t '$FIX_TARGET_PATH'」
�
您可透過執行 chcon -t virt_image_t '$TARGET_PATH' 來修改檔案情境
您也必須更改系統上的預設檔案情境檔,才能在完整標記的情況下將它們保留住。「semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'」
�
您可透過執行 chcon -t xen_image_t '$TARGET_PATH' 來修改檔案情境
您也必須更改系統上的預設檔案情境檔,才能在完整標記的情況下將它們保留住。「semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'」
�
您可以 root 身份執行下列指令來重新標記您
的電腦系統:「touch /.autorelabel; reboot」
�
您可產生一份本機方針模組以允許這項
存取 - 請參閱 <a href="http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385">FAQ</a>
請提交一份錯誤報告。
�
您可產生一份本機方針模組來允許這項
存取 - 請參閱 <a href="http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385">FAQ</a>
�
您可以還原此檔案的預設系統情境,請執行
restorecon 指令。
# restorecon -R /root/.ssh
�
您可以還原此檔案的預設系統情境,請執行
restorecon 指令。
# restorecon -R /root/.ssh
�
您可以執行 restorecon 指令還原預設系統情境。
restorecon '$SOURCE_PATH'。
�
您可透過執行 restorecon 指令來還原此檔案的
預設系統情境。restorecon '$TARGET_PATH',若此檔案是個目錄的話,
您可透過使用 restorecon -R '$TARGET_PATH' 來遞迴地還原。
�
您的系統可能已嚴重遭到入侵!
�
您的系統可能已嚴重遭到入侵!$SOURCE_PATH 已嘗試 mmap 低層的內核心記憶體。
�
您的系統可能已嚴重遭到入侵!$SOURCE_PATH 已嘗試載入內核心模組。
�
您的系統可能已嚴重遭到入侵!$SOURCE_PATH 已嘗試修改 SELinux enforcement。
�
您的系統可能已嚴重遭到入侵!$SOURCE_PATH 已嘗試修改內核心組態。
�
適當停用 IPV6。
�
可以透過 'yum remove mozplugger' 的執行來移除 mozplluger 軟體包
或關閉 SELinux 對 Firefox 外掛程式的強制執行。
setsebool -P unconfined_mozilla_plugin_transition 0
�
您可以透過執行「yum remove mozplugger spice-xpi」來移除 mozplluger 或 spice-xpi 軟體包
或是關閉 SELinux 對於 Firefox 外掛程式的強制執行。setsebool -P unconfined_mozilla_plugin_transition 0
�
您可以透過「yum remove mozplugger spice-xpi」來移除 mozplugger spice-xpi 軟體包或是關閉 SELinux 對於 Chrome 外掛程式的安全性實作。setsebool -P unconfined_chrome_sandbox_transition 0
�
若您決定繼續執行疑似有問題的程式,您將需要
先允許進行這項作業。您可透過在指令列上輸入
這項指令來完成這項動作:
# setsebool -P mmap_low_allowed 1
�
SELinux 已拒絕一項 $SOURCE 所請求的作業,這是個用來
修改顯示硬體狀態的程式。已得知這項程式會在系統記憶體上
進行一項不安全的作業,而有些惡意軟體/安全漏洞程式也會假冒成 vbetool。這項工具主要
被使用於機器由暫停狀態復原時,重設顯示硬體狀態的情況下。若您的機器
無法正常復原的話,您唯一的選擇就是允許這
項作業並降低您系統對於此種惡意軟體的安全性。
�
SELinux 已拒絕一項來自於 wine-preloader 的作業請求,這是個用來
在 Linux 下執行 Windows 應用程式的程式。已得知這項程式會在系統記憶體上
進行一項不安全的作業,而有些惡意軟體/安全漏洞程式
也會假冒成 wine。若您要嘗試
執行一項 Windows 程式,您唯一的選擇就是允許這項
作業進行,並降低您系統對於此種惡意軟體的安全性,或是
避免在 Linux 下執行 Windows 應用程式。若您並未嘗試
執行一項 Windows 應用程式,這表示您很可能
已經受到惡意軟體的攻擊,或是某些程式正嘗試攻擊您
系統的安全性漏洞。
請參閱
http://wiki.winehq.org/PreloaderPageZeroProblem
在此描述 wine 基於未安全使用記憶體,而遇上的其它
問題,以及相關問題的解決方法。
�
開啟完整稽核
# auditctl -w /etc/shadow -p w
嘗試重新建立 AVC。然後執行
# ausearch -m avc -ts recent
若您看見 PATH record,請檢查檔案上的擁有權/權限,並將它修正,
否則請將它提交至 bugzilla。�
您嘗試對 %s 放置非檔案類型的類型。不允許如此執行,您必須指派檔案類型。您可以使用 seinfo 指令列出所有檔案類型。
