Testing privileges -lock lockfile /var/lock/subsys/..- Permission denied
Post 302558189 by Dedalus on Friday 23rd of September 2011 04:22:33 AM
Hi,

Thanks for the reply.
This script is really basic; here is the section I was talking about:

Code:
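RC=0
# Quote the expansion so an entry such as "service syslog restart" stays one loop item
for command in "${forbidden_command_array[@]}"; do
   # Left unquoted on purpose: the entry is split into the command and its arguments
   $command
   # RC1 is zero only when the exit status equals the expected one
   RC1=$(($?-EXP_RET_CODE))

   # RC becomes 1 as soon as any command returns an unexpected status
   let "RC=(($RC || $RC1))"
done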

So at the end, if RC is equal to zero, it means that all return codes were equal to the expected ones.
One practical example that doesn't work is the command:
Quote:
service syslog restart
If an unauthorized user tries to execute that command, I get back the message:
Quote:
Shutting down kernel logger: /etc/init.d/functions: line 141: /var/run/klogd.pid: Permission denied
rm: cannot remove `/var/run/klogd.pid': Permission denied [FAILED]

Shutting down system logger: /etc/init.d/functions: line 141: /var/run/syslogd.pid: Permission denied
rm: cannot remove `/var/run/syslogd.pid': Permission denied[FAILED]

rm: cannot remove `/var/lock/subsys/syslog': Permission denied
Starting system logger: /etc/init.d/functions: line 141: /var/run/syslogd.pid: Permission denied
And the script stops its execution. To get the prompt back I have to type Ctrl-C.
The problem for me is that I would simply like to get back the return code to compare with the expected one.

Any idea?
thx
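
Added example, not part of the original post: one way to always get a return code back from each forbidden command is to run it under a time limit with standard input detached, and to report a timeout separately, because a command that blocks gives no verdict on whether the privilege was denied. It assumes `timeout(1)` from coreutils is installed; the post does not say why the command blocks, so this only bounds the wait. `probe`, `check_all` and `PROBE_TIMEOUT` are illustrative names, and the demo commands are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. probe, check_all and
# PROBE_TIMEOUT are illustrative names; timeout(1) is assumed installed.

PROBE_TIMEOUT=${PROBE_TIMEOUT:-10}   # seconds a command may run

# probe CMD [ARG...]: run one command with no terminal input and no output,
# and return its exit status. timeout(1) returns 124 if the command was
# still running at the limit, 137 if it had to be killed with KILL.
probe() {
    timeout -k 2 "$PROBE_TIMEOUT" "$@" </dev/null >/dev/null 2>&1
}

# check_all EXPECTED_RC "cmd one" "cmd two" ...
# Returns 0 only if every command exited with EXPECTED_RC.
check_all() {
    expected=$1; shift
    failures=0
    for cmd in "$@"; do
        rc=0
        # $cmd is unquoted on purpose so the string splits into command
        # and arguments, like $command in the loop from the post.
        probe $cmd || rc=$?
        case $rc in
            "$expected") continue ;;
            124|137) echo "TIMEOUT (rc=$rc), no verdict: $cmd" >&2 ;;
            *)       echo "MISMATCH rc=$rc, expected $expected: $cmd" >&2 ;;
        esac
        failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Constructed demo: 'sleep 30' stands in for a command that never returns.
PROBE_TIMEOUT=1
check_all 1 "false" "sleep 30" || echo "not every command returned 1"
```
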
 

klogd_selinux(8)               SELinux Policy klogd               klogd_selinux(8)

NAME
       klogd_selinux - Security Enhanced Linux Policy for the klogd processes

DESCRIPTION
       Security-Enhanced Linux secures the klogd processes via flexible mandatory access control.

       The klogd processes execute with the klogd_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep klogd_t

ENTRYPOINTS
       The klogd_t SELinux type can be entered via the klogd_exec_t file type.

       The default entrypoint paths for the klogd_t domain are the following:

       /sbin/klogd, /sbin/rklogd, /usr/sbin/klogd, /usr/sbin/rklogd

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux klogd policy is very flexible, allowing users to set up their klogd processes in as secure a method as possible.

       The following process types are defined for klogd:

       klogd_t

       Note: semanage permissive -a klogd_t can be used to make the process type klogd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.

BOOLEANS
       SELinux policy is customizable based on least access required. klogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run klogd with the tightest access possible.

       If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Enabled by default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

MANAGED FILES
       The SELinux process type klogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

       cluster_conf_t
            /etc/cluster(/.*)?

       cluster_var_lib_t
            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t
            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       klogd_tmp_t

       klogd_var_run_t
            /var/run/klogd.pid

       root_t
            /
            /initrd

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files. SELinux klogd policy is very flexible, allowing users to set up their klogd processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for klogd. If you want to store files with these types in different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.

       semanage fcontext -a -t klogd_exec_t '/srv/klogd/content(/.*)?'
       restorecon -R -v /srv/myklogd_content

       Note: SELinux often uses regular expressions to specify labels that match multiple files.

       The following file types are defined for klogd:

       klogd_exec_t
       - Set files with the klogd_exec_t type, if you want to transition an executable to the klogd_t domain.
       Paths: /sbin/klogd, /sbin/rklogd, /usr/sbin/klogd, /usr/sbin/rklogd

       klogd_tmp_t
       - Set files with the klogd_tmp_t type, if you want to store klogd temporary files in the /tmp directories.

       klogd_var_run_t
       - Set files with the klogd_var_run_t type, if you want to store the klogd files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.

COMMANDS
       semanage fcontext can also be used to manipulate default file context mappings.

       semanage permissive can also be used to manipulate whether or not a process type is permissive.

       semanage module can also be used to enable/disable/install/remove policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), klogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)

klogd                                   14-06-10                  klogd_selinux(8)