On 8/31/19 7:49 PM, arnaud gaboury wrote:
>
> On Sat, Aug 31, 2019 at 7:37 PM arnaud gaboury <arnaud.gaboury@xxxxxxxxx <mailto:arnaud.gaboury@xxxxxxxxx>> wrote:
>
> I am running Fedora atomic server 29 and for a few days have been seeing weird behaviors due to SELinux. I did everything I could to fix issues with audit2allow, sealert and audit2why (logs are empty of alerts). Some issues are still here. One example below:
>
> -----------------------------
> % rpm-ostree status
> error: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.90" (uid=0 pid=1731 comm="/usr/bin/rpm-ostree status " label="sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023") interface="org.projectatomic.rpmostree1.Sysroot" member="RegisterClient" error name="(unset)" requested_reply="0" destination="org.projectatomic.rpmostree1" (uid=0 pid=1734 comm="/usr/bin/rpm-ostree start-daemon " label="system_u:system_r:install_t:s0")
> ---------------------------------------------------------------
>
> NOTE: I ssh into the machine.
> A few settings if it can help:
>
> ----------------------
> gab@poppy➤➤ ~ % id -Z
> sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
>
> gab@poppy➤➤ ~ % semanage login -l
> ValueError: SELinux policy is not managed or store cannot be accessed.
>
> root@poppy➤➤ ~ # semanage login -l
>
> Login Name           SELinux User         MLS/MCS Range        Service
>
> __default__          unconfined_u         s0-s0:c0.c1023       *
> gab                  sysadm_u             s0-s0:c0.c1023       *
> root                 system_u             s0-s0:c0.c1023       *
>
> gab@poppy➤➤ ~ % sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Memory protection checking:     actual (secure)
> Max kernel policy version:      31
>
> gab@poppy➤➤ ~ # cat /etc/sudoers.d/gab
>
> gab ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
>
> gab@poppy➤➤ ~ # ls -alZ /etc/sudoers.d/
> total 24
> drwxr-x---.  2 root root system_u:object_r:etc_t:s0        42 Aug 31 15:05 .
> drwxr-xr-x. 90 root root system_u:object_r:etc_t:s0      8192 Aug 31 17:09 ..
> -rw-r--r--.  1 root root unconfined_u:object_r:etc_t:s0    71 Aug 31 14:42 gab
> -rw-r--r--.  1 root root unconfined_u:object_r:etc_t:s0    72 Aug 31 15:04 gabx
> -rw-r--r--.  1 root root unconfined_u:object_r:etc_t:s0   120 Aug 12 11:53 louis
>
> No more alerts:
> gab@poppy➤➤ ~ % sealert -b
> /usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
> Instead, use this sequence:
>
>   from dbus.mainloop.glib import DBusGMainLoop
>   DBusGMainLoop(set_as_default=True)
>
>   import dbus.glib
> gab@poppy➤➤ ~ %
> -----------------------------------------------
>
> What can I do to fix the ostree status and, more globally, fix any remaining SELinux issues? The server has yet to be set up and I don't want to go ahead with issues lying around.
>
>
> EDIT:
>
> I deleted the mapping of user gab:
> ------------
> # semanage login -d gab
> gab@poppy➤➤ ~ % id -Z
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> Now:
> gab@poppy➤➤ ~ % rpm-ostree status
> State: idle
> AutomaticUpdates: disabled
> Deployments:
> ......
> ---------------------
>
> Everything is OK.
>
> What did I do wrong with my mapping? How can I change user gab from unconfined_u to sysadm_u? Or maybe best is to keep gab as unconfined?
>

Hi,

Could you please put SELinux into permissive mode for testing purposes:

# setenforce 0

Add the mapping for user gab (sysadm_u) as you did, logout/login, try to reproduce the issue and attach the output from:

# ausearch -m AVC,USER_AVC -ts boot

Thanks,
Lukas.

>
> Thank you for help.
>
>
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx

--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
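As an added example (not code from the thread, rpm-ostree or dbus), a small Python parser that pulls the two process contexts out of the dbus-daemon denial string quoted above. It makes visible that the blocked check is between the sysadm_t client (gab's shell, via the sysadm_u mapping) and the install_t rpm-ostree daemon over the bus, which is the pair of types to look for in the ausearch output Lukas asks for. SAMPLE is the denial text copied from the thread.

```python
import re

# Constructed sample input: the dbus-daemon denial quoted in the thread above
# (rpm-ostree status run by gab while gab was mapped to sysadm_u).
SAMPLE = (
    'An SELinux policy prevents this sender from sending this message to this '
    'recipient, 0 matched rules; type="method_call", sender=":1.90" (uid=0 pid=1731 '
    'comm="/usr/bin/rpm-ostree status " label="sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023") '
    'interface="org.projectatomic.rpmostree1.Sysroot" member="RegisterClient" '
    'error name="(unset)" requested_reply="0" destination="org.projectatomic.rpmostree1" '
    '(uid=0 pid=1734 comm="/usr/bin/rpm-ostree start-daemon " '
    'label="system_u:system_r:install_t:s0")'
)

LABEL_RE = re.compile(r'label="([^"]+)"')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
RULES_RE = re.compile(r'(\d+) matched rules')


def split_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range is absent on non-MLS policies."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not a SELinux context: {ctx!r}')
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'range': parts[3] if len(parts) == 4 else ''}


def parse_dbus_denial(msg):
    """Extract both labels and the method from a dbus-daemon SELinux denial.
    dbus-daemon prints the sender's label first and the destination's second;
    the check it performs is between those two process types, not against a file."""
    labels = LABEL_RE.findall(msg)
    if len(labels) != 2:
        raise ValueError('expected exactly one sender and one destination label')
    fields = dict(KV_RE.findall(msg))  # duplicate keys (comm, label) keep the last value
    rules = RULES_RE.search(msg)
    return {
        'sender': split_context(labels[0]),
        'destination': split_context(labels[1]),
        'interface': fields.get('interface', ''),
        'member': fields.get('member', ''),
        'bus_name': fields.get('destination', ''),
        'matched_rules': int(rules.group(1)) if rules else None,
    }


def summarize(info):
    """One line naming the source type, target type and D-Bus method that was blocked."""
    return (f"{info['sender']['type']} -> {info['destination']['type']}: "
            f"{info['interface']}.{info['member']} (bus name {info['bus_name']})")
```

Running `summarize(parse_dbus_denial(SAMPLE))` gives `sysadm_t -> install_t: org.projectatomic.rpmostree1.Sysroot.RegisterClient (bus name org.projectatomic.rpmostree1)`, the same two types that should appear as scontext and tcontext in the USER_AVC records once the mapping is restored in permissive mode.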