12:54 p.m.
I have last update and default SELinux install, but I got many syntax errors for
mlsconstrain. Any idea ? Thank you.
[root@desk mythcat]# uname -a
Linux desk 5.8.4-200.fc32.x86_64 #1 SMP Wed Aug 26 22:28:08 UTC 2020 x86_64 x86_64 x86_64
GNU/Linux
ausearch -c 'updatedb' --raw | audit2allow -M my-updatedb
compilation failed:
my-updatedb.te:25:ERROR 'syntax error' at token 'mlsconstrain' on line
25:
# mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1 ==
mlsfilereadtoclr -Fail-) and (h1 dom l2) or (t1 == mlsfileread -Fail-) or (t2 ==
mlstrustedobject -Fail-) ); Constraint DENIED
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and
(h1 dom l2) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) );
Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
...
[root@desk mythcat]# ausearch -c 'ausearch' --raw | audit2allow -M my-ausearch
compilation failed:
my-ausearch.te:28:ERROR 'syntax error' at token 'mlsconstrain' on line
28:
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton }
((l1 eq l2 -Fail-) or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1
domby l2) or (t2 == mlsfilewriteinrange -Fail-) and (l1 dom l2 -Fail-) an
# mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 ==
mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 ==
mlstrustedobject -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
...
11:36 a.m.
Hi,
Can you please provide SELinux denials you see in audit log?
Also, please try to restore labels to make sure filesystem is correctly
labeled:
# restorecon -RFv /
Thanks,
Lukas.
On 9/3/20 7:54 PM, Cătălin George Feștilă wrote:
I have last update and default SELinux install, but I got many syntax
errors for mlsconstrain. Any idea ? Thank you.
[root@desk mythcat]# uname -a
Linux desk 5.8.4-200.fc32.x86_64 #1 SMP Wed Aug 26 22:28:08 UTC 2020 x86_64 x86_64 x86_64
GNU/Linux
ausearch -c 'updatedb' --raw | audit2allow -M my-updatedb
compilation failed:
my-updatedb.te:25:ERROR 'syntax error' at token 'mlsconstrain' on line
25:
# mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1 ==
mlsfilereadtoclr -Fail-) and (h1 dom l2) or (t1 == mlsfileread -Fail-) or (t2 ==
mlstrustedobject -Fail-) ); Constraint DENIED
mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and
(h1 dom l2) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) );
Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
...
[root@desk mythcat]# ausearch -c 'ausearch' --raw | audit2allow -M my-ausearch
compilation failed:
my-ausearch.te:28:ERROR 'syntax error' at token 'mlsconstrain' on line
28:
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton }
((l1 eq l2 -Fail-) or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1
domby l2) or (t2 == mlsfilewriteinrange -Fail-) and (l1 dom l2 -Fail-) an
# mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 ==
mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 ==
mlstrustedobject -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
...
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
4:50 a.m.
I don't want to restore labels, want to fix it ... I find a similar bug reported on
this issue.
3:19 p.m.
