On Wed, Aug 28, 2019 at 2:34 PM arnaud gaboury <arnaud.gaboury@xxxxxxxxx> wrote:
Until a few days ago, my Fedora 29 Atomic host was working perfectly with SELinux enforced. The server is only a few weeks old with nothing fancy yet set or installed.

I recently changed my user (gabx) context from the default unconfined to sysadm_u and ran restorecon. Here is what I did:

Fresh after install:
--------------------------------------------------
# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
gabx unconfined_u s0-s0:c0.c1023
--------------------------------

Then:
# semanage login -m -s sysadm_u --range s0-s0.c0.c1023
# semanage login -l
gabx sysadm_u s0-s0:c0.c1023 *
# restorecon -RF /hone/gabx
# ls -alZ /home/gabx
drwxrwxr-x. 5 gabx gabx sysadm_u:object_r:config_home_t:s0 61 Aug 17 14:42 .config/
drwxrwxr-x. 2 gabx gabx sysadm_u:object_r:user_home_t:s0 6 Aug 21 14:09 hugo/
....
# vim /etc/sudoers.d/gabx
gabx ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /bin/sh

This change may be the root of the problem. I ran a certbot-letsencrypt container which changed a few file contexts (container_t): maybe it broke a few things?

I can't load modules. With the help of ausearch and journalctl, I can identify SELinux messages, and I can write a myapp.pp module. But then:
-----------------------------------
# semodule -i myapp.pp
semodule: Failed on myapp.pp!
-------------------------------
Maybe some audits from the command:
----------------------------------------------------------
# cat /var/log/audit/audit.log | audit2why
.........
type=AVC msg=audit(1566944738.698:4243): avc: denied { write } for pid=6687 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=13688 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1566945464.551:4251): avc: denied { signal } for pid=6665 comm="su" scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
------------------------------------------------------------------
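As an added example (not part of the original post or of any Fedora tool), the script below does the triage step audit2why/audit2allow perform on AVC records like the two quoted above: it parses each denial, groups them by source type, target type and object class, and renders draft allow rules. The sample audit lines are constructed copies of the ones in the mail, and every function name is mine.

```python
import re
from collections import defaultdict

# Constructed sample input: two AVC records in the same shape as the audit.log lines above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1566944738.698:4243): avc: denied { write } for pid=6687 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=13688 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
type=AVC msg=audit(1566945464.551:4251): avc: denied { signal } for pid=6665 comm="su" scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process permissive=0
"""

# Fields of an AVC record: permissions in braces, then scontext/tcontext/tclass, optionally permissive=.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return a dict for one AVC line, or None for non-AVC lines (e.g. audit2why's commentary)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["permissive"] = rec["permissive"] == "1"   # True only if the access was logged, not blocked
    return rec

def domain_type(context):
    """user:role:type[:range] -> type component, e.g. sysadm_u:sysadm_r:sysadm_t:s0 -> sysadm_t."""
    return context.split(":")[2]

def summarize_denials(text):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (domain_type(rec["scontext"]), domain_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return dict(groups)

def te_rules(groups):
    """Render audit2allow-style allow rules from the grouped denials.

    Each rule widens policy (e.g. letting sysadm_t write proc_security_t), so read every one
    before putting it in a .te file; a relabel or a dontaudit may be the better answer.
    """
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]

if __name__ == "__main__":
    for rule in te_rules(summarize_denials(SAMPLE_AUDIT)):
        print(rule)
```

Feed it `ausearch -m avc` output or audit.log directly; lines that are not AVC records are ignored.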
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx