What's this sys_admin capability

Daniel J Walsh dwalsh at redhat.com
Mon Mar 11 19:46:45 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/11/2013 02:42 PM, Tony Molloy wrote:
> 
> Hi,
> 
> I'm seeing messages similar to the following for a number of services on a
> recently updated Centos 6.4 system.
> 
> I can generate local policies for each service but is there some boolean
> which can affect this sys_admin capability.
> 
> 
> 
> Mar  9 12:45:10 youngmunster setroubleshoot: SELinux is preventing 
> /usr/sbin/nmbd from using the sys_admin capability. For complete SELinux
> messages. run sealert -l 5a37dd50-b60c-4a1c-b97d-6d62baeee33a
> 
> 
> 
> [root at youngmunster ~]# sealert -l 5a37dd50-b60c-4a1c-b97d-6d62baeee33a 
> SELinux is preventing /usr/sbin/nmbd from using the sys_admin capability.
> 
> *****  Plugin catchall (100. confidence) suggests  ***************************
> 
> If you believe that nmbd should have the sys_admin capability by default.
> Then you should report this as a bug. You can generate a local policy
> module to allow this access. Do allow this access for now by executing:
> # grep nmbd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> 
> Thanks,
> 
> Tony
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

less /usr/include/capability.h

...

/* Allow configuration of the secure attention key */
/* Allow administration of the random device */
/* Allow examination and configuration of disk quotas */
/* Allow setting the domainname */
/* Allow setting the hostname */
/* Allow calling bdflush() */
/* Allow mount() and umount(), setting up new smb connection */
/* Allow some autofs root ioctls */
/* Allow nfsservctl */
/* Allow VM86_REQUEST_IRQ */
/* Allow to read/write pci config on alpha */
/* Allow irix_prctl on mips (setstacksize) */
/* Allow flushing all cache on m68k (sys_cacheflush) */
/* Allow removing semaphores */
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
   and shared memory */
/* Allow locking/unlocking of shared memory segment */
/* Allow turning swap on/off */
/* Allow forged pids on socket credentials passing */
/* Allow setting readahead and flushing buffers on block devices */
/* Allow setting geometry in floppy driver */
/* Allow turning DMA on/off in xd driver */
/* Allow administration of md devices (mostly the above, but some
   extra ioctls) */
/* Allow tuning the ide driver */
/* Allow access to the nvram device */
/* Allow administration of apm_bios, serial and bttv (TV) device */
/* Allow manufacturer commands in isdn CAPI support driver */
/* Allow reading non-standardized portions of pci configuration space */
/* Allow DDI debug ioctl on sbpcd driver */
/* Allow setting up serial ports */
/* Allow sending raw qic-117 commands */
/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
   arbitrary SCSI commands */
/* Allow setting encryption key on loopback filesystem */
/* Allow setting zone reclaim policy */

#define CAP_SYS_ADMIN        21



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlE+NKQACgkQrlYvE4MpobNXPgCgnrK6o3gS28ccExbpfJyspsVZ
arEAoLoBqZuaqUXrSLTmZ0TCPMwTY+tH
=MRJm
-----END PGP SIGNATURE-----
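The capability.h excerpt above makes the practical point: CAP_SYS_ADMIN (21) is one permission bit that gates dozens of unrelated operations, so "nmbd was prevented from using sys_admin" does not say what nmbd was actually doing. The audit log does: the AVC record and the SYSCALL record of the same event share one audit serial, and joining them turns the denial into "comm X called syscall Y". The following Python script is an added example, not part of this thread or of setroubleshoot; the audit lines are constructed for the example, and the syscall table is a partial x86_64 table assumed here (on a real host `ausearch -i` resolves the numbers for you).

```python
"""Join SELinux capability denials to the syscall that triggered them.

Added example, not part of the original mailing-list thread.  sealert
reports that a process was prevented from using the sys_admin capability,
but capability.h shows CAP_SYS_ADMIN (21) covers many unrelated
operations.  The audit log records both the AVC denial and the SYSCALL
record for the same event under one audit serial; joining them tells you
which system call the process was actually making.  The log lines below
are constructed for this example, and the syscall table is a partial
x86_64 table assumed here (ausearch -i resolves the real one on a host).
"""
import re
from collections import defaultdict

# Capability numbers from linux/capability.h; CAP_SYS_ADMIN is the 21 quoted
# in the thread, CAP_NET_ADMIN is added for the sample log.
CAP_NAMES = {12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN"}

# Partial x86_64 syscall table (assumption for this example, not exhaustive).
SYSCALLS_X86_64 = {16: "ioctl", 54: "setsockopt", 165: "mount", 166: "umount2",
                   167: "swapon", 170: "sethostname", 171: "setdomainname"}
ARCH_X86_64 = "c000003e"  # value of the arch= field on 64-bit x86

AUDIT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: two capability denials and one file denial for nmbd.
SAMPLE_LOG = """\
type=AVC msg=audit(1362833110.701:3051): avc:  denied  { sys_admin } for  pid=1742 comm="nmbd" capability=21  scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1362833110.701:3051): arch=c000003e syscall=16 success=no exit=-1 a0=9 a1=8933 a2=7fff2a1c items=0 ppid=1 pid=1742 uid=0 gid=0 comm="nmbd" exe="/usr/sbin/nmbd" subj=system_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1362833111.002:3052): avc:  denied  { net_admin } for  pid=1742 comm="nmbd" capability=12  scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1362833111.002:3052): arch=c000003e syscall=54 success=no exit=-1 a0=9 a1=1 a2=21 items=0 ppid=1 pid=1742 uid=0 gid=0 comm="nmbd" exe="/usr/sbin/nmbd" subj=system_u:system_r:nmbd_t:s0 key=(null)
type=AVC msg=audit(1362833112.310:3053): avc:  denied  { read } for  pid=1742 comm="nmbd" name="secrets.tdb" dev=dm-0 ino=1234 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:samba_secrets_t:s0 tclass=file
"""


def _unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_record(line):
    """Parse one audit record into a dict, or return None for non-audit lines."""
    m = AUDIT_RE.match(line.strip())
    if m is None:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"])}
    body = m["body"]
    avc = AVC_RE.search(body)
    if avc:
        rec["perms"] = avc["perms"].split()   # e.g. ["sys_admin"]
        body = avc["fields"]
    rec.update((k, _unquote(v)) for k, v in KV_RE.findall(body))
    return rec


def correlate(lines):
    """Return one finding per capability AVC, joined to the SYSCALL record
    that shares its audit serial (the part the sealert summary leaves out)."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": None})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "AVC":
            events[rec["serial"]]["AVC"].append(rec)
        elif rec["type"] == "SYSCALL":
            events[rec["serial"]]["SYSCALL"] = rec

    findings = []
    for serial in sorted(events):
        syscall = events[serial]["SYSCALL"] or {}
        nr = int(syscall["syscall"]) if "syscall" in syscall else None
        if syscall.get("arch") == ARCH_X86_64:
            syscall_name = SYSCALLS_X86_64.get(nr, f"syscall {nr}")
        else:
            syscall_name = "unknown (no SYSCALL record or non-x86_64 arch)"
        for avc in events[serial]["AVC"]:
            if avc.get("tclass") != "capability":
                continue   # file/socket denials are a different question
            cap = int(avc["capability"])
            findings.append({
                "serial": serial,
                "comm": avc.get("comm"),
                "exe": syscall.get("exe"),
                "capability": cap,
                "cap_name": CAP_NAMES.get(cap, f"capability {cap}"),
                "perm": avc["perms"][0],
                "syscall": nr,
                "syscall_name": syscall_name,
                "scontext": avc.get("scontext"),
            })
    return findings


def describe(finding):
    """One-line summary: which program, which capability, which syscall."""
    return (f'{finding["comm"]} ({finding["exe"]}) in {finding["scontext"]} '
            f'needed {finding["cap_name"]} ({finding["capability"]}) '
            f'while calling {finding["syscall_name"]}')


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(describe(f))
```

Knowing the syscall is what makes the audit2allow suggestion in the sealert output a decision rather than a reflex: the generated module allows `sys_admin` on the capability class for the whole nmbd_t domain, i.e. every operation listed in the header comments above, not just the one ioctl or mount that failed. If the call turns out to be something the daemon's configuration can avoid, that is the narrower fix; if it is genuinely required, the denial is the bug report Dan points to.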

