On Wed, Aug 28, 2019 at 2:34 PM arnaud gaboury <arnaud.gaboury(a)gmail.com>
wrote:
Until a few days ago, my Fedora 29 Atomic host was working perfectly with
SELinux enforced. The server is only a few weeks old with nothing fancy yet
set or installed.
I recently changed my user (gabx) context from the default unconfined to
sysadm_u and ran restorecon.
Here is what I did:
Fresh after install:
--------------------------------------------------
# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
gabx unconfined_u s0-s0:c0.c1023
--------------------------------
Then:
# semanage login -m -s sysadm_u --range s0-s0.c0.c1023
# semanage login -l
gabx sysadm_u s0-s0:c0.c1023 *
# restorecon -RF /home/gabx
# ls -alZ /home/gabx
drwxrwxr-x. 5 gabx gabx sysadm_u:object_r:config_home_t:s0 61 Aug 17 14:42 .config/
drwxrwxr-x. 2 gabx gabx sysadm_u:object_r:user_home_t:s0 6 Aug 21 14:09 hugo/
....
# vim /etc/sudoers.d/gabx
gabx ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /bin/sh
This change may be the root of the problem. I ran a
certbot-letsencrypt container which changed a few file contexts
(container_t): maybe it broke a few things?
I can't load modules.
With the help of ausearch and journalctl, I can identify SELinux messages,
and I can write a *myapp.pp* module. But then:
-----------------------------------
# semodule -i myapp.pp
semodule: Failed on myapp.pp!
-------------------------------
Maybe some audits from the command:
----------------------------------------------------------
# cat /var/log/audit/audit.log | audit2why
.........
type=AVC msg=audit(1566944738.698:4243): avc: denied { write } for pid=6687 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=13688 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1566945464.551:4251): avc: denied { signal } for pid=6665 comm="su" scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
------------------------------------------------------------------
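One way to triage denials like the ones quoted above, as an added example that is not the poster's code and is not part of the original thread: a small Python parser that reads `type=AVC` records in the audit.log format shown in the message, splits the source and target contexts into user/role/type/range, and groups the denied permissions by (source type, target type, object class), rendered in the same `allow` form audit2allow emits. The sample records are constructed; the first two follow the shape of the denials in the message, the SYSCALL line and the last AVC line are purely illustrative.

```python
"""Parse SELinux AVC denial records from audit.log and summarize them per
(source type, target type, object class) so a policy change can be reviewed
before any module is built.  Added example, not code from the original thread."""
import re
from collections import defaultdict

# Constructed sample records: the first two are modelled on the denials quoted
# in the message; the SYSCALL line and the last AVC line are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1566944738.698:4243): avc:  denied  { write } for  pid=6687 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=13688 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
type=AVC msg=audit(1566945464.551:4251): avc:  denied  { signal } for  pid=6665 comm="su" scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1566945464.551:4251): arch=c000003e syscall=62 success=no exit=-13
type=AVC msg=audit(1566945470.001:4260): avc:  denied  { read write } for  pid=7001 comm="vim" path="/etc/sudoers.d/gabx" dev="dm-0" ino=42 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Header of an AVC record: timestamp, serial, decision, permission set, then
# the free-form key=value tail.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type:range and the MLS range itself contains a
    # colon, so split on at most three separators to isolate the type field.
    for side, field in (("scontext", "source_type"), ("tcontext", "target_type")):
        parts = rec.get(side, "").split(":", 3)
        rec[field] = parts[2] if len(parts) >= 3 else None
    return rec


def parse_log(text):
    """All AVC records found in a block of audit.log text, in file order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r is not None]


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for rec in records:
        if rec["decision"] != "denied":
            continue
        key = (rec["source_type"], rec["target_type"], rec.get("tclass"))
        groups[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def format_te_rule(source_type, target_type, tclass, perms):
    """Render one summary entry in the TE allow-rule form audit2allow emits."""
    return f"allow {source_type} {target_type}:{tclass} {{ {' '.join(perms)} }};"


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_AUDIT_LOG))
    for (src, tgt, cls), perms in sorted(summary.items()):
        print(format_te_rule(src, tgt, cls, perms))
```

The grouped view separates the two different things happening in the quoted denials: `sysadm_t` (systemd-sysctl) trying to write a `proc_security_t` file, and `sysadm_su_t` (su) trying to signal a `sysadm_t` process. Each line of the summary is one domain/type pair a module would have to cover, which is easier to sanity-check against what the login and sudoers changes were meant to permit than the raw audit stream is.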