|
|
Subscribe / Log in / New account

Removing run-time disabling for SELinux in Fedora

Removing run-time disabling for SELinux in Fedora

Posted Sep 24, 2020 9:30 UTC (Thu) by ragnar (guest, #139237)
In reply to: Removing run-time disabling for SELinux in Fedora by rwmj
Parent article: Removing run-time disabling for SELinux in Fedora

That is at least encouraging that it is possible to fix problems. But from the examples on that page it is still really difficult to understand more than "access was denied".

to post comments

Removing run-time disabling for SELinux in Fedora

Posted Sep 24, 2020 12:21 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

I would recommend watching

https://www.youtube.com/watch?v=_WOKRaM-HI4

Removing run-time disabling for SELinux in Fedora

Posted Sep 24, 2020 12:40 UTC (Thu) by rwmj (subscriber, #5474) [Link] (2 responses)

What I do is run audit2allow in a terminal, then copy and paste the AVC (SELinux error message) straight into that terminal. It will print the rule that is needed to allow the access, and from there it's usually fairly straightforward to understand what failed. The AVCs can be found in either /var/log/audit/... or ausearch -m avc.

As an example this AVC was produced by abrt a month ago: 

type=AVC msg=audit(1597179780.871:66254): avc:  denied  { setattr }
for  pid=2188952 comm="abrt-action-sav" name="rpmdb.sqlite-shm"
dev="dm-1" ino=1051653 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
and simply pasting that into audit2allow gives me: 
#============= abrt_t ==============
allow abrt_t var_lib_t:file setattr;
which means that abrt wasn't able to setattr (change the permissions) on a file with the var_lib_t label, which I guess is something in /var/lib.

Note that I am definitely no expert on SELinux. If I was really concerned about this I'd file a BZ against selinux-policy and get the experts to look into it.

Removing run-time disabling for SELinux in Fedora

Posted Sep 24, 2020 12:59 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

A few tips:

Ensure that setroubleshoot-server and policycoreutils-python-utils are installed on your system and take advantage of sealert -l "*"

https://access.redhat.com/documentation/en-us/red_hat_ent...

If you have setroubleshoot-server installed before any denials happen, you will get an easy to understand log in /var/log/messages

https://access.redhat.com/documentation/en-us/red_hat_ent...

example:

setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket. For complete SELinux messages. run sealert -l 8c123656-5dda-4e5d-8791-9e3bd03786b7

Running the suggested sealert command will tell you exactly what to do to resolve the problem. In many cases, it is something as simple as toggling a boolean or one liner policy change

Removing run-time disabling for SELinux in Fedora

Posted Oct 1, 2020 9:03 UTC (Thu) by eduperez (guest, #11232) [Link]

I am afraid I did not understand any of what you wrote, I am not a SELinux developer. I could be granting full permissions to a piece of malware, and I would not know the difference.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds