Mostly I have been running fedora on a home desktop and laptop for a long time with SELinux enabled, with very minimal workarounds needed. Otherwise I am new to policies etc. I have just enabled SELinux in permissive mode on a web server and followed the instructions here to create a "local_policy.cil" policy module file containing a few simple rules, and install it.
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux#proc_creating-a-local-selinux-policy-module_troubleshooting-problems-related-to-selinux
Why is PostgreSQL running in unconfined_service_t, and what do I need to do to allow php-fpm to connect to it?
Isn't there a boolean for that?
[root@blanco ~]# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Mon Jan 13 13:36:10 2025
type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
----
...
Do I need a ".cil" rule like this?
(allow httpd_t unconfined_service_t (unix_stream_socket (connectto)))
To allow database connections from a web server you need to toggle an SELinux boolean like
setsebool -P httpd_can_network_connect_db 1
-P for persistent.
Trevor
On 13/01/2025 14:09, justina colmena ~biz via selinux wrote:
Mostly I have been running fedora on a home desktop and laptop for a long time with SELinux enabled, with very minimal workarounds needed. Otherwise I am new to policies etc. I have just enabled SELinux in permissive mode on a web server and followed the instructions here to create a "local_policy.cil" policy module file containing a few simple rules, and install it.
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux#proc_creating-a-local-selinux-policy-module_troubleshooting-problems-related-to-selinux
Why is PostgreSQL running in unconfined_service_t, and what do I need to do to allow php-fpm to connect to it?
Isn't there a boolean for that?
[root@blanco ~]# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
time->Mon Jan 13 13:36:10 2025 type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
...
Do I need a ".cil" rule like this?
(allow httpd_t unconfined_service_t (unix_stream_socket (connectto)))
On Monday, January 13, 2025 6:17:20 AM Pacific Standard Time Trevor Hemsley via selinux wrote:
To allow database connections from a web server you need to toggle an SELinux boolean like
setsebool -P httpd_can_network_connect_db 1
That's exactly what I did. But that's for network connections to the database on 127.0.0.1, not unix socket connections, afaict.
And there are more booleans that are quite specific to postgresql. Maybe I should try the "selinuxuser_postgresql_connect_enabled" boolean.
[root@blanco ~]# getsebool -a|grep postgres
postgresql_can_rsync --> off
postgresql_selinux_transmit_client_label --> off
postgresql_selinux_unconfined_dbadm --> on
postgresql_selinux_users_ddl --> on
selinuxuser_postgresql_connect_enabled --> off
[root@blanco ~]#
And a really old man page which I can't find installed on the system.
https://mgrepl.fedorapeople.org/man_selinux/Fedora18/postgresql.html
justina colmena ~biz via selinux wrote:
And there are more booleans that are quite specific to postgresql. Maybe I should try the "selinuxuser_postgresql_connect_enabled" boolean.
[root@blanco ~]# getsebool -a|grep postgres
postgresql_can_rsync --> off
postgresql_selinux_transmit_client_label --> off
postgresql_selinux_unconfined_dbadm --> on
postgresql_selinux_users_ddl --> on
selinuxuser_postgresql_connect_enabled --> off
[root@blanco ~]#
And a really old man page which I can't find installed on the system.
https://mgrepl.fedorapeople.org/man_selinux/Fedora18/postgresql.html
If you install selinux-policy-doc then you should have postgresql_selinux(8) (as well as many other <service>_selinux man pages). Those can be quite useful.
The other things that can prevent postgresql from connecting are a misconfigured pg_hba.conf file or a misconfigured postgresql.conf.
On Monday, January 13, 2025 9:38:51 AM Pacific Standard Time John Griffiths via selinux wrote:
What denials are shown in sealert?
John
Very few now except for "ps" or process listing related denials. Probably some things are "allowed" that don't need to be, but on the theory some SELinux protection is better than none, and getting things going in enforcing mode, everything is mostly working. Still looking for weirdnesses and issues on running services.
[root@blanco ~]# vim local_policy.cil
[root@blanco ~]# semodule -r local_policy && semodule -i local_policy.cil
libsemanage.semanage_direct_remove_key: Removing last local_policy module (no other local_policy module exists at another priority).
[root@blanco ~]# cat local_policy.cil
(allow postfix_smtpd_t var_lib_t (file (getattr open read)))
(allow httpd_t unconfined_service_t (unix_stream_socket (connectto)))
(allow init_t mysqld_port_t (tcp_socket (name_connect)))
(allow init_t soundd_port_t (tcp_socket (name_connect)))
(allow init_t http_port_t (tcp_socket (name_connect)))
(allow init_t user_home_t (file (getattr open read write append)))
(allow init_t user_home_t (dir (getattr open read write append)))
(allow init_t user_home_t (lnk_file (getattr open read write append)))
(allow init_t init_t (process (execmem)))
(allow saslauthd_t saslauthd_t (capability (dac_read_search)))
[root@blanco ~]# geten
getenforce  getent
[root@blanco ~]# getenforce
Enforcing
[root@blanco ~]#
On Tuesday, January 14, 2025 10:15:59 AM Pacific Standard Time justina colmena ~biz via selinux wrote:
On Monday, January 13, 2025 9:38:51 AM Pacific Standard Time John Griffiths via
selinux wrote:
What denials are shown in sealert?
John
One last little detail preventing user authentication ....
[root@blanco ~]# getsebool -a|grep auth
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
saslauthd_read_shadow --> off
[root@blanco ~]# setsebool -P saslauthd_read_shadow on
[root@blanco ~]#
I think you may be going about this the hard way.
Are you using the setroubleshoot packages?
setroubleshoot.x86_64 setroubleshoot-plugins.noarch setroubleshoot-server.x86_64
They provide sealert and some other tools for analyzing AVCs and writing local policies.
The original policy module doesn't need to be replaced. It can just be augmented.
When I need to write or add to a policy, I put selinux in permissive mode, make note of the time, run the program and exercise it.
Then I put selinux back in enforcing mode.
Then I run: ausearch -ts 01/06/2025 09:53:57 --raw | audit2allow -M my-moduleName
Substitute your date and time for above. The module name just needs to be something you recognize. I always preface the package with "my-" so I can search on my policy modules.
The command will produce a te file and a pp file.
You install the my-moduleName.pp file using: semodule -X 300 -i my-moduleName.pp
Your new policy is now installed and selinux is using it.
This procedure will probably silence AVC denials, but may or may not result in a correct policy. The reason is stated in e.g.
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/usi...
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/usi...
https://source.android.com/docs/security/features/selinux/device-policy
"When systems run SELinux in permissive mode, users and processes might label various file-system objects incorrectly." "Be careful when the tool suggests using the audit2allow tool for configuration changes. You should not use audit2allow to generate a local policy module as your first option when you see an SELinux denial." "Simply accepting the output from audit2allow [here] would result in an incorrect and overly permissive rule."
It used to be common practice to generate policy from the Reference Policy, to make use of existing interfaces whenever possible. (man audit2allow, -R). OP is using CIL. Admittedly, I haven't tried to use both -R and -C.
On Tue, Jan 14, 2025 at 9:47 PM John Griffiths via selinux < selinux@lists.fedoraproject.org> wrote:
I think you may be going about this the hard way.
Are you using the setroubleshoot packages?
setroubleshoot.x86_64 setroubleshoot-plugins.noarch setroubleshoot-server.x86_64
They provide sealert and some other tools for analyzing AVCs and writing local policies.
The original policy module doesn't need to be replaced. It can just be augmented.
When I need to write or add to a policy, I put selinux in permissive mode, make note of the time, run the program and exercise it.
Then I put selinux back in enforcing mode.
Then I run: ausearch -ts 01/06/2025 09:53:57 --raw | audit2allow -M my-moduleName
Substitute your date and time for above. The module name just needs to be something you recognize. I always preface the package with "my-" so I can search on my policy modules.
The command will produce a te file and a pp file.
You install the my-moduleName.pp file using: semodule -X 300 -i my-moduleName.pp
Your new policy is now installed and selinux is using it.
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
There is no need for that. This is supposed to be, amongst many other things, a learning experience for everyone. I'm pretty sure I can learn from you and any other person participating in this list. And my apologies if anything I wrote was remotely rude, that was never the intention.
On Tue, Jan 14, 2025 at 10:22 PM John Griffiths via selinux < selinux@lists.fedoraproject.org> wrote:
Pardon me.
I will bow out of the conversation.
No offense taken.
I started working with SELinux in Fedora Core 4 in 2005.
I've been through lots of changes.
Running in permissive mode in a multiuser environment would certainly be problematic. Running as a single user with only one unknown should be much less so.
We went from very laborious policy module creation to much easier with sealert and audit2allow and, apparently, back to being laborious.
I always review the te file to see if it is reasonable and whether it opens any extraneous holes in security. So far, I've never seen a problem, but maybe I've been lucky.
If the audit2allow and sealert give erroneous modules, then they should be deprecated. Until they are, I will continue to use them.
The reason I am stepping back from the conversation is I am apparently behind the current wisdom and I am not particularly interested in going back to producing modules laboriously.
On Tue, Jan 14, 2025 at 3:25 PM John Griffiths via selinux selinux@lists.fedoraproject.org wrote:
We went from very laborious policy module creation to much easier with sealert and audit2allow and, apparently, back to being laborious.
audit2allow cannot know whether access is being denied due to a file (or port) mislabeling, or because necessary rules are missing. So it assumes that necessary rules are missing, and generates rules that will result in the denied access being permitted.
The issue is that almost always, the correct rules are present, but access is being denied because the filesystem (or port et al.) labels are incorrect. In that case, the correct solution is to correct the labels, so that access will be granted. Adding rules that permit access to the incorrectly-labeled files will grant the application more access than it should have.
For these reasons, it’s best to not blindly trust the rules that audit2allow generates, but instead use its output to debug filesystem labeling issues (which, again, is almost always the issue).
Note that audit2allow is aware of SELinux booleans, and will tell you if the access can be permitted by enabling a specific boolean.
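John's ausearch | audit2allow -M | semodule procedure with the review step the last few replies insist on placed in front of the install, as an added example (not code from the thread and not part of the SELinux tooling). The function names are mine. SAMPLE_CIL is the local_policy.cil posted earlier in the thread, retyped; SAMPLE_TE and SAMPLE_OK are constructed. The review gate applies the three objections raised above mechanically: a rule whose source is init_t or unconfined_service_t means a service never transitioned into its own domain, a generic or unconfined target type means the object is probably mislabeled, and permissions such as execmem or dac_read_search weaken the domain itself. Notes audit2allow itself writes into the .te (it prefixes them with `#!!!!`, e.g. when a boolean would do) are also treated as a reason to stop.

```shell
#!/bin/sh
# Added example (not from the thread, not SELinux project code): John's
# ausearch | audit2allow -M | semodule workflow with a review gate in front of
# the install, applying the objections raised in the replies. Function names
# are mine. SAMPLE_CIL is the local_policy.cil justina posted, retyped; the
# other two samples are constructed.

SAMPLE_TE="module my-web 1.0;

require {
    type httpd_t;
    type postgresql_port_t;
    type unconfined_service_t;
    class tcp_socket name_connect;
    class unix_stream_socket connectto;
}

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect_db'
allow httpd_t postgresql_port_t:tcp_socket name_connect;
allow httpd_t unconfined_service_t:unix_stream_socket connectto;"

SAMPLE_CIL='(allow postfix_smtpd_t var_lib_t (file (getattr open read)))
(allow httpd_t unconfined_service_t (unix_stream_socket (connectto)))
(allow init_t mysqld_port_t (tcp_socket (name_connect)))
(allow init_t soundd_port_t (tcp_socket (name_connect)))
(allow init_t http_port_t (tcp_socket (name_connect)))
(allow init_t user_home_t (file (getattr open read write append)))
(allow init_t user_home_t (dir (getattr open read write append)))
(allow init_t user_home_t (lnk_file (getattr open read write append)))
(allow init_t init_t (process (execmem)))
(allow saslauthd_t saslauthd_t (capability (dac_read_search)))'

# what the connectto rule looks like once the server is in its own domain
SAMPLE_OK='(allow httpd_t postgresql_t (unix_stream_socket (connectto)))'

# review_rules FILE -> prints RISK/FLAG lines for a .te or .cil module;
# returns 1 if anything was printed, so it can gate the install
review_rules() {
    awk '
    BEGIN { bad = 0 }
    /^allow / || /^\(allow / {
        src = $2; split($3, t, ":"); tgt = t[1]
        # denial raised *by* init_t / unconfined_service_t: the service never
        # transitioned into its own domain; fix the exec label, do not allow
        if (src ~ /^(init_t|unconfined_service_t|unconfined_t|kernel_t)$/)
            { print "RISK source is not a service domain (missing transition?): " $0; bad = 1 }
        # generic or unconfined target: the object is probably mislabeled
        if (tgt ~ /^unconfined/ || tgt ~ /^(init_t|var_t|var_lib_t|var_run_t|etc_t|usr_t|bin_t|tmp_t|user_home_t|default_t|file_t|unlabeled_t|root_t)$/)
            { print "RISK generic or unconfined target (mislabeled object?): " $0; bad = 1 }
        # permissions that weaken the domain itself
        if ($0 ~ /(execmem|execstack|execheap|dac_override|dac_read_search|sys_admin|sys_ptrace|sys_module|setuid|net_raw)/)
            { print "RISK dangerous permission: " $0; bad = 1 }
    }
    # audit2allow annotates rules it thinks you should not add as-is
    /^#!!!!/ { print "FLAG audit2allow note: " $0; bad = 1 }
    END { exit bad }
    ' "$1"
}

# build_local_module NAME DATE [TIME]: John's procedure, with the gate.
# usage: build_local_module my-web 01/06/2025 09:53:57
build_local_module() {
    name=$1; shift
    ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR --raw -ts "$@" \
        | audit2allow -M "$name" || return 1
    # what audit2allow knows about booleans and labels for the same records
    ausearch -m AVC,USER_AVC --raw -ts "$@" | audit2allow -w
    if review_rules "$name.te"; then
        semodule -X 300 -i "$name.pp"
    else
        echo "not installing $name.pp: fix labels/booleans first, or edit $name.te and rebuild with checkmodule -M -m -o $name.mod $name.te && semodule_package -o $name.pp -m $name.mod" >&2
        return 1
    fi
}
```

Run `review_rules local_policy.cil` on a hand-written CIL module the same way; the checks are on the rule shape, not on the file format. Against the thread's own module the gate fires on every rule, which is the point: all the init_t rules say a service is running as systemd's domain rather than its own, and the single rule that survives review is the one against postgresql_t, which only makes sense after the socket's owner is back in that domain.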
On Tuesday, January 14, 2025 1:55:36 PM Pacific Standard Time David Sastre Medina via selinux wrote:
There is no need for that. This is supposed to be, amongst many other things, a learning experience for everyone.
Thank you all. People are busy at work. My only remaining problem that I am aware of with SELinux is well documented
* https://phabricator.wikimedia.org/T250763
The GeSHi syntaxhighlight extension on MediaWiki does not work in hardened installations. That is not to mention SELinux specifically. I can't find anything in the audit logs on it either, but the kinds of permissions that are asked for there are definite security concerns on a web server, exactly what SELinux is designed to lock down.
On Tue, Jan 14, 2025 at 5:51 PM justina colmena ~biz via selinux selinux@lists.fedoraproject.org wrote:
On Tuesday, January 14, 2025 1:55:36 PM Pacific Standard Time David Sastre Medina via selinux wrote:
There is no need for that. This is supposed to be, amongst many other things, a learning experience for everyone.
Thank you all. People are busy at work. My only remaining problem that I am aware of with SELinux is well documented
The GeSHi syntaxhighlight extension on MediaWiki does not work in hardened installations. That is not to mention SELinux specifically. I can't find anything in the audit logs on it either, but the kinds of permissions that are asked for there are definite security concerns on a web server, exactly what SELinux is designed to lock down.
T250763 was a Crypto++ bug report. I filed it. It concerned MediaWiki and hardening of PHP, and not SELinux.
I believe the fix for T250763 is to provide an implementation of syntax highlighting in PHP, and not shell-out to external programs.
Web developers have their own views on security. Web folks are trusting and promiscuous, and there is an impedance mismatch between projects like SELinux (and old folks like C programmers).
Jeff
On 13/01/2025 14:09, justina colmena ~biz via selinux wrote:
Why is PostgreSQL running in unconfined_service_t,
I don't think any replies to your message have addressed this. but...
time->Mon Jan 13 13:36:10 2025 type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
I think this is telling you that the socket file context is "system_u:system_r:unconfined_service_t:s0". It doesn't necessarily mean that postgresql is running with that context, though 'ps -o pid,command,context -C postgres' should confirm.
On my system:
# semanage fcontext -l | grep /run/postgresql
/run/postgresql(/.*)?                              all files          system_u:object_r:postgresql_var_run_t:s0
... so figuring out why your socket is labelled incorrectly would be the first thing I'd investigate.
If postgresql was really running as unconfined_service_t then I'd debug the type transition process explained at https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context. Once postgresql is running in the expected context & the socket file has the right label, then I'd resume configuring the system so that processes running as httpd_t can connect to it.
When I try
ps -o pid,command,context -C postgres
I only get the header.
PID COMMAND CONTEXT
The postgresql service uses the command "postmaster," a symbolic link to "postgres" to start the postgres processes on my system.
I had to use:
ps -o pid,command,context -C postmaster
and got:
 PID COMMAND                     CONTEXT
1365 /usr/bin/postmaster -D /var system_u:system_r:postgresql_t:s0
1464 postgres: logger            system_u:system_r:postgresql_t:s0
1485 postgres: checkpointer      system_u:system_r:postgresql_t:s0
1486 postgres: background writer system_u:system_r:postgresql_t:s0
1487 postgres: walwriter         system_u:system_r:postgresql_t:s0
1488 postgres: autovacuum launch system_u:system_r:postgresql_t:s0
1489 postgres: stats collector   system_u:system_r:postgresql_t:s0
1490 postgres: logical replicati system_u:system_r:postgresql_t:s0
The command could change depending on how you start postgresql. I start it as a service and the service uses postmaster.
systemctl status postgresql.service
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; enabled; preset: disabled)
     Active: active (running) since Sun 2025-01-12 16:13:40 EST; 2 days ago
   Main PID: 1365 (postmaster)
      Tasks: 8 (limit: 202619)
     Memory: 93.3M
        CPU: 2min 4.734s
     CGroup: /system.slice/postgresql.service
             ├─1365 /usr/bin/postmaster -D /var/lib/pgsql/data
             ├─1464 "postgres: logger "
             ├─1485 "postgres: checkpointer "
             ├─1486 "postgres: background writer "
             ├─1487 "postgres: walwriter "
             ├─1488 "postgres: autovacuum launcher "
             ├─1489 "postgres: stats collector "
             └─1490 "postgres: logical replication launcher "
John
On 1/15/25 10:43, Sam Morris via selinux wrote:
On 13/01/2025 14:09, justina colmena ~biz via selinux wrote:
Why is PostgreSQL running in unconfined_service_t,
I don't think any replies to your message have addressed this. but...
time->Mon Jan 13 13:36:10 2025 type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
I think this is telling you that the socket file context is "system_u:system_r:unconfined_service_t:s0". It doesn't necessarily mean that postgresql is running with that context, though 'ps -o pid,command,context -C postgres' should confirm.
On my system:
# semanage fcontext -l | grep /run/postgresql
/run/postgresql(/.*)?                              all files          system_u:object_r:postgresql_var_run_t:s0
... so figuring out why your socket is labelled incorrectly would be the first thing I'd investigate.
If postgresql was really running as unconfined_service_t then I'd debug the type transition process explained at https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context. Once postgresql is running in the expected context & the socket file has the right label, then I'd resume configuring the system so that processes running as httpd_t can connect to it.
On Mon, Jan 13, 2025 at 3:27 PM justina colmena ~biz via selinux < selinux@lists.fedoraproject.org> wrote:
Mostly I have been running fedora on a home desktop and laptop for a long time with SELinux enabled, with very minimal workarounds needed. Otherwise I am new to policies etc. I have just enabled SELinux in permissive mode on a web server and followed the instructions here to create a "local_policy.cil" policy module file containing a few simple rules, and install it.
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux#proc_creating-a-local-selinux-policy-module_troubleshooting-problems-related-to-selinux
Why is PostgreSQL running in unconfined_service_t, and what do I need to do to allow php-fpm to connect to it?
Isn't there a boolean for that?
[root@blanco ~]# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
time->Mon Jan 13 13:36:10 2025 type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
...
Do I need a ".cil" rule like this?
(allow httpd_t unconfined_service_t (unix_stream_socket (connectto)))
Hello,
I think that what you need in the first place is to check how the postgresql service is started. Is the binary properly labeled?
systemctl cat postgresql
ls -lZ /usr/bin/postgres
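The triage the last three replies describe (look at the target's label first; find the server's real process context; check the unit's ExecStart and the binary's label), as an added example that is not code from the thread or from the SELinux project. The parsing functions and the verdict words DOMAIN / LABEL / BOOLEAN / RULE are my own; AVC_UNIX is the record posted at the top of the thread, retyped, and AVC_FILE and AVC_PORT are constructed to exercise the other branches. It generalizes the thread's case: for a unix_stream_socket connectto denial the tcontext is the listening socket's label, which a socket inherits from the process that created it, so a tcontext of unconfined_service_t means the server really is running in that domain, and the usual cause is that systemd's ExecStart points at a binary without the *_exec_t label the domain transition needs (a mislabeled /usr/bin/postmaster, or a custom unit running a build under /opt or /usr/local). A tcontext with role object_r, by contrast, is a file, socket file or port, and the fix is normally restorecon or a boolean rather than a rule. service_domain and label_check need the live system (systemctl, ps, ls -Z, matchpathcon); the rest runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread, not SELinux project code): triage one
# AVC record before writing an allow rule. The verdict words and function
# names are my own. AVC_UNIX is the record justina posted, retyped; AVC_FILE
# and AVC_PORT are constructed to exercise the other branches.

AVC_UNIX='type=AVC msg=audit(1736775370.067:3485): avc:  denied  { connectto } for  pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1'
AVC_FILE='type=AVC msg=audit(1736775400.000:3490): avc:  denied  { read } for  pid=1500 comm="smtpd" name="data" dev="dm-0" ino=42 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1'
AVC_PORT='type=AVC msg=audit(1736775500.000:3495): avc:  denied  { name_connect } for  pid=1425 comm="php-fpm" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1'

# avc_field RECORD KEY -> value of KEY=... (quotes stripped), empty if absent
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[ (]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_perms RECORD -> the permission list between "denied {" and "}"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_part CONTEXT N -> field N of user:role:type:level
ctx_part() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# triage_avc RECORD -> one line whose first word is the verdict:
#   DOMAIN  the peer process is in the wrong domain (fix its exec label/unit)
#   LABEL   the object's file label is probably wrong (restorecon, not allow)
#   BOOLEAN a port type is involved; look for a boolean before any rule
#   RULE    both sides look right, so a local rule may really be needed
triage_avc() {
    rec=$1
    perms=$(avc_perms "$rec")
    tclass=$(avc_field "$rec" tclass)
    stype=$(ctx_part "$(avc_field "$rec" scontext)" 3)
    tctx=$(avc_field "$rec" tcontext)
    trole=$(ctx_part "$tctx" 2)
    ttype=$(ctx_part "$tctx" 3)
    obj=$(avc_field "$rec" path)
    [ -n "$obj" ] || obj=$(avc_field "$rec" name)

    if [ "$trole" = object_r ]; then
        # target is an object (file, socket file, port ...), not a process
        case "$ttype" in
        *_port_t)
            printf 'BOOLEAN %s -> %s:%s %s: check "semanage boolean -l | grep %s" and "audit2allow -w" before adding a rule\n' \
                "$stype" "$ttype" "$tclass" "$perms" "${stype%_t}" ;;
        *)
            printf 'LABEL %s -> %s on %s (%s %s): compare "ls -dZ" with "matchpathcon -n", then "restorecon -v" if they differ\n' \
                "$stype" "$ttype" "${obj:-?}" "$tclass" "$perms" ;;
        esac
    else
        # target is a process domain: for sockets that is the peer that
        # created the socket, so it tells you what the *server* runs as
        case "$ttype" in
        unconfined_service_t|init_t|unconfined_t)
            printf 'DOMAIN server behind %s runs as %s, not its own domain: check ExecStart in "systemctl cat <unit>" and "ls -Z" on that binary, restorecon -v it, restart\n' \
                "${obj:-?}" "$ttype" ;;
        *)
            printf 'RULE %s -> %s:%s %s: both sides labelled as expected; a local rule (or a boolean from audit2allow -w) is what is missing\n' \
                "$stype" "$ttype" "$tclass" "$perms" ;;
        esac
    fi
}

# service_domain UNIT -> context of the unit's main process, via MainPID rather
# than guessing the comm name (postmaster vs postgres, as John found above)
service_domain() {
    pid=$(systemctl show -p MainPID --value "$1") || return 1
    [ "${pid:-0}" -gt 0 ] || return 1
    ps -o context= -p "$pid"
}

# label_check PATH -> prints the actual and the policy's expected label;
# returns 1 if they differ (needs the live system: ls -Z and matchpathcon)
label_check() {
    actual=$(ls -dZ "$1" | awk '{print $1}')
    expected=$(matchpathcon -n "$1")
    printf '%s\n  actual:   %s\n  expected: %s\n' "$1" "$actual" "$expected"
    [ "$actual" = "$expected" ]
}

for rec in "$AVC_UNIX" "$AVC_FILE" "$AVC_PORT"; do triage_avc "$rec"; done
```

On the thread's record the verdict is DOMAIN, which matches the direction Sam, John and David all point in: `service_domain postgresql` should print postgresql_t, and `label_check /usr/bin/postmaster` (or whatever `systemctl cat postgresql` shows as ExecStart) should print postgresql_exec_t on both lines; if it does not, restorecon and a restart of the service are the fix, and the (allow httpd_t unconfined_service_t ...) rule should never be installed.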