On 03/11/2013 02:42 PM, Tony Molloy wrote:
>
> Hi,
>
> I'm seeing messages similar to the following for a number of services on a
> recently updated CentOS 6.4 system.
>
> I can generate local policies for each service but is there some boolean
> which can affect this sys_admin capability.
>
>
>
> Mar 9 12:45:10 youngmunster setroubleshoot: SELinux is preventing
> /usr/sbin/nmbd from using the sys_admin capability. For complete SELinux
> messages. run sealert -l 5a37dd50-b60c-4a1c-b97d-6d62baeee33a
>
>
>
> [root@youngmunster ~]# sealert -l 5a37dd50-b60c-4a1c-b97d-6d62baeee33a
> SELinux is preventing /usr/sbin/nmbd from using the sys_admin capability.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that nmbd should have the sys_admin capability by default.
> Then you should report this as a bug. You can generate a local policy
> module to allow this access. Do allow this access for now by executing:
> # grep nmbd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Thanks,
>
> Tony
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

less /usr/include/capability.h
...
/* Allow configuration of the secure attention key */
/* Allow administration of the random device */
/* Allow examination and configuration of disk quotas */
/* Allow setting the domainname */
/* Allow setting the hostname */
/* Allow calling bdflush() */
/* Allow mount() and umount(), setting up new smb connection */
/* Allow some autofs root ioctls */
/* Allow nfsservctl */
/* Allow VM86_REQUEST_IRQ */
/* Allow to read/write pci config on alpha */
/* Allow irix_prctl on mips (setstacksize) */
/* Allow flushing all cache on m68k (sys_cacheflush) */
/* Allow removing semaphores */
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory */
/* Allow locking/unlocking of shared memory segment */
/* Allow turning swap on/off */
/* Allow forged pids on socket credentials passing */
/* Allow setting readahead and flushing buffers on block devices */
/* Allow setting geometry in floppy driver */
/* Allow turning DMA on/off in xd driver */
/* Allow administration of md devices (mostly the above, but some extra ioctls) */
/* Allow tuning the ide driver */
/* Allow access to the nvram device */
/* Allow administration of apm_bios, serial and bttv (TV) device */
/* Allow manufacturer commands in isdn CAPI support driver */
/* Allow reading non-standardized portions of pci configuration space */
/* Allow DDI debug ioctl on sbpcd driver */
/* Allow setting up serial ports */
/* Allow sending raw qic-117 commands */
/* Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands */
/* Allow setting encryption key on loopback filesystem */
/* Allow setting zone reclaim policy */

#define CAP_SYS_ADMIN 21
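Because the original report mentions several services hitting the same denial, it helps to see which SELinux domains are actually requesting sys_admin before building a per-service module with audit2allow. The following is an added example, not part of the original thread: it summarizes capability denials from audit.log text, and the sample records (including the smbd entries) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the original post).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1362833110.101:501): avc:  denied  { sys_admin } for  pid=2210 comm="nmbd" capability=21  scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability
type=AVC msg=audit(1362833111.202:502): avc:  denied  { sys_admin } for  pid=2210 comm="nmbd" capability=21  scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability
type=AVC msg=audit(1362833150.303:510): avc:  denied  { sys_admin } for  pid=2300 comm="smbd" capability=21  scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability
type=AVC msg=audit(1362833160.404:511): avc:  denied  { read } for  pid=2300 comm="smbd" name="secrets.tdb" dev=dm-0 ino=1311 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1362833150.303:510): arch=c000003e syscall=16 success=no exit=-1 comm="smbd" exe="/usr/sbin/smbd"
'''

# Pulls the permission set, command name, source context and object class
# out of one AVC denial record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)')


def capability_denials(log_text, capability="sys_admin"):
    """Count denials of one capability, keyed by (source domain, comm)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "capability":
            continue  # not an AVC record, or a denial on some other class
        if capability not in m.group("perms").split():
            continue
        # scontext is user:role:type:level; the type is the process domain.
        domain = m.group("scontext").split(":")[2]
        counts[(domain, m.group("comm"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (domain, comm), n in sorted(capability_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{domain:10} {comm:8} sys_admin denied x{n}")
```

On a live system, pass the contents of /var/log/audit/audit.log to `capability_denials` instead of the sample string.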