Re: Whats this sys_admin capability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/11/2013 02:42 PM, Tony Molloy wrote:
> 
> Hi,
> 
> I'm seeing messages similar to the following for a number of services on a
> recently updated Centos 6.4 system.
> 
> I can generate local policies for each service but is there some boolean
> which can affecdt this sys_admin capability.
> 
> 
> 
> Mar  9 12:45:10 youngmunster setroubleshoot: SELinux is preventing 
> /usr/sbin/nmbd from using the sys_admin capability. For complete SELinux
> messages. run sealert -l 5a37dd50-b60c-4a1c-b97d-6d62baeee33a
> 
> 
> 
> [root@youngmunster ~]# sealert -l 5a37dd50-b60c-4a1c-b97d-6d62baeee33a 
> SELinux is preventing /usr/sbin/nmbd from using the sys_admin capability.
> 
> *****  Plugin catchall (100. confidence) suggests 
> ***************************
> 
> If you believe that nmbd should have the sys_admin capability by default. 
> Then you should report this as a bug. You can generate a local policy
> module to allow this access. Do allow this access for now by executing: #
> grep nmbd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i
> mypol.pp
> 
> 
> Thanks,
> 
> Tony -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

less /usr/include/capability.h

...

/* Allow configuration of the secure attention key */
/* Allow administration of the random device */
/* Allow examination and configuration of disk quotas */
/* Allow setting the domainname */
/* Allow setting the hostname */
/* Allow calling bdflush() */
/* Allow mount() and umount(), setting up new smb connection */
/* Allow some autofs root ioctls */
/* Allow nfsservctl */
/* Allow VM86_REQUEST_IRQ */
/* Allow to read/write pci config on alpha */
/* Allow irix_prctl on mips (setstacksize) */
/* Allow flushing all cache on m68k (sys_cacheflush) */
/* Allow removing semaphores */
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
   and shared memory */
/* Allow locking/unlocking of shared memory segment */
/* Allow turning swap on/off */
/* Allow forged pids on socket credentials passing */
/* Allow setting readahead and flushing buffers on block devices */
/* Allow setting geometry in floppy driver */
/* Allow turning DMA on/off in xd driver */
/* Allow administration of md devices (mostly the above, but some
   extra ioctls) */
/* Allow tuning the ide driver */
/* Allow access to the nvram device */
/* Allow administration of apm_bios, serial and bttv (TV) device */
/* Allow manufacturer commands in isdn CAPI support driver */
/* Allow reading non-standardized portions of pci configuration space */
/* Allow DDI debug ioctl on sbpcd driver */
/* Allow setting up serial ports */
/* Allow sending raw qic-117 commands */
/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
   arbitrary SCSI commands */
/* Allow setting encryption key on loopback filesystem */
/* Allow setting zone reclaim policy */

#define CAP_SYS_ADMIN        21



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlE+NKQACgkQrlYvE4MpobNXPgCgnrK6o3gS28ccExbpfJyspsVZ
arEAoLoBqZuaqUXrSLTmZ0TCPMwTY+tH
=MRJm
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux