LWN: Comments on "Removing run-time disabling for SELinux in Fedora" https://lwn.net/Articles/831748/ This is a special feed containing comments posted to the individual LWN article titled "Removing run-time disabling for SELinux in Fedora". Sun, 21 Sep 2025 07:25:13 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/833174/ https://lwn.net/Articles/833174/ eduperez <div class="FormattedComment"> <font class="QuotedText">&gt; I echo the sentiment, debugging selinux is impossible, unless one is a seasoned selinux expert.</font><br> <p> Part of the issue, IMHO, is that debugging SELinux is often considered as something that any administrator should do: &quot;is some software failing? oh, just add some new rule&quot;.<br> <p> A piece of software that fails because of SELinux should be considered as a critical bug, in either SELinux or the software.<br> </div> Thu, 01 Oct 2020 09:10:24 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/833173/ https://lwn.net/Articles/833173/ eduperez <div class="FormattedComment"> I am afraid I did not understand any of what you wrote, I am not a SELinux developer. I could be granting full permissions to a piece of malware, and I would not know the difference.<br> </div> Thu, 01 Oct 2020 09:03:08 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/833172/ https://lwn.net/Articles/833172/ eduperez <div class="FormattedComment"> This is exactly my experience, I could not have said it better.<br> </div> Thu, 01 Oct 2020 08:59:02 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832592/ https://lwn.net/Articles/832592/ sub2LWN <div class="FormattedComment"> I agree, it&#x27;s too obscure as a default currently. Oops, I was mistaken too, the centos 7 system I was looking at didn&#x27;t have the policycoreutils-python-2.5 package. 
I guess the default is that selinux is enabled but there aren&#x27;t any tools to manage it. :o) after updating mandb now that audit2allow is installed, $ cat /etc/redhat-release; whatis audit2allow<br> CentOS Linux release 7.8.2003 (Core)<br> audit2allow (1) - generate SELinux policy allow/dontaudit rules from logs of denied operations<br> <p> Maybe they should call that command &quot;audit2allow-or-dontaudit&quot; since it doesn&#x27;t generate &quot;allow&quot; rules, it generates &quot;allow/dontaudit&quot; rules. My first post was going to be &quot;it&#x27;s not even in the manpages!&quot; but then I checked newer systems and it was there, and it&#x27;s there for some slightly older systems too. Not sure how long the audit2allow manpage has been titled that way.<br> </div> Sat, 26 Sep 2020 06:18:41 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832519/ https://lwn.net/Articles/832519/ mvdwege <div class="FormattedComment"> Oh nice, they added a manpage. That really helps if you don&#x27;t know that dontaudit exists. /sarcasm<br> <p> (I ran into dontaudit when I wanted to use blackhole routing in fail2ban, instead of the default firewalling. Turns out fail2ban calls the ip program, and it starts out not having permission to transition to ifconfig_exec_t. Ok, I&#x27;m a seasoned admin, I grep the audit log to make sure I only have fail2ban messages, pipe it to audit2allow, and I get a nice 2 line policy module. Still doesn&#x27;t work. After 3 days of banging my head against the wall, I finally find dontaudit. I disable it, and it turns out I need permission to do writes in a domain belonging to netlink. 3 line policy now, and it works.<br> <p> But I see why they disable it. 
There is lots of code that does the right thing, try something and do something else on failure, instead of test-then-modify, but under SELinux that generates a *hell* of a lot of spurious audit messages)<br> </div> Fri, 25 Sep 2020 16:43:23 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832456/ https://lwn.net/Articles/832456/ jbenc <div class="FormattedComment"> Except for the cases when it doesn&#x27;t work. I did exactly that, installed the generated rule, got no further AVC messages, yet the software in question (a poorly written proprietary cups filter) was still failing. Disabling selinux solved the issue.<br> <p> Now I learned about the dontaudit misfeature from this article (I wonder why it&#x27;s not mentioned in bold in all of those selinux tutorials I found), so maybe it&#x27;s the culprit.<br> <p> I echo the sentiment, debugging selinux is impossible, unless one is a seasoned selinux expert.<br> </div> Fri, 25 Sep 2020 08:02:59 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832443/ https://lwn.net/Articles/832443/ darwi <div class="FormattedComment"> <font class="QuotedText">&gt; The kernel currently prints a message to that effect, but there are plans to make using it even more painful by sleeping for five seconds when it is used.</font><br> <p> This is one of the most childish cr*p I’ve read in a while. 
Production kernels don’t behave like that.<br> <p> Following down the thread, it’s obvious that it was mentioned that Linus might rightfully get angry about this.<br> </div> Thu, 24 Sep 2020 17:21:21 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832409/ https://lwn.net/Articles/832409/ rahulsundaram <div class="FormattedComment"> If you disable dontaudit, you should always get something in the log.<br> <p> <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-possible_causes_of_silent_denials">https://access.redhat.com/documentation/en-us/red_hat_ent...</a><br> </div> Thu, 24 Sep 2020 13:44:55 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832383/ https://lwn.net/Articles/832383/ rahulsundaram <div class="FormattedComment"> A few tips:<br> <p> Ensure that setroubleshoot-server and policycoreutils-python-utils are installed on your system and take advantage of sealert -l &quot;*&quot;<br> <p> <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#analyzing-an-already-found-selinux-denial_troubleshooting-problems-related-to-selinux">https://access.redhat.com/documentation/en-us/red_hat_ent...</a><br> <p> If you have setroubleshoot-server installed before any denials happen, you will get an easy-to-understand log in /var/log/messages<br> <p> <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-searching_for_and_viewing_denials">https://access.redhat.com/documentation/en-us/red_hat_ent...</a><br> <p> example:<br> <p> setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket. For complete SELinux messages. 
run sealert -l 8c123656-5dda-4e5d-8791-9e3bd03786b7<br> <p> Running the suggested sealert command will tell you exactly what to do to resolve the problem. In many cases, it is something as simple as toggling a boolean or one liner policy change<br> </div> Thu, 24 Sep 2020 12:59:44 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832382/ https://lwn.net/Articles/832382/ jmclnx <div class="FormattedComment"> But for people just getting exposed to SELinux, it is not a few minutes work.<br> <p> I have spent 3+ days trying to get vnstatd active using &quot;audit2why&quot;, &quot;audit2allow&quot;, &quot;checkmodule&quot;, &quot;semodule_package&quot; and &quot;semodule&quot; (plus many others) and it still fails. <br> <p> I am NOT asking for help on this, but I am pointing out how hard it is to work with SELinux. The documentation is extremely complex and seems one must spend many weeks reading and re-reading docs to even figure out how to do the simplest task.<br> <p> I really want to keep it active, at least I know it can be very useful, but getting items to work is quite hard.<br> </div> Thu, 24 Sep 2020 12:56:39 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832380/ https://lwn.net/Articles/832380/ rwmj What I do is run <code>audit2allow</code> in a terminal, then copy and paste the AVC (SELinux error message) straight into that terminal. It will print the rule that is needed to allow the access, and from there it's usually fairly straightforward to understand what failed. The AVCs can be found in either <code>/var/log/audit/...</code> or <code>ausearch -m avc</code>. 
<p> As an example this AVC was produced by abrt a month ago: <pre> type=AVC msg=audit(1597179780.871:66254): avc: denied { setattr } for pid=2188952 comm="abrt-action-sav" name="rpmdb.sqlite-shm" dev="dm-1" ino=1051653 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0 </pre> and simply pasting that into audit2allow gives me: <pre>
#============= abrt_t ==============
allow abrt_t var_lib_t:file setattr;
</pre> which means that abrt wasn't able to <code>setattr</code> (change the permissions) on a file with the <code>var_lib_t</code> label, which I guess is something in <code>/var/lib</code>. <p> Note that I am definitely no expert on SELinux. If I was really concerned about this I'd file a BZ against selinux-policy and get the experts to look into it. Thu, 24 Sep 2020 12:40:59 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832379/ https://lwn.net/Articles/832379/ bkw1a <div class="FormattedComment"> I&#x27;ve gone through this many times (basically with every new CentOS version): I start out with the intention of leaving selinux on. Something is broken, so I use the logs or audit2allow to make adjustments to the selinux configuration. Things work again, until I run into another problem and repeat. But eventually I get to something that&#x27;s broken and gives me no log messages that point to any problem. After banging my head against the wall for a while, it eventually occurs to me that I should try disabling selinux. I do, and the problem goes away.<br> <p> If I could rely on selinux always giving me useful log information when it blocks something, I&#x27;d be fine with using it. 
But as long as it continues to inexplicably break things sometimes, I can&#x27;t trust it in production.<br> <p> </div> Thu, 24 Sep 2020 12:40:08 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832376/ https://lwn.net/Articles/832376/ rahulsundaram <div class="FormattedComment"> I would recommend watching<br> <p> <a href="https://www.youtube.com/watch?v=_WOKRaM-HI4">https://www.youtube.com/watch?v=_WOKRaM-HI4</a><br> <p> </div> Thu, 24 Sep 2020 12:21:52 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832367/ https://lwn.net/Articles/832367/ michich <div class="FormattedComment"> You don&#x27;t have to make the whole system permissive. You can set permissive domains - <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-permissive_domains">https://access.redhat.com/documentation/en-us/red_hat_ent...</a><br> </div> Thu, 24 Sep 2020 11:16:24 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832360/ https://lwn.net/Articles/832360/ james Couple of minutes' work, maybe? And, in my experience, the resulting rules are comprehensible, showing you what you are allowing and giving you a chance to check that the program does actually need that access. <p> The example given in the documentation is <pre>allow certwatch_t var_t:dir write;</pre> which is pretty clear even if you aren't very familiar with SELinux. <p> Also, SELinux in Fedora/CentOS mostly restricts sensitive OS-type programs: big user programs like LibreOffice are extremely unlikely to encounter problems. <p> (I wonder how many counter-examples I'm going to get...) Thu, 24 Sep 2020 10:41:35 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832362/ https://lwn.net/Articles/832362/ hei8483j <div class="FormattedComment"> If you still can turn on permissive mode, then it is a non-issue. 
I have never had to turn off SELinux. Permissive mode is mainly needed when creating new rules for proprietary software that doesn&#x27;t behave.<br> </div> Thu, 24 Sep 2020 10:25:43 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832357/ https://lwn.net/Articles/832357/ ragnar <div class="FormattedComment"> So if there are some hidden malware running on my machine I have now given it permission to do whatever nefarious things it wants to do anyway? How is that better than just disabling SELinux?<br> <p> It is also still pretty user hostile for people not well versed in SELinux.<br> </div> Thu, 24 Sep 2020 09:36:11 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832354/ https://lwn.net/Articles/832354/ ragnar <div class="FormattedComment"> That is at least encouraging that it is possible to fix problems. But from the examples on that page it is still really difficult to understand more than &quot;access was denied&quot;.<br> </div> Thu, 24 Sep 2020 09:30:15 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832356/ https://lwn.net/Articles/832356/ LtWorf <div class="FormattedComment"> You should run it in permissive mode and then add rules to all the audits that were generated and then disable permissive mode.<br> </div> Thu, 24 Sep 2020 09:22:05 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832355/ https://lwn.net/Articles/832355/ MKesper <div class="FormattedComment"> That&#x27;s still much work, though, sadly.<br> </div> Thu, 24 Sep 2020 09:08:57 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832348/ https://lwn.net/Articles/832348/ rwmj <div class="FormattedComment"> For future reference, use audit2allow: <a 
href="https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html">https://docs.fedoraproject.org/en-US/Fedora/22/html/SELin...</a><br> <p> It&#x27;s actually pretty straightforward to at least find out what rule needs to be added, and you can either add it temporarily to your machine or submit a BZ to get it permanently fixed in the distribution.<br> </div> Thu, 24 Sep 2020 08:03:13 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832346/ https://lwn.net/Articles/832346/ ragnar <div class="FormattedComment"> The difficulty of debugging issues is a big problem of SELinux. But an even bigger problem with SELinux is that when you find an issue there doesn&#x27;t seem to be any way to fix it other than disabling SELinux unless you are a seasoned SELinux expert. At least I haven&#x27;t found any material on how to easily fix rules myself and the article indicates that most other people also just disable SELinux at first sign of an issue.<br> </div> Thu, 24 Sep 2020 06:44:57 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832343/ https://lwn.net/Articles/832343/ madhatter I don't know that we'll get as far as systems shipping with an "SELinux foghorn", to be sounded when important denies occur. But when in their manual (linked above) RH write: <p> <cite>The downside of dontaudit is that, although SELinux denies access, denial messages are not logged, making troubleshooting more difficult. </cite> <p> I think they rather understate the issue ("<i>The downside of using explosives for surface preparation is that the building may well collapse, making repainting the interior walls more difficult</i>"). 
Thu, 24 Sep 2020 05:24:33 +0000 Removing run-time disabling for SELinux in Fedora https://lwn.net/Articles/832301/ https://lwn.net/Articles/832301/ sub2LWN <div class="FormattedComment"> &quot;dontaudit&quot; has made its way into manpages on Fedora 32 and RHEL 8: man 8 semanage-dontaudit; Programs which tell users to disable SELinux are like ones which recommend disabling any firewall instead of adjusting rules. Counter to &quot;dontaudit&quot;, I wonder if anyone has proposed a &quot;loudlyaudit&quot; for denials too important to merely have in the audit log or the AVC pop-up in the GUI case. :-)<br> </div> Wed, 23 Sep 2020 18:38:48 +0000
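rwmj's recipe (paste an AVC into audit2allow and read the rule it prints) and the permissive-mode/permissive-domain workflow that LtWorf and michich describe both rest on the same transformation of audit records, so here it is as an added example. This is not code from LWN, Fedora, Red Hat or the SELinux project; it reimplements in Python only the part of audit2allow that a reader needs to understand a denial: parse AVC records as they appear in /var/log/audit/audit.log or `ausearch -m avc` output, pull the source and target types out of the contexts, and group the denied permissions into `allow` rules in the same layout audit2allow prints. The first sample record is the abrt AVC rwmj posted; the two httpd records, their `unreserved_port_t` target and the port number are constructed for this example.

```python
"""audit2allow-style AVC summariser (added example, not LWN's, Fedora's or
the SELinux project's code).  Turns SELinux AVC denial records into the
`allow source target:class perms;` rules that audit2allow prints, and
separately reports which domains were logged with permissive=1, i.e. the
access was recorded but actually went through because the system or that
domain was permissive."""
import re
from collections import defaultdict

# Sample audit records.  The abrt line is the real one from the thread; the
# httpd lines (port 8081, unreserved_port_t) are CONSTRUCTED for this example
# to show several permissions collapsing into one rule and the permissive flag.
SAMPLE_AVCS = """\
type=AVC msg=audit(1597179780.871:66254): avc:  denied  { setattr } for  pid=2188952 comm="abrt-action-sav" name="rpmdb.sqlite-shm" dev="dm-1" ino=1051653 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000000.100:1001): avc:  denied  { name_bind } for  pid=4242 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1600000000.200:1002): avc:  denied  { name_connect } for  pid=4242 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def sel_type(context):
    """user:role:type[:range] -> type.  The MLS range may itself contain
    colons (s0-s0:c0.c1023), so index from the front, never from the end."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict describing one AVC record, or None if `line` is not an
    AVC (SYSCALL, PATH and other audit record types are silently skipped)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            "verdict": m.group("verdict"),
            "perms": set(m.group("perms").split()),
            "source": sel_type(fields["scontext"]),
            "target": sel_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "comm": fields.get("comm", "?"),
            "permissive": fields.get("permissive") == "1",
        }
    except (KeyError, IndexError):
        return None  # truncated or non-standard record: skip rather than guess


def build_rules(log_text):
    """Aggregate denials into {(source_type, target_type, tclass): {perms}}.
    Every AVC for the same triple contributes to a single rule."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def format_rules(rules):
    """Render in audit2allow's layout: a banner per source domain, then one
    allow rule per (target, class); braces only when there are several perms."""
    out = []
    for source in sorted({key[0] for key in rules}):
        out.append(f"#============= {source} ==============")
        for (src, tgt, cls), perms in sorted(rules.items()):
            if src != source:
                continue
            p = sorted(perms)
            perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
            out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return "\n".join(out)


def permissive_domains(log_text):
    """Source types whose denials carry permissive=1: the access was logged but
    not blocked, which is what you collect before switching back to enforcing."""
    return sorted({r["source"] for r in map(parse_avc, log_text.splitlines())
                   if r and r["permissive"]})


if __name__ == "__main__":
    print(format_rules(build_rules(SAMPLE_AVCS)))
    print("# domains logged while permissive:", permissive_domains(SAMPLE_AVCS))
```

Two caveats the thread circles around. First, a denial matched by a dontaudit rule never reaches the audit log, so neither this script nor audit2allow can see it; `semodule -DB` rebuilds the loaded policy with dontaudit rules disabled (and `semodule -B` restores them), which is the switch mvdwege and rahulsundaram are talking about. Second, the generated rule is only as narrow as the types in the AVC: the constructed `allow httpd_t unreserved_port_t:tcp_socket { name_bind name_connect };` would grant that access to every process running in httpd_t, which is ragnar's objection, so read each rule before loading it and prefer the boolean or relabel that sealert suggests when one applies.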