my user is set to staff_u
[root@desk mythcat]# ausearch -m AVC -ts recent
----
time->Mon Sep 21 23:12:51 2020
type=AVC msg=audit(1600719171.505:604): avc: denied { watch } for pid=1
comm="systemd"
path="/sys/fs/cgroup/system.slice/fprintd.service/cgroup.events"
dev="cgroup2" ino=6534 scontext=system_u:system_r:init_t:s0-s15:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
----
time->Mon Sep 21 23:13:31 2020
type=AVC msg=audit(1600719211.995:628): avc: denied { search } for pid=7838
comm="ausearch" name="audit" dev="dm-0" ino=25498338
scontext=staff_u:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir permissive=1
----
time->Mon Sep 21 23:13:31 2020
type=AVC msg=audit(1600719211.995:629): avc: denied { read } for pid=7838
comm="ausearch" name="auditd.conf" dev="dm-0" ino=25498340
scontext=staff_u:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file permissive=1
----
time->Mon Sep 21 23:13:32 2020
type=AVC msg=audit(1600719212.142:630): avc: denied { read } for pid=7838
comm="ausearch" name="audit" dev="dm-0" ino=8489316
scontext=staff_u:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir permissive=1
----
time->Mon Sep 21 23:13:32 2020
type=AVC msg=audit(1600719212.142:631): avc: denied { search } for pid=7838
comm="ausearch" name="audit" dev="dm-0" ino=8489316
scontext=staff_u:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir permissive=1
----
time->Mon Sep 21 23:13:32 2020
type=AVC msg=audit(1600719212.142:632): avc: denied { read } for pid=7838
comm="ausearch" name="audit.log" dev="dm-0" ino=8606022
scontext=staff_u:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file permissive=1
----
time->Mon Sep 21 23:13:37 2020
type=AVC msg=audit(1600719217.510:633): avc: denied { getattr } for pid=5995
comm="setroubleshootd" path="/etc/audit" dev="dm-0"
ino=25498338 scontext=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir permissive=1
----
time->Mon Sep 21 23:13:39 2020
type=AVC msg=audit(1600719219.384:634): avc: denied { watch } for pid=1
comm="systemd"
path="/sys/fs/cgroup/system.slice/system-dbus\x2d:1.10\x2dorg.fedoraproject.SetroubleshootPrivileged.slice/dbus-:1.10-org.fedoraproject.SetroubleshootPrivileged@8.service/cgroup.events"
dev="cgroup2" ino=6565 scontext=system_u:system_r:init_t:s0-s15:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
----
time->Mon Sep 21 23:13:40 2020
type=AVC msg=audit(1600719220.212:636): avc: denied { getattr } for pid=5995
comm="setroubleshootd" path="/var/log/audit" dev="dm-0"
ino=8489316 scontext=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir permissive=1
----
time->Mon Sep 21 23:17:37 2020
type=AVC msg=audit(1600719457.649:646): avc: denied { search } for pid=8097
comm="ausearch" name="audit" dev="dm-0" ino=25498338
scontext=staff_u:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir permissive=1
----
time->Mon Sep 21 23:17:37 2020
type=AVC msg=audit(1600719457.649:647): avc: denied { read } for pid=8097
comm="ausearch" name="auditd.conf" dev="dm-0" ino=25498340
scontext=staff_u:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file permissive=1
----
time->Mon Sep 21 23:17:37 2020
type=AVC msg=audit(1600719457.650:648): avc: denied { read } for pid=8097
comm="ausearch" name="audit" dev="dm-0" ino=8489316
scontext=staff_u:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir permissive=1
----
time->Mon Sep 21 23:17:37 2020
type=AVC msg=audit(1600719457.650:649): avc: denied { search } for pid=8097
comm="ausearch" name="audit" dev="dm-0" ino=8489316
scontext=staff_u:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir permissive=1
----
time->Mon Sep 21 23:17:37 2020
type=AVC msg=audit(1600719457.650:650): avc: denied { read } for pid=8097
comm="ausearch" name="audit.log" dev="dm-0" ino=8606022
scontext=staff_u:staff_r:staff_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file permissive=1
[root@desk mythcat]# ausearch -m AVC -ts recent | audit2allow -R
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
could not open interface info [/var/lib/sepolgen/interface_info]
5:27 a.m.
[root@desk mythcat]# ausearch -c 'restorecon' --raw | audit2allow
#============= staff_t ==============
allow staff_t admin_home_t:dir { relabelfrom relabelto };
allow staff_t admin_home_t:file { relabelfrom relabelto };
#!!!! This avc is a constraint violation. You would need to modify the attributes of
either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and
(h1 dom l2) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) );
Constraint DENIED
# Possible cause is the source user (staff_u) and target user (system_u) are different.
# Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are
different.
allow staff_t auditd_etc_t:dir search;
allow staff_t auditd_etc_t:dir { open read };
1278
days inactive
1330
days old
selinux@lists.fedoraproject.org
4 comments
2 participants
participants (2)
-
Cătălin George Feștilă -
Lukas Vrabec