This procedure will probably silence AVC denials, but may or may not result in a correct policy.
The reason is stated in e.g.:
"When systems run SELinux in permissive mode, users and processes might label various file-system objects incorrectly."
"Be careful when the tool suggests using the audit2allow tool for configuration changes. You should not use audit2allow to generate a local policy module as your first option when you see an SELinux denial."
"Simply accepting the output from audit2allow [here] would result in an incorrect and overly permissive rule."
It used to be common practice to generate policy from the Reference Policy, to make use of existing interfaces whenever possible. (man audit2allow, -R).
OP is using CIL. Admittedly, I haven't tried to use both -R and -C.
On Tue, Jan 14, 2025 at 9:47 PM John Griffiths via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
I think you may be going about this the hard way.
Are you using the setroubleshoot packages?
setroubleshoot.x86_64
setroubleshoot-plugins.noarch
setroubleshoot-server.x86_64
They provide sealert and some other tools for analyzing AVCs and writing local policies.
The original policy module doesn't need to be replaced. It can just be augmented.
When I need to write or add to a policy, I put selinux in permissive mode, make note of the time, run the program and exercise it.
Then I put selinux back in enforcing mode.
Then I run:
ausearch -ts 01/06/2025 09:53:57 --raw | audit2allow -M my-moduleName
Substitute your date and time for above. The module name just needs to be something you recognize. I always preface the package with "my-" so I can search on my policy modules.
The command will produce a te file and a pp file.
You install the my-moduleName.pp file using:
semodule -X 300 -i my-moduleName.pp
Your new policy is now installed and selinux is using it.
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
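Added example, not code from either poster: a small POSIX shell wrapper around the ausearch | audit2allow -M ... ; semodule -X 300 -i procedure from John's message, with the review step the reply above argues for inserted between generating the .te and installing the .pp. The list of permissions treated as "look at this twice" (SUSPECT_PERMS), the type name myapp_t, the module name my-sample, the function names and the sample .te content are all this example's own assumptions; the sample .te is constructed to resemble audit2allow output and is not real output from any system.

```shell
#!/bin/sh
# Example wrapper (not from the thread) for: generate a local module with
# audit2allow -M, review the .te before installing, then semodule -X 300 -i.

# Assumption of this example: permissions/attributes in a generated .te that
# should be reviewed by hand rather than installed as-is.
SUSPECT_PERMS='dac_override|dac_read_search|execmem|execmod|sys_admin|sys_module|sys_ptrace|unconfined|mmap_zero'

# count_allow_rules FILE: number of allow rules in a .te file.
count_allow_rules() {
    grep -cE '^[[:space:]]*allow ' "$1" || true
}

# review_te FILE: print every allow rule; return 1 if any rule grants a
# permission from SUSPECT_PERMS, 0 if the module looks narrow.
review_te() {
    te="$1"
    grep -E '^[[:space:]]*allow ' "$te" || true
    if grep -E "^[[:space:]]*allow .*[ {]($SUSPECT_PERMS)[ ;}]" "$te" >/dev/null; then
        echo "review: $te grants broad permissions; try an interface (audit2allow -R) or a narrower rule" >&2
        return 1
    fi
    return 0
}

# build_module NAME DATE TIME: the procedure from the post, with review_te
# between audit2allow -M and semodule -i. DATE/TIME as in: 01/06/2025 09:53:57
build_module() {
    name="$1"; since_date="$2"; since_time="$3"
    ausearch -ts "$since_date" "$since_time" --raw | audit2allow -M "$name" || return 1
    if review_te "$name.te"; then
        semodule -X 300 -i "$name.pp"
    else
        echo "not installing $name.pp; edit $name.te and rebuild the .pp first" >&2
        return 1
    fi
}

# make_sample_te FILE: constructed sample resembling audit2allow -M output
# (this example's own content, not real output).
make_sample_te() {
    cat > "$1" <<'EOF'
module my-sample 1.0;

require {
    type myapp_t;
    type var_log_t;
    class file { open read write };
    class capability dac_override;
}

#============= myapp_t ==============
allow myapp_t var_log_t:file { open read write };
allow myapp_t self:capability dac_override;
EOF
}

# Offline demonstration on the constructed sample; on a real host you would
# call: build_module my-moduleName 01/06/2025 09:53:57
tmp=$(mktemp -d)
make_sample_te "$tmp/my-sample.te"
if review_te "$tmp/my-sample.te"; then
    echo "my-sample looks narrow enough to install"
else
    echo "my-sample needs manual review before semodule -i"
fi
rm -rf "$tmp"
```

The wrapper keeps John's procedure intact (same ausearch -ts window, same -M module name, same -X 300 priority) and only refuses to run semodule -i when the generated .te contains one of the listed permissions, which is exactly the "overly permissive rule" case the quoted documentation warns about; the sample .te in the block trips the check on its dac_override line.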