SELINUXTYPE
by Henry Zhang
Hi Folks,
Why does Fedora select SELINUXTYPE=target?
SELinux offers options:
# SELINUXTYPE= can take one of these values:
# minimum - Minimum Security protection.
# standard - Standard Security protection.
# mls - Multi Level Security protection.
# targeted - Targeted processes are protected.
# mcs - Multi Category Security protection.
Thanks.
---henry
3 months
selinux in linux kernel
by Henry Zhang
Hi folks,
I downloaded the linux kernel and see linux-6.4/security/selinux
subdirectory.
Here is my question:
I want to use the newer version of Linux kernel.
What should I do for my current selinux utility and policies etc to match
the newer version of the linux kernel?
---henry
3 months
How do I find the process triggering the SELinux alert?
by Marius Ghita
I have the following audit message
Raw Audit Messages
type=AVC msg=audit(1687022594.74:347): avc: denied { mmap_zero } for pid=3953 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0
This warning gets triggered from time to time around system startup, and I
cannot find the process involved. The name check is too generic to use the
locate command and the process is no longer running by the time I would
have the chance to peek at the PID.
Thanks.
3 months, 1 week
Re: difference between setfiles and restorecon
by Henry Zhang
mcs is used in my custom board.
I am asking for some common knowledge on how to use setfiles and restorecon
here.
On Tue, Jun 13, 2023 at 8:53 AM Casper <fantom(a)fedoraproject.org> wrote:
> I guess that path is *not* correct (or even the file itself):
>
> /etc/selinux/mcs/contexts/files/file_contexts
>
> This file is *not* provided by the mcstrans rpm. Why did you use it
> instead of /etc/selinux/targeted/contexts/files/file_contexts ?
>
> Where does it come from?
>
> Henry Zhang a écrit :
> > Vit,
> > I can do it with:
> > setfiles -v /etc/selinux/mcs/contexts/files/file_contexts /home/root/yolo
> >
> > Relabeled /home/root/yolo from root:object_r:unlabeled_t:s0 to
> > root:object_r:user_home_t:s0
> >
> > when I use "restorecon -R -v /home/root/yolo"
> > Relabeled /sysroot/home/root/yolo from root:object_r:user_home_t:s0 to
> > root:object_r:root_home_t:s0
> >
> > setfiles relabels yolo back to user_home_t
> > and
> > restorecon relabels yolo back to root_home_t
> >
> > Should setfiles or restorecon be used for me?
> >
> > ---henry
> > On Mon, Jun 12, 2023 at 11:59 PM Vit Mojzis <[1]vmojzis(a)redhat.com>
> wrote:
> >
> > > On 6/12/23 17:20, Henry Zhang wrote:
> >
> > >> Vit,
> > >> Thanks for the links.
> > >> I can use restorecon to recover to default value if file content is
> > >> changed by the chcon command.
> > >> But setfiles does nothing when the file is changed by chcon.
> > >> May I change something and let setfiles recover it?
> >
> > > Sure. But you need to specify the full path (unlike when using
> > > restorecon, which uses "realpath" to get the full path on its own).
> >
> > > $ touch yolo
> > > $ ls -lZ
> > > total 0
> > > -rw-r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Jun 12 13:05 yolo
> > > # chcon -t unlabeled_t yolo
> > > $ ls -lZ
> > > total 0
> > > -rw-r--r--. 1 root root unconfined_u:object_r:unlabeled_t:s0 0 Jun 12 13:05 yolo
> > > # setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /home/testuser/yolo
> > > Relabeled /home/testuser/yolo from unconfined_u:object_r:unlabeled_t:s0 to unconfined_u:object_r:user_home_t:s0
> >
> > > Vit
> >
> > >> ---henry
> > >> On Mon, Jun 12, 2023 at 6:15 AM Vit Mojzis <[2]vmojzis(a)redhat.com>
> > >> wrote:
> >
> > >>> Hi,
> > >>> let me walk you through the steps to find this info on your own.
> >
> > >>> # dnf provides setfiles
> > >>> policycoreutils-3.3-4.fc36.x86_64 : SELinux policy core utilities
> > >>> # dnf provides restorecon
> > >>> policycoreutils-3.3-4.fc36.x86_64 : SELinux policy core utilities
> >
> > >>> So both utilities are shipped as part of policycoreutils package.
> > >>> The package is built from the following repository:
> > >>> [3]https://src.fedoraproject.org/rpms/policycoreutils
> > >>> The spec file
> > >>> ([4]
> https://src.fedoraproject.org/rpms/policycoreutils/blob/rawhide/f/policyc...
> )
> > >>> shows that the source code repository is
> > >>> [5]https://github.com/SELinuxProject/selinux
> >
> > >>> $ git clone [6]https://github.com/SELinuxProject/selinux ; cd selinux
> > >>> $ find -name setfiles.c
> > >>> ./policycoreutils/setfiles/setfiles.c
> >
> > >>> This is actually the source file for both tools. Their behavior
> > >>> changes based on the executable name
> > >>> [7]
> https://github.com/SELinuxProject/selinux/blob/main/policycoreutils/setfi...
> >
> > >>> Hope this helps,
> > >>> Vit
> >
> > >>> On 6/8/23 20:01, Henry Zhang wrote:
> > >>> > Hi folks,
> > >>> >
> > >>> > I want to know the difference between setfiles and restorecon.
> > >>> > Where can I get source codes of setfiles and restorecon?
> > >>> >
> > >>> > ---henry
> > >>> >
> > >>> > _______________________________________________
> > >>> > selinux mailing list -- [8]selinux(a)lists.fedoraproject.org
> > >>> > To unsubscribe send an email to
> > >>> [9]selinux-leave(a)lists.fedoraproject.org
> > >>> > Fedora Code of Conduct:
> > >>> [10]https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > >>> > List Guidelines:
> > >>> [11]https://fedoraproject.org/wiki/Mailing_list_guidelines
> > >>> > List Archives:
> > >>> [12]
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
> > >>> > Do not reply to spam, report it:
> > >>> [13]https://pagure.io/fedora-infrastructure/new_issue
> >
> > References
> >
> > Visible links
> > 1. mailto:vmojzis@redhat.com
> > 2. mailto:vmojzis@redhat.com
> > 3. https://src.fedoraproject.org/rpms/policycoreutils
> > 4.
> https://src.fedoraproject.org/rpms/policycoreutils/blob/rawhide/f/policyc...
> > 5. https://github.com/SELinuxProject/selinux
> > 6. https://github.com/SELinuxProject/selinux
> > 7.
> https://github.com/SELinuxProject/selinux/blob/main/policycoreutils/setfi...
> > 8. mailto:selinux@lists.fedoraproject.org
> > 9. mailto:selinux-leave@lists.fedoraproject.org
> > 10. https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > 11. https://fedoraproject.org/wiki/Mailing_list_guidelines
> > 12.
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
> > 13. https://pagure.io/fedora-infrastructure/new_issue
> > 14. mailto:selinux@lists.fedoraproject.org
> > 15. mailto:selinux-leave@lists.fedoraproject.org
> > 16. https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > 17. https://fedoraproject.org/wiki/Mailing_list_guidelines
> > 18.
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
> > 19. https://pagure.io/fedora-infrastructure/new_issue
>
>
> --
> GnuPG: AE157E0B29F0BEF2 at keys.openpgp.org
> CA Cert: https://dl.casperlefantom.net/pub/ssl/root.der
> Jabber/XMPP Messaging: casper(a)casperlefantom.net
>
3 months, 2 weeks
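The thread above establishes that setfiles and restorecon are one binary, that setfiles is given the file_contexts spec file and a full path while restorecon resolves the path itself, and that the two tools were effectively handed different path strings for the same file (/home/root/yolo versus /sysroot/home/root/yolo). What both tools then do is match the path string, not the inode, against the file_contexts regexes. The following is an added example written for this page, not code from the thread or from libselinux (which compiles the specs with PCRE; Python's re is a close enough approximation for these entries). It shows the default label a path resolves to under a small, constructed, refpolicy-style file_contexts: the optional type column (`--`, `-d`, `-p`, ...) filters by inode type, `<<none>>` means "no default label", and the last matching line wins.

```python
"""Compute the default label setfiles/restorecon would assign to a path: the
literal path string is matched against every file_contexts regex, the optional
file-type column filters by inode type, and the last matching entry wins.

Added example; not code from the mailing-list thread or from libselinux. The
spec text below is constructed from a few refpolicy-style lines and is not any
system's real file_contexts.
"""
import re
import stat

# Column-2 type codes of file_contexts and the st_mode test each one applies.
TYPE_TESTS = {"--": stat.S_ISREG, "-d": stat.S_ISDIR, "-p": stat.S_ISFIFO,
              "-s": stat.S_ISSOCK, "-l": stat.S_ISLNK, "-b": stat.S_ISBLK,
              "-c": stat.S_ISCHR}

SAMPLE_FILE_CONTEXTS = r"""# constructed excerpt; a later line overrides an earlier one when both match
/.*                         system_u:object_r:default_t:s0
/dev/.*                     system_u:object_r:device_t:s0
/dev/initctl            -p  system_u:object_r:initctl_t:s0
/home                   -d  system_u:object_r:home_root_t:s0
/home/[^/]+             -d  unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+              unconfined_u:object_r:user_home_t:s0
/home/[^/]+/\.ssh(/.*)?     unconfined_u:object_r:ssh_home_t:s0
/root(/.*)?                 system_u:object_r:admin_home_t:s0
/proc(/.*)?                 <<none>>
"""


def parse_file_contexts(text):
    """Return [(compiled_regex, type_code_or_None, context)] in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, context = parts
            if ftype not in TYPE_TESTS:
                raise ValueError("bad file type code %r in %r" % (ftype, raw))
        elif len(parts) == 2:
            (regex, context), ftype = parts, None
        else:
            raise ValueError("malformed spec line %r" % raw)
        # libselinux anchors every spec so it must match the whole path
        specs.append((re.compile("^(?:%s)$" % regex), ftype, context))
    return specs


def lookup(specs, path, mode=None):
    """Default context for `path`, or None if nothing matches or the match
    is <<none>>. `mode` is an st_mode value; with None the type column is
    not consulted (the way a lookup without a stat behaves)."""
    for regex, ftype, context in reversed(specs):  # last match in the file wins
        if ftype is not None and mode is not None and not TYPE_TESTS[ftype](mode):
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None


SPECS = parse_file_contexts(SAMPLE_FILE_CONTEXTS)

if __name__ == "__main__":
    # The two path strings from the thread name the same file but match
    # different specs, because matching is done on the string, not the inode.
    for p in ("/home/root/yolo", "/sysroot/home/root/yolo", "/root/yolo"):
        print(p, "->", lookup(SPECS, p))
    print("/dev/initctl as fifo         ->", lookup(SPECS, "/dev/initctl", stat.S_IFIFO))
    print("/dev/initctl as regular file ->", lookup(SPECS, "/dev/initctl", stat.S_IFREG))
```

Under this constructed spec /home/root/yolo resolves to user_home_t while /sysroot/home/root/yolo only hits the /.* catch-all, which is the same kind of divergence the thread observed between the two tools: whichever string reaches the matcher decides the label, so `matchpathcon <path>` (or `selabel_lookup`) against the exact string each tool uses is the quick way to check what a relabel will do before running it.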
Trying to set context on a FIFO for nut_upsmon_t process
by Robert Nichols
SELinux is not allowing me to set the needed context on a FIFO that will be written by a nut_upsmon_t process. Running sesearch to find suitable types yields:
allow nut_upsmon_t nut_upsmon_t:fifo_file { append getattr ioctl lock open read write };
But, when I try to run "chcon -t nut_upsmon_t /path/to/fifo" I get "permission denied" and an SELinux alert that complains
If you want to change the label of .alertFIFO2 to nut_upsmon_t, you are not allowed to since it is not a valid file type.
Then you must pick a valid file label.
Do
select a valid file type. List valid file labels by executing:
# seinfo -afile_type -x
That returns info for files, not FIFOs.
Once again, SELinux is causing me more problems than any virus would.
3 months, 3 weeks
semodule and fixfiles
by Henry Zhang
Zdenek,
fixfiles are used for relabeling.
Relabel hints the system was labeled before.
But when the system is labeled initially?
In which cases
1. semodule should be called?
2. fixfiles should be executed?
Thanks.
----henry
3 months, 3 weeks
arch=c00000b7 syscall=35
by Henry Zhang
Hi folks,
I want to analyze audit.log and see
arch=c00000b7 syscall=35
Where can I find what c00000b7 and 35 mean respectively for arm64 device?
Thanks.
---henry
3 months, 4 weeks
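Two questions on this page come down to reading audit.log records as a set rather than one line at a time: the earlier "How do I find the process triggering the SELinux alert?" post, where the AVC line alone gives only pid= and comm= for a process that has already exited, and the arch=c00000b7 syscall=35 question just above. The kernel emits the AVC record together with a SYSCALL record carrying the same event serial (the number after the colon in msg=audit(...:347)), and that SYSCALL record holds exe=, ppid=, arch= and syscall=. The arch value is a bitfield: the low 16 bits are the ELF machine number (0xb7 = 183 = EM_AARCH64), bit 31 marks a 64-bit ABI and bit 30 little-endian, so c00000b7 is 64-bit little-endian arm64, and on the arm64 (asm-generic) table syscall 35 is unlinkat. The block below is an added example written for this page, not code from the list or from the audit package: it joins AVC and SYSCALL records by serial and decodes the two fields. The AVC line for event 347 is the one from the post; every other record, including the exe= path /usr/libexec/example/check, is constructed, and the syscall table is a hand-written excerpt.

```python
"""Pair SELinux AVC denials with the SYSCALL record of the same audit event
and decode the arch=/syscall= fields for an arm64 machine.

Added example; not code from the mailing list or from the audit package. Only
the AVC line of event 347 comes from the original post; the remaining records
are constructed, and the syscall table is a partial, hand-written excerpt.
"""
import re

# Audit arch field layout (linux/audit.h): low 16 bits = ELF machine (EM_*),
# bit 31 = 64-bit ABI, bit 30 = little-endian.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
EM_NAMES = {0x03: "i386", 0x28: "arm", 0x3e: "x86_64", 0xb7: "aarch64"}

# Partial arm64 table (asm-generic/unistd.h numbering). Assumption: the reader
# extends it, or runs `ausyscall aarch64 <nr>` for the full mapping.
AARCH64_SYSCALLS = {35: "unlinkat", 56: "openat", 57: "close", 63: "read",
                    64: "write", 221: "execve", 222: "mmap"}

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")

# Constructed log: event 347 (AVC from the post + invented SYSCALL/PROCTITLE
# companions) and event 412 (an invented unlinkat denial on arm64).
SAMPLE_LOG = """\
type=AVC msg=audit(1687022594.74:347): avc: denied { mmap_zero } for pid=3953 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0
type=SYSCALL msg=audit(1687022594.74:347): arch=c00000b7 syscall=222 success=no exit=-13 a0=0 a1=1000 a2=3 a3=32 items=0 ppid=3921 pid=3953 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="check" exe="/usr/libexec/example/check" subj=system_u:system_r:spc_t:s0 key=(null)
type=PROCTITLE msg=audit(1687022594.74:347): proctitle="check"
type=AVC msg=audit(1687022600.12:412): avc: denied { unlink } for pid=4010 comm="cleanup" name="state.tmp" dev="mmcblk0p2" ino=8813 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1687022600.12:412): arch=c00000b7 syscall=35 success=no exit=-13 a0=ffffff9c a1=aaaadf7c1230 a2=0 a3=0 items=0 ppid=1 pid=4010 comm="cleanup" exe="/usr/bin/cleanup" subj=system_u:system_r:initrc_t:s0 key=(null)
"""


def decode_arch(hexvalue):
    """Split an audit arch= value into (machine, bits, endianness)."""
    n = int(hexvalue, 16)
    machine = EM_NAMES.get(n & 0xFFFF, "em_0x%x" % (n & 0xFFFF))
    bits = 64 if n & AUDIT_ARCH_64BIT else 32
    endian = "LE" if n & AUDIT_ARCH_LE else "BE"
    return machine, bits, endian


def syscall_name(machine, number):
    """Name a syscall number; only the arm64 excerpt above is known here."""
    if machine == "aarch64":
        return AARCH64_SYSCALLS.get(number, "syscall_%d" % number)
    return "syscall_%d" % number


def parse_record(line):
    """One audit.log line -> dict with type, serial, key=value fields, and
    the permission list from an AVC 'denied { ... }' clause."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    perms = DENIED_RE.search(body)
    return {"type": rtype, "time": ts, "serial": int(serial),
            "fields": fields, "perms": perms.group(1).split() if perms else []}


def correlate(log_text):
    """Group records by event serial and attach SYSCALL details to each AVC."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    rows = []
    for serial in sorted(events):
        recs = events[serial]
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for avc in (r for r in recs if r["type"] == "AVC"):
            f = avc["fields"]
            row = {"serial": serial, "pid": f.get("pid"), "comm": f.get("comm"),
                   "scontext": f.get("scontext"), "tcontext": f.get("tcontext"),
                   "tclass": f.get("tclass"), "perms": avc["perms"],
                   "exe": None, "ppid": None, "arch": None, "syscall": None}
            if sysc:  # the companion record names the binary and its parent
                s = sysc["fields"]
                row["exe"], row["ppid"] = s.get("exe"), s.get("ppid")
                if "arch" in s and "syscall" in s:
                    machine, bits, endian = decode_arch(s["arch"])
                    row["arch"] = "%s %d-bit %s" % (machine, bits, endian)
                    row["syscall"] = syscall_name(machine, int(s["syscall"]))
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print("event %(serial)s: %(scontext)s pid=%(pid)s comm=%(comm)s exe=%(exe)s "
              "ppid=%(ppid)s denied %(perms)s on %(tclass)s via %(syscall)s [%(arch)s]" % row)
```

On a live system the same join is what `ausearch -a 347` (all records of one event) or `ausearch -m AVC,SYSCALL -ts boot -i` performs, and `ausyscall aarch64 35` does the number-to-name lookup for the full table. The caveat worth knowing for the startup case in the earlier post: the SYSCALL companion is only written when syscall auditing is enabled (auditd does this when it starts), so an AVC that appears only in the journal or dmesg before auditd is up has no exe= to pair with; enabling audit early via the `audit=1` kernel parameter is the usual fix.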
find context of the command process
by Henry Zhang
Hi folks,
It is hard to list a context of a process.
For example:
ps -ZC ls
or ps -ZC tar
only "ps -ZC sleep" returns context of the sleep process.
# ps -ZC sleep
LABEL PID TTY TIME CMD
system_u:system_r:initrc_t:s0 11744 ? 00:00:00 sleep
system_u:system_r:initrc_t:s0 13006 ? 00:00:00 sleep
system_u:system_r:initrc_t:s0 14087 ? 00:00:00 sleep
Any suggestions?
--henry
3 months, 4 weeks