selinux June 2023

selinux@lists.fedoraproject.org

11 participants
14 discussions

SELinux is preventing systemd-tmpfile from using the sys_resource capability.
by Manfred Lotz 23 Apr '25

23 Apr '25

Hi there, Running Fedora 31 and SELinux still in permissive mode I got SELinux is preventing systemd-tmpfile from using the sys_resource capability. ***** Plugin sys_resource (91.4 confidence) suggests ********************** If you do not want processes to require capabilities to use up all the system resources on your syste> Then you need to diagnose why your system is running out of system resources and fix the problem. According to /usr/include/linux/capability.h, sys_resource is required to: /* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */ Do fix the cause of the SYS_RESOURCE on your system. ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that systemd-tmpfile should have the sys_resource capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-tmpfile' --raw | audit2allow -M my-systemdtmpfile # semodule -X 300 -i my-systemdtmpfile.pp I also see type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1 type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1 I have to admit I don't know how to judge this. Before I do anything here I like to understand. -- Manfred

3 3

Not possible to specify smtp password for setroubleshootd?
by Matt Kinni 09 Jun '24

09 Jun '24

Hello, I run a Fedora 35 server and would like setroubleshootd to send email alerts for avc denials, but I'm having trouble configuring this due to the apparent lack of support for configuring an smtp password. The out of the box setroubleshoot.conf sets > smtp_host = localhost > smtp_port = 25 > from_address = SELinux_Troubleshoot , but there is no config parameter for smtp password. For this to actually work on a machine acting as an MTA (I have postfix running locally), the mail server would have to be configured to allow unauthenticated port 25 connections to masquerade as any local system user, which no decent postfix setup would allow. I am not a python programmer, but in my reading of https://pagure.io/setroubleshoot/blob/main/f/framework/src/setroubleshoot/e…, it doesn't appear there is any built in way to support authenticated email sending despite the underlying smtplib being able to do it. I would suggest either a) adding password support for smtplib, or/and b) adding an option to send mail using the sendmail binary, which allows postfix to recognize the running user without any password needed. Has anyone else run into problems deploying the setroubleshootd email alerts in practice? email_alert.py appears simple enough to hack in password support, but I feel a security oriented project like selinux shouldn't require an insecure mail setup in order to send its alerts. Any tips are welcome, Thanks, Matt

2 4

get rid of setenforce
by Henry Zhang 09 Jun '24

09 Jun '24

Hi folks, setenforce allows users to swap selinux mode between enforcing and permissive. If I want my selinux to stay in enforcing mode forever so that nobody is able to interfere with my selinux. What should I do? Thanks. ---henry

5 13

certmonger post-save scripts & certmonger_unconfined_t domain
by Sam Morris 06 Jun '24

06 Jun '24

Certmonger allows for the configuration of a post-save command to be run after it has obtained new certificates. This can be used to copy the key & certificates out of wherever certmonger is allowed to put them, and save them elsewhere with a particular owner/group, combine the certificate & chain into a single file as required by some software, etc. The problem comes with SELinux which prevents my post-save scripts from being able to do all of that. I thought the solution was to give the scripts the context of certmonger_unconfined_exec_t, which would cause a transition to the certmonger_unconfined_t domain which is as its name suggests unconfined; but I can't get this to work. I'm trying to use runcon to simulate certmonger executing a fake script: # cat /tmp/fakescript #!/bin/bash set -eu id -Z # /tmp/fakescript unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 # ls -Z /tmp/fakescript unconfined_u:object_r:certmonger_unconfined_exec_t:s0 /tmp/fakescript # runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript runcon: ‘/tmp/fakescript’: Permission denied Here is the avc denial: ---- type=PROCTITLE msg=audit(27/04/21 16:16:47.156:153492) : proctitle=runcon system_u:system_r:certmonger_t:s0 /tmp/fakescript type=SYSCALL msg=audit(27/04/21 16:16:47.156:153492) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffd8aa768ab a1=0x7ffd8aa75888 a2=0x7ffd8aa75898 a3=0x0 items=0 ppid=177795 pid=177796 auid=sam.admin uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=103 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(27/04/21 16:16:47.156:153492) : avc: denied { entrypoint } for pid=177796 comm=runcon path=/tmp/fakescript dev="dm-0" ino=33563064 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:certmonger_unconfined_exec_t:s0 tclass=file permissive=0 Even though: # sepolicy transition -s certmonger_t -t certmonger_unconfined_t certmonger_t @ certmonger_unconfined_exec_t --> certmonger_unconfined_t Diving in a little deeper, I can see that certmonger can execute the file: # sesearch -s certmonger_t -t certmonger_unconfined_exec_t -c file -p execute -A allow certmonger_t certmonger_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read }; ... and that the file type is an entrypoint for the certmonger_unconfined_t domain: # sesearch -s certmonger_unconfined_t -t certmonger_unconfined_exec_t -c file -p entrypoint -A allow certmonger_unconfined_t certmonger_unconfined_exec_t:file { entrypoint execute getattr ioctl lock map open read }; ... and that transition is permitted from certmonger_t: # sesearch -s certmonger_t -t certmonger_unconfined_t -c process -p transition -A allow certmonger_t certmonger_unconfined_t:process transition; Which leaves me scratching my head, unsure why it doesn't work in practice... -- Sam Morris <https://robots.org.uk/> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

2 4

SELINUXTYPE
by Henry Zhang 28 Jun '23

28 Jun '23

Hi Folks, Why does Fedora select SELINUXTYPE=target? SELinux offers options: # SELINUXTYPE= can take one of these values: # minimum - Minimum Security protection. # standard - Standard Security protection. # mls - Multi Level Security protection. # targeted - Targeted processes are protected. # mcs - Multi Category Security protection. Thanks. ---henry

3 2

selinux in linux kernel
by Henry Zhang 26 Jun '23

26 Jun '23

Hi folks, I downloaded the linux kernel and see linux-6.4/security/selinux subdirectory. Here is my question: I want to use the newer version of Linux kernel. What should I do for my current selinux utility and policies etc to match the newer version of the linux kernel? ---henry

1 0

How do I find the process triggering the SELinux alert?
by Marius Ghita 20 Jun '23

20 Jun '23

I have the following audit message Raw Audit Messages type=AVC msg=audit(1687022594.74:347): avc: denied { mmap_zero } for pid=3953 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0 This warning gets triggered from time to time around system startup, and I cannot find the process involved. The name check is too generic to use the locate command and the process is no longer running by the time I would have the chance to peek at the PID. Thanks.

4 3

Re: difference between setfiles and restorecon
by Henry Zhang 13 Jun '23

13 Jun '23

mcs is used in my custom board. I am asking for some common knowledge on how to use setfiles and restorecon here. On Tue, Jun 13, 2023 at 8:53 AM Casper <fantom(a)fedoraproject.org> wrote: > I guess that path is *not* correct (or even the file itself): > > /etc/selinux/mcs/contexts/files/file_contexts > > This file is *not* provided by the mcstrans rpm. Why did you used it > instead of /etc/selinux/targeted/contexts/files/file_contexts ? > > Where does it come from? > > Henry Zhang a écrit : > > Vit, > > I can do it with: > > setfiles -v /etc/selinux/mcs/contexts/files/file_contexts > /home/root/yolo > > > > Relabeled /home/root/yolo from root:object_r:unlabeled_t:s0 to > > root:object_r:user_home_t:s0 > > > > when I use "restorecon -R -v /home/root/yolo" > > Relabeled /sysroot/home/root/yolo from root:object_r:user_home_t:s0 to > > root:object_r:root_home_t:s0 > > > > setfiles relabels yolo back to user_home_t > > and > > restorecon relabels yolo back to root_home_t > > > > Should setfiles or restorecon be used for me? > > > > ---henry > > On Mon, Jun 12, 2023 at 11:59 PM Vit Mojzis <[1]vmojzis(a)redhat.com> > wrote: > > > > > On 6/12/23 17:20, Henry Zhang wrote: > > > > >> Vit, > > >> Thanks for the links. > > >> I can use restorecon to recover to default value if file content is > > >> changed by the chcon command. > > >> But setfiles does nothing when the file is changed by chcon. > > >> May I change something and let setfiles recover it? > > > > > Sure. But you need to specify the full path (unlike when using > > > restorecon, which uses "realpath" to get the full path on its own). > > > > > $ touch yolo > > > $ ls -lZ > > > total 0 > > > -rw-r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Jun > 12 > > > 13:05 yolo > > > # chcon -t unlabeled_t yolo > > > $ ls -lZ > > > total 0 > > > -rw-r--r--. 1 root root unconfined_u:object_r:unlabeled_t:s0 0 Jun > 12 > > > 13:05 yolo > > > # setfiles -v /etc/selinux/targeted/contexts/files/file_contexts > > > /home/testuser/yolo > > > Relabeled /home/testuser/yolo from > unconfined_u:object_r:unlabeled_t:s0 > > > to unconfined_u:object_r:user_home_t:s0 > > > > > Vit > > > > >> ---henry > > >> On Mon, Jun 12, 2023 at 6:15 AM Vit Mojzis <[2]vmojzis(a)redhat.com> > > >> wrote: > > > > >>> Hi, > > >>> let me walk you through the steps to find this info on your own. > > > > >>> # dnf provides setfiles > > >>> policycoreutils-3.3-4.fc36.x86_64 : SELinux policy core utilities > > >>> # dnf provides restorecon > > >>> policycoreutils-3.3-4.fc36.x86_64 : SELinux policy core utilities > > > > >>> So both utilities are shipped as part of policycoreutils package. > > >>> The package is build from the following repository: > > >>> [3]https://src.fedoraproject.org/rpms/policycoreutils > > >>> The spec file > > >>> ([4] > https://src.fedoraproject.org/rpms/policycoreutils/blob/rawhide/f/policycor… > ) > > >>> shows that the source code repository is > > >>> [5]https://github.com/SELinuxProject/selinux > > > > >>> $ git clone [6]https://github.com/SELinuxProject/selinux ; cd > selinux > > >>> $ find -name setfiles.c > > >>> ./policycoreutils/setfiles/setfiles.c > > > > >>> This is actually the source file for both tools. Their behavior > > >>> changes > > >>> based on the executable name > > >>> [7] > https://github.com/SELinuxProject/selinux/blob/main/policycoreutils/setfile… > > > > >>> Hope this helps, > > >>> Vit > > > > >>> On 6/8/23 20:01, Henry Zhang wrote: > > >>> > Hi folks, > > >>> > > > >>> > I want to know the difference between setfiles and restorecon. > > >>> > Where can I get source codes of setfiles and restorecon? > > >>> > > > >>> > ---henry > > >>> > > > >>> > _______________________________________________ > > >>> > selinux mailing list -- [8]selinux(a)lists.fedoraproject.org > > >>> > To unsubscribe send an email to > > >>> [9]selinux-leave(a)lists.fedoraproject.org > > >>> > Fedora Code of Conduct: > > >>> [10]https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > >>> > List Guidelines: > > >>> [11]https://fedoraproject.org/wiki/Mailing_list_guidelines > > >>> > List Archives: > > >>> [12] > https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.o… > > >>> > Do not reply to spam, report it: > > >>> [13]https://pagure.io/fedora-infrastructure/new_issue > > >>> _______________________________________________ > > >>> selinux mailing list -- [14]selinux(a)lists.fedoraproject.org > > >>> To unsubscribe send an email to > > >>> [15]selinux-leave(a)lists.fedoraproject.org > > >>> Fedora Code of Conduct: > > >>> [16]https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > >>> List Guidelines: > > >>> [17]https://fedoraproject.org/wiki/Mailing_list_guidelines > > >>> List Archives: > > >>> [18] > https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.o… > > >>> Do not reply to spam, report it: > > >>> [19]https://pagure.io/fedora-infrastructure/new_issue > > > > References > > > > Visible links > > 1. mailto:vmojzis@redhat.com > > 2. mailto:vmojzis@redhat.com > > 3. https://src.fedoraproject.org/rpms/policycoreutils > > 4. > https://src.fedoraproject.org/rpms/policycoreutils/blob/rawhide/f/policycor… > > 5. https://github.com/SELinuxProject/selinux > > 6. https://github.com/SELinuxProject/selinux > > 7. > https://github.com/SELinuxProject/selinux/blob/main/policycoreutils/setfile… > > 8. mailto:selinux@lists.fedoraproject.org > > 9. mailto:selinux-leave@lists.fedoraproject.org > > 10. https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > 11. https://fedoraproject.org/wiki/Mailing_list_guidelines > > 12. > https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.o… > > 13. https://pagure.io/fedora-infrastructure/new_issue > > 14. mailto:selinux@lists.fedoraproject.org > > 15. mailto:selinux-leave@lists.fedoraproject.org > > 16. https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > 17. https://fedoraproject.org/wiki/Mailing_list_guidelines > > 18. > https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.o… > > 19. https://pagure.io/fedora-infrastructure/new_issue > > > _______________________________________________ > > selinux mailing list -- selinux(a)lists.fedoraproject.org > > To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.o… > > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > > > -- > GnuPG: AE157E0B29F0BEF2 at keys.openpgp.org > CA Cert: https://dl.casperlefantom.net/pub/ssl/root.der > Jabber/XMPP Messaging: casper(a)casperlefantom.net >

1 0

difference between setfiles and restorecon
by Henry Zhang 13 Jun '23

13 Jun '23

Hi folks, I want to know the difference between setfiles and restorecon. Where can I get source codes of setfiles and restorecon? ---henry

2 4

Trying to set context on a FIFO for nut_upsmon_t process
by Robert Nichols 09 Jun '23

09 Jun '23

SELinux is not allowing me to set the needed context on a FIFO that will be written by a nut_upsmon_t process. Runnin sesearch to find suitable types yields: allow nut_upsmon_t nut_upsmon_t:fifo_file { append getattr ioctl lock open read write }; But, when I try to run "chcon -t nut_upsmon_t /path/to/fifo" I get "permission denied" and an SELinux alert than complains If you want to change the label of .alertFIFO2 to nut_upsmon_t, you are not allowed to since it is not a valid file type. Then you must pick a valid file label. Do select a valid file type. List valid file labels by executing: # seinfo -afile_type -x That returns info for files, not FIFOs. Once again, SELinux is causing me more problems than any virus would.

4 8

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux June 2023