Inputs for error "libselinux.so.1: cannot open shared object file: No such file or directory"
by Ashish Mishra
Hi All,
I am trying to get SELinux on one of our evaluation boards (MIPS based).
The SDK is custom makefile based & the kernel is the linux-4.9 series.
1) To get SELinux, I have enabled the kernel configuration w.r.t. SELinux.
I can see the entry created under the /sys folder:
~ # ls /sys/fs/selinux/
2) But when I run an SELinux command like selinuxenabled, I am getting
this error message:
selinuxenabled: error while loading shared libraries:
libselinux.so.1: cannot open shared object file: No such file or
directory
But I can see the library in the /lib folder:
~ # find / -name libselinux
~ # find / -name 'libselinux*'
/lib/libselinux.so
/lib/libselinux.so.1
Can members please provide any input as to which package is missing
here, or probable areas to look at to solve the problem?
The idea was to build an SELinux setup.
Thanks,
Ashish
Failed to start Udev Kernel device manager
by Ashish Mishra
Hi Team,
I am trying to understand the SELinux policy aspect by adding the
reference policy:
https://github.com/SELinuxProject/selinux
Creating the default policy, I am getting "Failed to start udev
Kernel Device manager".
I tried generating both monolithic & modular policies, but the behavior
is the same.
Can members please share any debug points / inputs to understand the behaviour?
Attached along is the error snapshot.
I am trying to get the reference policy as part of proof of concept
for another project.
Hence I was using Fedora as a base reference for our work.
Thanks,
Ashish
Re: SELinux + FUSE + Podman + rclone +gdrive = ???
by Lukas Vrabec
On 10/28/20 10:46 AM, Chris S wrote:
> Howdy folks!
>
> Have an interesting concoction of technologies mixed together and have
> found myself in a pickle.
>
> Currently I have a host that has pods with containers. From the host I
> am using rclone hooked up to Google Drive (and fuse mounted).
>
> When looking at the directory I have mounted with rclone you see the
> following SELinux label:
>
> system_u:object_r:fusefs_t:s0
>
>
> Trying to relabel this with chcon does not work (probably expected),
> getting permission denied.
>
>
> Mounting the volume into the container with :z exhibits similar
> behavior:
>
> Error: relabel failed "/gdrive": operation not supported
>
>
> I then bash into a test CentOS container with the volume mapped in
> (without the labeling :z) and attempt to touch a file to generate an
> audit alert:
>
> sudo grep touch /var/log/audit/audit.log
>
> type=AVC msg=audit(1603873529.524:951948): avc: denied { write }
> for pid=2226162 comm="touch" name="gdrive" dev="dm-0" ino=2359297
> scontext=system_u:system_r:container_t:s0:c296,c525
> tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir
> permissive=0
>
>
> After finding the event, I attempt to pipe this into audit2allow:
>
> grep touch /var/log/audit/audit.log | audit2allow -R -M gdrive_allow
>
>
> I then ran into this error:
>
> could not open interface info [/var/lib/sepolgen/interface_info]
>
>
> At which point I installed sepolgen-ifgen - I then re-ran the
> audit2allow command.
>
>
> This is where I get some interesting behavior:
>
> compilation failed:
> find: ‘thinclient_drives’: Permission denied
> /usr/share/selinux/devel/include/services/container.if:13: Error:
> duplicate definition of container_runtime_domtrans(). Original
> definition on 13.
> /usr/share/selinux/devel/include/services/container.if:40: Error:
> duplicate definition of container_runtime_run(). Original definition
> on 40.
> /usr/share/selinux/devel/include/services/container.if:60: Error:
> duplicate definition of container_runtime_exec(). Original
> definition on 60.
> /usr/share/selinux/devel/include/services/container.if:79: Error:
> duplicate definition of container_read_state(). Original definition
> on 79.
> /usr/share/selinux/devel/include/services/container.if:97: Error:
> duplicate definition of container_search_lib(). Original definition
> on 97.
> /usr/share/selinux/devel/include/services/container.if:116: Error:
> duplicate definition of container_exec_lib(). Original definition on
> 116.
> /usr/share/selinux/devel/include/services/container.if:135: Error:
> duplicate definition of container_read_lib_files(). Original
> definition on 135.
> /usr/share/selinux/devel/include/services/container.if:154: Error:
> duplicate definition of container_read_share_files(). Original
> definition on 154.
> /usr/share/selinux/devel/include/services/container.if:175: Error:
> duplicate definition of container_runtime_read_tmpfs_files().
> Original definition on 175.
> /usr/share/selinux/devel/include/services/container.if:196: Error:
> duplicate definition of container_manage_share_files(). Original
> definition on 196.
> /usr/share/selinux/devel/include/services/container.if:217: Error:
> duplicate definition of container_manage_share_dirs(). Original
> definition on 217.
> /usr/share/selinux/devel/include/services/container.if:237: Error:
> duplicate definition of container_exec_share_files(). Original
> definition on 237.
> /usr/share/selinux/devel/include/services/container.if:255: Error:
> duplicate definition of container_manage_config_files(). Original
> definition on 255.
> /usr/share/selinux/devel/include/services/container.if:274: Error:
> duplicate definition of container_manage_lib_files(). Original
> definition on 274.
> /usr/share/selinux/devel/include/services/container.if:294: Error:
> duplicate definition of container_manage_files(). Original
> definition on 294.
> /usr/share/selinux/devel/include/services/container.if:313: Error:
> duplicate definition of container_manage_dirs(). Original definition
> on 313.
> /usr/share/selinux/devel/include/services/container.if:331: Error:
> duplicate definition of container_manage_lib_dirs(). Original
> definition on 331.
> /usr/share/selinux/devel/include/services/container.if:367: Error:
> duplicate definition of container_lib_filetrans(). Original
> definition on 367.
> /usr/share/selinux/devel/include/services/container.if:385: Error:
> duplicate definition of container_read_pid_files(). Original
> definition on 385.
> /usr/share/selinux/devel/include/services/container.if:404: Error:
> duplicate definition of container_systemctl(). Original definition
> on 404.
> /usr/share/selinux/devel/include/services/container.if:429: Error:
> duplicate definition of container_rw_sem(). Original definition on 429.
> /usr/share/selinux/devel/include/services/container.if:448: Error:
> duplicate definition of container_append_file(). Original definition
> on 448.
> /usr/share/selinux/devel/include/services/container.if:466: Error:
> duplicate definition of container_use_ptys(). Original definition on
> 466.
> /usr/share/selinux/devel/include/services/container.if:484: Error:
> duplicate definition of container_filetrans_named_content().
> Original definition on 484.
> /usr/share/selinux/devel/include/services/container.if:537: Error:
> duplicate definition of container_stream_connect(). Original
> definition on 546.
> /usr/share/selinux/devel/include/services/container.if:558: Error:
> duplicate definition of container_spc_stream_connect(). Original
> definition on 567.
> /usr/share/selinux/devel/include/services/container.if:579: Error:
> duplicate definition of container_admin(). Original definition on 588.
> /usr/share/selinux/devel/include/services/container.if:626: Error:
> duplicate definition of container_auth_domtrans(). Original
> definition on 635.
> /usr/share/selinux/devel/include/services/container.if:645: Error:
> duplicate definition of container_auth_exec(). Original definition
> on 654.
> /usr/share/selinux/devel/include/services/container.if:664: Error:
> duplicate definition of container_auth_stream_connect(). Original
> definition on 673.
> /usr/share/selinux/devel/include/services/container.if:683: Error:
> duplicate definition of container_runtime_typebounds(). Original
> definition on 692.
> /usr/share/selinux/devel/include/services/container.if:702: Error:
> duplicate definition of container_runtime_entrypoint(). Original
> definition on 711.
> /usr/share/selinux/devel/include/services/container.if:709: Error:
> duplicate definition of docker_exec_lib(). Original definition on 718.
> /usr/share/selinux/devel/include/services/container.if:713: Error:
> duplicate definition of docker_read_share_files(). Original
> definition on 722.
> /usr/share/selinux/devel/include/services/container.if:717: Error:
> duplicate definition of docker_exec_share_files(). Original
> definition on 726.
> /usr/share/selinux/devel/include/services/container.if:721: Error:
> duplicate definition of docker_manage_lib_files(). Original
> definition on 730.
> /usr/share/selinux/devel/include/services/container.if:726: Error:
> duplicate definition of docker_manage_lib_dirs(). Original
> definition on 735.
> /usr/share/selinux/devel/include/services/container.if:730: Error:
> duplicate definition of docker_lib_filetrans(). Original definition
> on 739.
> /usr/share/selinux/devel/include/services/container.if:734: Error:
> duplicate definition of docker_read_pid_files(). Original definition
> on 743.
> /usr/share/selinux/devel/include/services/container.if:738: Error:
> duplicate definition of docker_systemctl(). Original definition on 747.
> /usr/share/selinux/devel/include/services/container.if:742: Error:
> duplicate definition of docker_use_ptys(). Original definition on 751.
> /usr/share/selinux/devel/include/services/container.if:746: Error:
> duplicate definition of docker_stream_connect(). Original definition
> on 755.
> /usr/share/selinux/devel/include/services/container.if:750: Error:
> duplicate definition of docker_spc_stream_connect(). Original
> definition on 759.
> /usr/share/selinux/devel/include/services/container.if:764: Error:
> duplicate definition of container_spc_read_state(). Original
> definition on 773.
> /usr/share/selinux/devel/include/services/container.if:783: Error:
> duplicate definition of container_runtime_domain_template().
> Original definition on 792.
> /usr/share/selinux/devel/include/services/container.if:819: Error:
> duplicate definition of container_domain_template(). Original
> definition on 828.
> /usr/share/selinux/devel/include/services/container.if:847: Error:
> duplicate definition of container_spc_rw_pipes(). Original
> definition on 856.
> Compiling targeted gdrive_allow module
> gdrive_allow.te:15:ERROR 'syntax error' at token 'mlsconstrain' on
> line 3339:
> # mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-)
> or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
> mlsconstrain dir { write setattr append unlink link rename add_name
> remove_name } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type
> -Fail-) ); Constraint DENIED
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [/usr/share/selinux/devel/include/Makefile:157:
> tmp/gdrive_allow.mod] Error 1
>
>
> What stands out here is *gdrive_allow.te:15:ERROR 'syntax error' at
> token 'mlsconstrain' on line 3339*
> This leads me to believe that audit2allow is not equipped to handle this
> kind of rule - specifically:
>
> policy_module(gdrive_allow, 1.0)
>
>
> require {
>
> type container_file_t;
>
> type container_t;
>
> class dir write;
>
> }
>
>
> #============= container_t ==============
>
>
> #!!!! This avc is a constraint violation. You would need to modify
> the attributes of either the source or target types to allow this
> access.
>
> #Constraint rule:
>
> #mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or
> (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
>
> mlsconstrain dir { write setattr append unlink link rename add_name
> remove_name } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type
> -Fail-) ); Constraint DENIED
>
> mlsconstrain dir { relabelfrom } ((h1 dom h2 -Fail-) or (t1 !=
> mcs_constrained_type -Fail-) ); Constraint DENIED
>
> mlsconstrain dir { create relabelto } ((h1 dom h2 -Fail-) or (t1 !=
> mcs_constrained_type -Fail-) ); Constraint DENIED
>
>
> #Possible cause is the source level (s0:c296,c525) and target level
> (s0:c332,c605) are different.
>
> allow container_t container_file_t:dir write;
>
> At the current point in time, I am at a standstill as I cannot relabel
> the source. Any help would be extremely appreciated - I refuse to turn
> SELinux off hehe :)
>
> CentOS Linux release 8.2.2004 (Core)
>
> 4.18.0-193.19.1.el8_2.x86_64
>
> podman version 1.6.4
>
> container-selinux-2.124.0-1.module_el8.2.0+305+5e198a41.noarch
>
> policycoreutils-devel-2.9-9.el8.x86_64
>
> selinux-policy-devel-3.14.3-41.el8_2.6.noarch
>
>
Hello,
Did you mount /gdrive to some previous container? Because it was
relabeled to the correct SELinux type, container_file_t, but it also got
the concrete MCS categories "c332,c605"; now you're trying to access the
volume from a different container with different unique categories
"c296,c525".
It's expected that each container has the same type "container_t" but unique
categories.
To make it work, you need to label /gdrive as container_file_t but
with *NO* category. You can use the restorecon and chcon commands; the problem
is that you see permission denied. Do you execute these commands with
root privileges?
Thanks,
Lukas.
>
> Regards,
>
> Christopher
>
--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
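As an added example (not code from the thread or from Red Hat), here is a small Python triage helper for the AVC record Chris quoted: it parses scontext/tcontext, compares the MCS categories the way the quoted "h1 dom h2" constraint does, and reports whether the denial is the category mismatch Lukas describes or an ordinary missing-rule denial. The sample record is the one from the mail, re-joined onto one line; the function and field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in Chris's mail, re-joined onto one line.
SAMPLE_AVC = (
    "type=AVC msg=audit(1603873529.524:951948): avc: denied { write } "
    'for pid=2226162 comm="touch" name="gdrive" dev="dm-0" ino=2359297 '
    "scontext=system_u:system_r:container_t:s0:c296,c525 "
    "tcontext=system_u:object_r:container_file_t:s0:c332,c605 tclass=dir permissive=0"
)

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str       # high sensitivity of the label, e.g. "s0"
    categories: frozenset  # high MCS categories; empty when the label has none

def parse_context(label: str) -> Context:
    """Parse user:role:type:level; for a range low-high keep the high end (h1/h2)."""
    user, role, typ, level = label.split(":", 3)
    high = level.split("-")[-1]
    sens, _, cats = high.partition(":")
    categories = frozenset(c for c in cats.split(",") if c)
    return Context(user, role, typ, sens, categories)

_FIELD = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")
_PERMS = re.compile(r"denied\s+\{\s*([^}]*)\}")

def diagnose(avc_line: str) -> dict:
    """Classify a denial: MCS category mismatch (the thread's case) or a missing allow rule."""
    fields = dict(_FIELD.findall(avc_line))
    perms = _PERMS.search(avc_line)
    src = parse_context(fields["scontext"])
    tgt = parse_context(fields["tcontext"])
    # The mlsconstrain quoted in the thread passes when h1 dom h2: the source's
    # high level must carry every category of the target (MCS uses the single
    # sensitivity s0, so only categories are compared here). A target with NO
    # category therefore passes for every container, which is what the advice
    # to relabel /gdrive without categories relies on.
    dominates = tgt.categories <= src.categories
    verdict = "mcs_category_mismatch" if not dominates else "mcs_ok_check_allow_rules"
    return {
        "verdict": verdict,
        "permissions": set(perms.group(1).split()) if perms else set(),
        "tclass": fields.get("tclass"),
        "source": src,
        "target": tgt,
        "missing_categories": sorted(tgt.categories - src.categories),
    }
```

Run it over lines pulled with `grep avc: /var/log/audit/audit.log`; a verdict of mcs_category_mismatch means audit2allow will emit the constraint comment seen above rather than a usable allow rule.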