On Sat, Aug 31, 2019 at 7:37 PM arnaud gaboury <arnaud.gaboury@xxxxxxxxx> wrote:
I am running Fedora atomic server 29 and start to see weird behaviors due to SELinux since a few days. I did everything I could to fix issues with audit2allow, sealert and audit2why (logs are empty of alerts). Some issues are still here. One example below:-----------------------------% rpm-ostree status
error: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.90" (uid=0 pid=1731 comm="/usr/bin/rpm-ostree status " label="sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023") interface="org.projectatomic.rpmostree1.Sysroot" member="RegisterClient" error name="(unset)" requested_reply="0" destination="org.projectatomic.rpmostree1" (uid=0 pid=1734 comm="/usr/bin/rpm-ostree start-daemon " label="system_u:system_r:install_t:s0")---------------------------------------------------------------NOTE: I ssh the machine.A few settings if it can help:----------------------gab@poppy➤➤ ~ % id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023gab@poppy➤➤ ~ % semanage login -l
ValueError: SELinux policy is not managed or store cannot be accessed.
root@poppy➤➤ ~ # semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
gab sysadm_u s0-s0:c0.c1023 *
root system_u s0-s0:c0.c1023 *gab@poppy➤➤ ~ % sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31gab@poppy➤➤ ~ # cat /etc/sudoers.d/gab
gab ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALLgab@poppy➤➤ ~ # ls -alZ /etc/sudoers.d/
total 24
drwxr-x---. 2 root root system_u:object_r:etc_t:s0 42 Aug 31 15:05 .
drwxr-xr-x. 90 root root system_u:object_r:etc_t:s0 8192 Aug 31 17:09 ..
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 71 Aug 31 14:42 gab
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 72 Aug 31 15:04 gabx
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 120 Aug 12 11:53 louisNo more alerts:gab@poppy➤➤ ~ % sealert -b
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:
from dbus.mainloop.glib import DBusGMainLoop
DBusGMainLoop(set_as_default=True)
import dbus.glibgab@poppy➤➤ ~ %-----------------------------------------------What can I do to fix the ostree status and more globally fix any SELinux remaing issues. The server has yet to be set up and I don't want to go ahead with lying around issues.
EDIT:
I deleted the mapping of user gab:
------------
# semanage login -d gab
gab@poppy➤➤ ~ % id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Now:
gab@poppy➤➤ ~ % rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
State: idle
AutomaticUpdates: disabled
Deployments:
......
---------------------
Everything is OK. What did I wrong with my mapping? How can I change user gab from unconfined_u to sysadm_u? Or maybe best is to keep gab as unconfined?
Thank you for help.
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
