Hi,
Can you please provide SELinux denials you see in audit log?
Also, please try to restore labels to make sure filesystem is correctly
labeled:
# restorecon -RFv /
Thanks,
Lukas.
On 9/3/20 7:54 PM, Cătălin George Feștilă wrote:
> I have last update and default SELinux install, but I got many syntax errors for mlsconstrain. Any idea ? Thank you.
> [root@desk mythcat]# uname -a
> Linux desk 5.8.4-200.fc32.x86_64 #1 SMP Wed Aug 26 22:28:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>
> ausearch -c 'updatedb' --raw | audit2allow -M my-updatedb
> compilation failed:
> my-updatedb.te:25:ERROR 'syntax error' at token 'mlsconstrain' on line 25:
> # mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
> mlsconstrain dir { search } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> ...
> [root@desk mythcat]# ausearch -c 'ausearch' --raw | audit2allow -M my-ausearch
> compilation failed:
> my-ausearch.te:28:ERROR 'syntax error' at token 'mlsconstrain' on line 28:
> mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1 == mlsfilewritetoclr -Fail-) and (h1 dom l2 -Fail-) and (l1 domby l2) or (t2 == mlsfilewriteinrange -Fail-) and (l1 dom l2 -Fail-) an
> # mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == mlsfilereadtoclr -Fail-) and (h1 dom l2 -Fail-) or (t1 == mlsfileread -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> ...
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>
--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
