Robert,
You can use following command to find out which policy you are missingaudit2allow -r -i /var/log/audit/audit.log > new_policy.txt
---henry
On Fri, Jun 9, 2023 at 10:00 AM Robert Nichols <rnicholsNOSPAM@xxxxxxxxxxx> wrote:
Thanks for your suggestion, but this FIFO is for passing messages back to a program running in my desktop session to display notifications via dbus. My user program would not be able to access anything in /var/run nut. Also, it does not appear that the existing policy allows nut_upsmon_t to write to a nut_var_run_t:fifo_file.
# ls -ld /var/run nut
drwxrwx---. 2 root dialout 140 2023-06-02 22:48:02 /var/run/nut
# sesearch -A -s nut_upsmon_t -p write | grep fifo_file
allow daemon crond_t:fifo_file { append getattr ioctl lock read write };
allow daemon initrc_domain:fifo_file { append getattr ioctl lock read write };
allow daemon initrc_transition_domain:fifo_file { append getattr ioctl lock read write };
allow domain abrt_t:fifo_file { append getattr ioctl lock read write };
allow domain crond_t:fifo_file { append getattr ioctl lock read write };
allow domain rpm_script_tmp_t:fifo_file { append getattr ioctl lock read write };
allow domain rpm_transition_domain:fifo_file { append getattr ioctl lock read write };
allow domain sshd_t:fifo_file { append getattr ioctl lock read write };
allow domain system_cronjob_t:fifo_file { append getattr ioctl lock read write };
allow domain var_run_t:fifo_file write;
allow nut_upsmon_t initctl_t:fifo_file { append getattr ioctl lock open read write };
allow nut_upsmon_t nut_upsmon_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ fips_mode ]:True
allow nut_upsmon_t nut_upsmon_t:fifo_file { append getattr ioctl lock open read write };
allow nut_upsmon_t systemd_passwd_var_run_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write };
But, I have found a solution in that sesearch output. Running "chcon -t initctl_t .alertFIFO" allows the nut_upsmon_t process to use the FIFO, and my unconfined user process can read from it.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
On 6/9/23 11:03, Trevor Hemsley wrote:
> Hi
>
> You appear to be running an el8 (clone) and on my Rocky Linux 8 system I ran
>
> [root@rhel8 ~]# semanage fcontext -l | grep nut_
> /etc/ups(/.*)? all files system_u:object_r:nut_conf_t:s0
> /sbin/upsdrvctl regular file system_u:object_r:nut_upsdrvctl_exec_t:s0
> /usr/lib/systemd/system/nut.* regular file system_u:object_r:nut_unit_file_t:s0
> /usr/sbin/blazer_usb regular file system_u:object_r:nut_upsdrvctl_exec_t:s0
> /usr/sbin/upsd regular file system_u:object_r:nut_upsd_exec_t:s0
> /usr/sbin/upsdrvctl regular file system_u:object_r:nut_upsdrvctl_exec_t:s0
> /usr/sbin/upsmon regular file system_u:object_r:nut_upsmon_exec_t:s0
> /var/run/nut(/.*)? all files system_u:object_r:nut_var_run_t:s0
>
> I am wondering if your problem would just go away if you moved your FIFO under /var/run/nut where it would automatically be assigned nut_var_run_t
>
> Or not! :-)
>
> Trevor
>
> On 08/06/2023 20:03, Robert Nichols wrote:
>> SELinux is not allowing me to set the needed context on a FIFO that will be written by a nut_upsmon_t process. Runnin sesearch to find suitable types yields:
>> allow nut_upsmon_t nut_upsmon_t:fifo_file { append getattr ioctl lock open read write };
>> But, when I try to run "chcon -t nut_upsmon_t /path/to/fifo" I get "permission denied" and an SELinux alert than complains
>> If you want to change the label of .alertFIFO2 to nut_upsmon_t, you are not allowed to since it is not a valid file type.
>> Then you must pick a valid file label.
>> Do
>> select a valid file type. List valid file labels by executing:
>> # seinfo -afile_type -x
>> That returns info for files, not FIFOs.
>>
>> Once again, SELinux is causing me more problems than any virus would.
>> _______________________________________________
>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