seinfo -afile_type -x
� 若將「$BOOLEAN」和
「$WRITE_BOOLEAN」布林值更改為 true 的話將可允許此存取:
「setsebool -P $BOOLEAN=1 $WRITE_BOOLEAN=1」。
警告:若將「$WRITE_BOOLEAN」布林值設為 true 的話將會
允許 ftp 幕後程式除寫入
CIFS 檔案系統上的檔案與目錄之外,還可對所有的公用內容進行寫入 (類型為 public_content_t 的檔案
和目錄)。 � 變更 "allow_ftpd_use_nfs" 和
"ftpd_anon_write" 布林值為真,會允許此項存取:
"setsebool -P allow_ftpd_use_nfs=1 ftpd_anon_write=1"。
警告:將 "ftpd_anon_write" 布林值設為真,會允許 ftp 幕後程式
寫入所有公用內容(有 public_content_t 類型的檔案和目錄),
此外還能寫入 NFS 檔案系統上的檔案和目錄。 �# ausearch -x $SOURCE_PATH --raw | audit2allow -D -M my-$SOURCE
# semodule -X 300 -i my-$SOURCE.pp�# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
FILE_TYPE 為後述之一:%s。
接著執行:
restorecon -v '$FIX_TARGET_PATH'
�# semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'�# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH%s'
# restorecon %s -v '$FIX_TARGET_PATH'�# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'�# semanage port -a -t %s -p %s $PORT_NUMBER�# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER
PORT_TYPE 為後述之一:%s。�有程序可能試圖駭進您的系統。�將
net.ipv6.conf.all.disable_ipv6 = 1
加入至 /etc/sysctl.conf
�立刻允許此存取,請執行:
# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
# semodule -X 300 -i my-$MODULE_NAME.pp�變更檔案情境。�變更標籤�變更函式庫標籤。�請聯絡您的安全管理員,並回報此議題。�停用 Chrome 外掛程式的 SELinux 控制項�啟用布林�啟用布林。�是否 $TARGET_BASE_PATH 為虛擬化目標�是否 $TARGET_BASE_PATH 應該透過 RSYNC 幕後程式共享�若 $TARGET_BASE_PATH 應該透過 cvs 幕後程式分享�若您相信應該允許 $SOURCE_BASE_PATH 建立 $TARGET_BASE_PATH 檔案�若您相信 $SOURCE_PATH 曾試圖停用 SELinux。�若您相信
%s
不應需要 execstack�如果你認為預設值 $SOURCE_BASE_PATH 應該在 $TARGET_CLASS (標籤 $TARGET_TYPE)上允許 $ACCESS 存取權限�若您相信 $SOURCE_BASE_PATH 應該預設讓標有 $TARGET_TYPE 的程序允許 $ACCESS 存取。�若您相信 $SOURCE_BASE_PATH 應該預設允許在 $TARGET_BASE_PATH $TARGET_CLASS 上作 $ACCESS 存取。�若您相信 $SOURCE_BASE_PATH 應該預設有 $ACCESS 能力。�若您不是透過測試直接導致此 AVC。�若您不相信 $SOURCE_PATH 應該試圖透過載入內核心模組來修改內核心。�若您不相信您的 $SOURCE_PATH 應該透過載入內核心模組來修改內核心�若您認為 $SOURCE_BASE_PATH 不應嘗試對 $TARGET_BASE_PATH 作 $ACCESS 存取。�若您認為 $SOURCE_PATH 不應該需要可讀、可寫地映射堆積記憶體。�若您認為 $SOURCE_PATH 不應該需要可讀、可寫地映射堆疊記憶體。�若您不認為 $SOURCE_PATH 應該需要 mmap 低記憶體到內核心中。�若您不希望程序必須有能力用上您系統中的所有系統資源;�若您認為這是因為機器標籤設定不良導致。�若您希望 %s�如果你希望允許 $SOURCE_BASE_PATH 掛載到 $TARGET_BASE_PATH 上。�若您希望允許 $SOURCE_PATH 寫入共享的公用內容�若您希望允許 $SOURCE_PATH 綁定網路連接埠 $PORT_NUMBER�若您希望允許 $SOURCE_PATH 連接網路連接埠 $PORT_NUMBER�若您希望允許 ftpd 寫入 cifs 檔案系統�若您希望允許 ftpd 寫入 nfs 檔案系統�若您希望允許 httpd 執行 cgi 指令稿,且統合所有內容檔案的 HTTPD 處理。�若您希望允許 httpd 寄送郵件�若您希望將 $TARGET_PATH 的標籤變更為 %s,則無法允許您如此,因為它不是有效的檔案類型。�若您希望停用此機器的 IPV6�若您希望修正標籤。
