Re: audit log for "setenforce" changes?

On Mon, Jan 14, 2008 at 02:36:45PM -0500, Daniel J Walsh wrote:
> Do you have user accounts set up in /var/log? /lib/libexec?
> If you have system accounts with homedirs and real shells, you can
> confuse SELinux.  Any system account should have a UID < 500 or a shell
> of /bin/false or /sbin/nologin.

I fixed all accounts to meet these expectations.

There were these which I changed to use shells of /sbin/nologin:

oracle:x:1003:1003:Oracle User:/opt/oracle:/bin/sh
netsaint:x:1005:1005:netsaint:/usr/libexec/netsaint:/bin/sh
autores:x:2000:2000:Autores:/opt/autores:
dhcpd:x:2001:2001:DHCP Daemon:/etc/dhcpd:/bin/bash
autostat:x:2003:2003:Autostatus:/etc/autostatus:/bin/false
nagios:x:2004:2004:nagios:/var/log/nagios:/bin/sh

> You also look like you have root account set up to log in as system_u.
> You probably want to execute
> 
> semanage login -m -s unconfined_u root

Done.

Thanks for all the help.  It sounds like I should go through all my 
systems to be sure they meet current SELinux standards.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
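
The account rule quoted in this message (a system account should have a UID < 500 or a shell of /bin/false or /sbin/nologin) can be checked across a host with a short script. This is an added example, not part of the original thread: the function names are hypothetical, treating any home directory outside /home/ as a system account is an assumption, and the sample input is the six entries from the message plus two constructed ones (root and alice).

```shell
#!/bin/sh
# audit_system_accounts: read passwd(5)-format lines on stdin and print the
# accounts that look like system accounts (home outside /home/, an assumption)
# yet have UID >= 500 and a shell other than /bin/false or /sbin/nologin.
audit_system_accounts() {
    uid_min="${1:-500}"         # threshold quoted in the thread
    home_prefix="${2:-/home/}"  # assumption: real users live under /home/
    awk -F: -v uid_min="$uid_min" -v home_prefix="$home_prefix" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF < 7         { next }            # skip malformed entries
        {
            name = $1; uid = $3 + 0; home = $6; shell = $7
            # passwd(5): an empty shell field means /bin/sh
            if (shell == "") shell = "/bin/sh"
            if (uid < uid_min) next                          # low UID: fine
            if (index(home "/", home_prefix) == 1) next      # ordinary user
            if (shell == "/bin/false" || shell == "/sbin/nologin") next
            printf "%s uid=%d home=%s shell=%s\n", name, uid, home, shell
        }'
}

# Sample input: the six entries from the message, plus two constructed
# entries (root, alice) that must not be reported.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
oracle:x:1003:1003:Oracle User:/opt/oracle:/bin/sh
netsaint:x:1005:1005:netsaint:/usr/libexec/netsaint:/bin/sh
autores:x:2000:2000:Autores:/opt/autores:
dhcpd:x:2001:2001:DHCP Daemon:/etc/dhcpd:/bin/bash
autostat:x:2003:2003:Autostatus:/etc/autostatus:/bin/false
nagios:x:2004:2004:nagios:/var/log/nagios:/bin/sh
EOF
}

sample_passwd | audit_system_accounts
```

On a live host, run `audit_system_accounts < /etc/passwd`, or pipe in `getent passwd` to include accounts from other name services.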
