I am running Fedora atomic server 29 and have started to see weird behavior
due to SELinux over the last few days. I did everything I could to fix issues
with audit2allow, sealert and audit2why (logs are empty of alerts). Some
issues are still here. One example below:
-----------------------------
% rpm-ostree status
error: An SELinux policy prevents this sender from sending this message to
this recipient, 0 matched rules; type="method_call", sender=":1.90" (uid=0
pid=1731 comm="/usr/bin/rpm-ostree status "
label="sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023")
interface="org.projectatomic.rpmostree1.Sysroot" member="RegisterClient"
error name="(unset)" requested_reply="0"
destination="org.projectatomic.rpmostree1" (uid=0 pid=1734
comm="/usr/bin/rpm-ostree start-daemon "
label="system_u:system_r:install_t:s0")
---------------------------------------------------------------
NOTE: I ssh into the machine.
A few settings, in case they help:
----------------------
gab@poppy➤➤ ~ % id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
gab@poppy➤➤ ~ % semanage login -l
ValueError: SELinux policy is not managed or store cannot be accessed.
root@poppy➤➤ ~ # semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
gab sysadm_u s0-s0:c0.c1023 *
root system_u s0-s0:c0.c1023 *
gab@poppy➤➤ ~ % sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
gab@poppy➤➤ ~ # cat /etc/sudoers.d/gab
gab ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
gab@poppy➤➤ ~ # ls -alZ /etc/sudoers.d/
total 24
drwxr-x---. 2 root root system_u:object_r:etc_t:s0 42 Aug 31 15:05 .
drwxr-xr-x. 90 root root system_u:object_r:etc_t:s0 8192 Aug 31 17:09 ..
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 71 Aug 31 14:42 gab
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 72 Aug 31 15:04 gabx
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 120 Aug 12 11:53 louis
No more alerts:
gab@poppy➤➤ ~ % sealert -b
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the
GLib main loop with dbus-python is deprecated.
Instead, use this sequence:
from dbus.mainloop.glib import DBusGMainLoop
DBusGMainLoop(set_as_default=True)
import dbus.glib
gab@poppy➤➤ ~ %
-----------------------------------------------
What can I do to fix the ostree status and, more globally, fix any remaining
SELinux issues? The server has yet to be set up and I don't want to go
ahead with issues lying around.
Thank you for your help.