$SOURCE_PATH 預設標籤應該為 %s。�若您希望修正該標籤。
$TARGET_PATH 預設標籤應該為 %s。�若您希望協助辨別網域是否需要此存取,或是您系統上有檔案的權限設定錯誤�若您希望忽略 $SOURCE_BASE_PATH 試圖對 $TARGET_BASE_PATH $TARGET_CLASS 作 $ACCESS 存取,因為您相信它不應需要此存取。�若您希望忽略此 AVC 因為覺得危險,而且您的機器似乎看起來有正確運作。�若您希望忽略此 AVC 因為覺得危險,而且您的 wine 應用程式有正確運作。�若您希望修改 $TARGET_BASE_PATH 上的標籤以讓 $SOURCE_BASE_PATH 可對其有 $ACCESS 存取�若您希望 mv $TARGET_BASE_PATH 到標準位置以讓 $SOURCE_BASE_PATH 可有 $ACCESS 存取�若您希望繼續使用 SELinux Firefox 外掛程式容器而非使用 mozplugger 軟體包�若您希望將 $TARGET_BASE_PATH 視為公用內容�若您希望使用 %s 軟體包�還原
情境�還原情境�SELinux 已防止 $SOURCE_PATH 「$ACCESS」存取。�這起因為新建檔案系統導致。�關閉記憶體保護�您可以讀取「%s」手冊頁面瞭解更多細節。�您可能已經被駭。�您必須啟用「%s」布林值以通知 SELinux。
�您需要更改 $FIX_TARGET_PATH 上的標籤�您需要變更 $TARGET_BASE_PATH 上的標籤�您需要將 $TARGET_BASE_PATH 上的標籤更改為 public_content_t 或是 public_content_rw_t。�您需要更改 $TARGET_BASE_PATH' 上的標籤�您需要將 $TARGET_PATH 上的標籤更改為相似裝置的類型。�您需要更改 '$FIX_TARGET_PATH' 上的標籤�您應將此回報為錯誤。
您可產生本機模組,以允許這項存取。�您應將此作為錯誤提交。
您可產生本機方針模組,以 dontaudit 這項存取。�execstack -c %s�若您認為可能已經被入侵�setsebool -P %s %s�開啟完整稽核以取得有關於違例檔案的相關資訊,並再次產生錯誤。�使用像是「cp -p」的指令來保留完整許可權設定,但不包含 SELinux 情境。�您可以執行 restorecon。�您可以執行 restorecon。存取的企圖可能已經停止,因為權限不足以存取上層目錄,此情況下請嘗試更換下列指令。�您可能遭受駭客攻擊,因為受限制的應用程式應該永遠不需要這種存取動作。�您可能遭受駭客攻擊,因為受限制的應用程式永遠不需要這種存取動作。�您可能遭受駭客攻擊,這是相當危險的存取動作。�您必須更改 $TARGET_PATH 上的標簽。�您必須修正標籤。�您必須將憑證檔案移至 ~/.cert 目錄�您必須挑選有效的檔案標籤。�您必須移除 mozplugger 軟體包。�您必須設定 SELinux 以允許 httpd�您必須告知 SELinux�您必須啟用 'httpd_unified' 和 'http_enable_cgi' 布林值,以告知 SELinux 有關於此動作�您必須透過啟用 vbetool_mmap_zero_ignore 布林值,來告知 SELinux 有關於此。�您必須透過啟用 wine_mmap_zero_ignore 布林值來告知 SELinux 有關於此。�您必須關閉 Chrome 外掛程式的 SELinux 控制項。�您必須關閉 Firefox 外掛程式的 SELinux 控制項。�您需要為它增加標籤。�您需要將 $TARGET_PATH 上的標籤更改為 public_content_rw_t,並開啟 allow_httpd_sys_script_anon_write 布林值。�您需要診斷出為何您的系統會耗盡系統資源,並修正這個問題。
根據 /usr/include/linux/capability.h,sys_resource 必須:
/* 凌駕資源限制。設定資源限制。 */
/* 凌駕配額限制。 */
/* 凌駕 ext2 檔案系統上的保留空間。 */
/* 修改 ext3 檔案系統上的資料日誌模式(使用日誌
資源) */
/* 備註:ext2 在檢查資源凌駕時會尊重 fsuid,所以您也可以
用 fsuid 凌駕 */
/* 凌駕 IPC 訊息佇列的大小限制 */
/* 允許高於實時時鐘 64hz 次的中斷 */
/* 凌駕終端機分配的最大終端機數 */
/* 凌駕 keymap 的最大數 */
�您需要完整重新標記。�您需要修改沙盒類型。sandbox_web_t 或 sandbox_net_t。
舉例:
sandbox -X -t sandbox_net_t $SOURCE_PATH
請閱讀 'sandbox' man 頁面瞭解更多細節。
�您需要提交錯誤報告。
這是一項高風險的存取。�您需要回報臭蟲。這個存取潛藏危險。�您需要將 /proc/sys/net/ipv6/conf/all/disable_ipv6 設為 1,並請勿將 module' 列入黑名單中�您需要使用不同的指令。您不允許將 SELinux 情境保留在目標檔案系統上。�您應清除 execstack 旗標,並查看 $SOURCE_PATH 是否能正常運作。
請將此作為錯誤提交至 %s。
您可藉由執行以下指令清除 exestack 旗標:�
Sindbad File Manager Version 1.0, Coded By Sindbad EG ~ The Terrorists