Robert,
Also, if you set selinux to be permissive=1, your application will go through and you may get a group of denied messages in your /var/log/audit/audit.log one time.
Then you update your policy based on the audit.log and set selinux back to enforcing mode (permissive=0).
---henry
On Fri, Jun 9, 2023 at 8:49 AM Henry Zhang <henryzhang62@xxxxxxxxx> wrote:
Robert, based on your audit.log message, the new policy should be
allow nut_upsmon_t user_tmp_t:fifo_file getattr
Your policy:
allow nut_upsmon_t nut_upsmon_t:fifo_file { append getattr ioctl lock open read write };
The destination type should be user_tmp_t instead of nut_upsmon_t.
Normally, after updating your policy, your operation should go through.
---henry
On Thu, Jun 8, 2023 at 2:49 PM Robert Nichols <rnicholsNOSPAM@xxxxxxxxxxx> wrote:
On 6/8/23 16:12, Henry Zhang wrote:
> Robert,
>
> If your application fails due to selinux policy, you could check /var/log/audit/audit.log.
> If the audit.log contains denial, please post or attach the log here.
> It should show what kind of policy your application needed in order to execute it.
>
> ---henry
Since you asked, see below. I really don't want to allow a nut_upsmon_t process to write to any user_tmp_t file. That's adding unnecessary privilege. The right solution is to give the FIFO a label that allows the access. I used sesearch to find out what target types would be appropriate, and found:
allow nut_upsmon_t nut_upsmon_t:fifo_file { append getattr ioctl lock open read write };
Note that the error is for "getattr", not "write". The script is checking that the name refers to a FIFO before writing to it. The same problem would occur for a "write" attempt.
chcon fails when trying to set that context on the FIFO, and when it tries I see a message that nut_upsmon_t is not a valid file type. What is it, then? Perhaps valid on a FIFO but not on an ordinary file?? The above "allow" rule shows what I need, but there is no way to set it.
SELinux is preventing /usr/bin/bash from getattr access on the fifo_file /tmp/.alertFIFO2.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that bash should be allowed getattr access on the .alertFIFO2 fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'UPS-alert' --raw | audit2allow -M my-UPSalert
# semodule -X 300 -i my-UPSalert.pp
Additional Information:
Source Context system_u:system_r:nut_upsmon_t:s0
Target Context unconfined_u:object_r:user_tmp_t:s0
Target Objects /tmp/.alertFIFO2 [ fifo_file ]
Source UPS-alert
Source Path /usr/bin/bash
Port <Unknown>
Host omega-3x.local
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-117.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-117.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name omega-3x.local
Platform Linux omega-3x.local 4.18.0-477.13.1.el8_8.x86_64
#1 SMP Tue May 30 22:15:39 UTC 2023 x86_64 x86_64
Alert Count 4
First Seen 2023-06-08 16:32:07 CDT
Last Seen 2023-06-08 16:32:17 CDT
Local ID 87bfa152-e72e-4bff-872e-2ccd882f0d48
Raw Audit Messages
type=AVC msg=audit(1686259937.20:17430): avc: denied { getattr } for pid=860169 comm="UPS-alert" path="/tmp/.alertFIFO2" dev="tmpfs" ino=19804366 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0
Hash: UPS-alert,nut_upsmon_t,user_tmp_t,fifo_file,getattr
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
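The raw AVC record in Robert's message is what `audit2allow` turns into the `allow` rule Henry gives. As an added example (not code from anyone in this thread, nor from audit2allow itself), this Python script performs the same derivation on the record from the thread plus a constructed follow-on `write` denial, merging them into one rule the way audit2allow does, so the rule's scope (every user_tmp_t fifo_file, which is the over-privilege Robert objects to) can be read before any module is built.

```python
import re
from collections import defaultdict

# Fields an AVC "denied" record carries that audit2allow needs for a rule:
# the permission set, source/target contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class) triple."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        # The target is a type, so the rule covers every fifo_file labelled
        # ttype on the system, not only the path named in the record.
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules

# Constructed sample: the getattr denial quoted in the thread plus the write
# denial the script would hit next (the second record is made up here).
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1686259937.20:17430): avc: denied { getattr } for pid=860169 '
    'comm="UPS-alert" path="/tmp/.alertFIFO2" dev="tmpfs" ino=19804366 '
    'scontext=system_u:system_r:nut_upsmon_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0',
    'type=AVC msg=audit(1686259938.10:17431): avc: denied { write } for pid=860169 '
    'comm="UPS-alert" path="/tmp/.alertFIFO2" dev="tmpfs" ino=19804366 '
    'scontext=system_u:system_r:nut_upsmon_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0',
]
```

Calling `allow_rules(SAMPLE_AUDIT)` yields `allow nut_upsmon_t user_tmp_t:fifo_file { getattr write };`, which makes the type-wide grant visible; relabelling the single FIFO, as Robert prefers, keeps the policy unchanged instead.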