F17 Development Forum: The proper place for all things "F17." This section has been archived since F17 reached final release.

26th May 2012, 02:53 PM
Registered User
Join Date: Dec 2007
Posts: 207

Selinux problems again?
I have selinux on permissive and I keep getting a lot, a lot of detected problems, sometimes 30, and I have worked my way thru them several times but they keep coming back. I use the suggestion from the notify admin where it says
allow this access for now by executing:
# grep sendmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
But the problems reappear: Selinux avc denial. I can't be expected to go thru this all the time, I would end up doing nothing else. I did have selinux switched off at one point. I have 3.3.7-1.fc17.x86_64. Between selinux and abrt I am being hassled big time. I do like the idea of protection but this has been going on for years. Do I really need these 2 programs since I am the only one using the computer?

26th May 2012, 03:01 PM
Registered User
Join Date: Feb 2009
Posts: 67

Re: Selinux problems again?
Well, if you had selinux turned off for some time, you most probably have some mislabelled files and directories. You should do a "touch /.autorelabel" and reboot. Then your problems should go away, as f17 policy isn't too bad, I'd say. It's good to have selinux active, even if you are the only person using the machine. I use selinux in enforcing mode, and don't have problems.
Klaus

26th May 2012, 03:17 PM
Registered User
Join Date: Nov 2004
Location: here
Posts: 597

Re: Selinux problems again?
Quote: "I did have selinux switched off at one point"

First thing after I boot up a new system is disable selinux and don't use LVM. Two things I want no hassle with.

26th May 2012, 04:45 PM
Registered User
Join Date: Dec 2007
Posts: 207

Re: Selinux problems again?
Klaus, thanks for the reply. I did that and rebooted, went thru 'Recreate Volatile Files and Dirs' on boot. But I got 35 selinux problems. How come it says in the Selinux alert browser
"
If you believe that dbus-daemon should be allowed getattr access on the 1.ref fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dbus-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp"
I have gone thru all problems with above but doesn't seem to do any good. I notice at the bottom of the Notify Admin alert
"Hash: dbus-daemon,system_dbusd_t,systemd_logind_sessions_t,fifo_file,getattr
audit2allowunable to open /sys/fs/selinux/policy: Permission denied
audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied"

26th May 2012, 05:09 PM
Registered User
Join Date: Feb 2009
Posts: 67

Re: Selinux problems again?
Ok, first thing, you have to create (or at least insert) policies as root. Also, your log files might not be readable for the normal user. So root necessary, too...
I don't know where this 1.ref file comes from. You might have installed some app that is selinux ignorant and puts files somewhere where they are not expected. It might be interesting if you post the denials "in the clear", i.e. you only use:
grep dbus-daemon /var/log/audit/audit.log
and paste the output
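
Added example (not part of the original post): a small Python triage script for raw denials of the kind requested above. It groups AVC records by the same fields as the alert's "Hash:" line and marks targets typed unlabeled_t or file_t as relabel candidates, which is a heuristic assumed here; the log lines are constructed, and the paths, PIDs, inode numbers and timestamps in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread). The dbus-daemon fields follow
# the "Hash:" line quoted earlier; paths, pids, inodes and timestamps are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1338046380.101:201): avc:  denied  { getattr } for  pid=612 comm="dbus-daemon" path="/run/example/1.ref" dev="tmpfs" ino=9001 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file
type=AVC msg=audit(1338046385.220:202): avc:  denied  { getattr } for  pid=612 comm="dbus-daemon" path="/run/example/1.ref" dev="tmpfs" ino=9001 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file
type=AVC msg=audit(1338046391.417:203): avc:  denied  { read search } for  pid=1440 comm="smbd" name="example" dev="sda2" ino=7002 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1338046391.417:203): arch=c000003e syscall=4 success=no exit=-13 comm="smbd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

# Target types meaning "no valid label", typical after running with SELinux disabled.
RELABEL_TYPES = {"unlabeled_t", "file_t"}


def selinux_type(context):
    """Return the type field (third colon-separated part) of a security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip SYSCALL and other non-AVC records
        for perm in m.group("perms").split():
            counts[(m.group("comm"), selinux_type(m.group("scon")),
                    selinux_type(m.group("tcon")), m.group("tclass"), perm)] += 1
    return counts


def advice(key):
    """Heuristic: an unlabeled target calls for a relabel, not a policy module."""
    return "relabel" if key[2] in RELABEL_TYPES else "review"


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {','.join(key)}  -> {advice(key)}")
```

Reading the real log requires root, as noted in the post above; the "review" result means the denial should be understood before any module is generated with audit2allow.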

26th May 2012, 05:14 PM
Registered User
Join Date: Dec 2007
Posts: 207

Re: Selinux problems again?
Ah I think that might be the case. I was trying Dr Web, because I need to check some files I downloaded for viruses. I removed it and did the relabel and rebooted and it looks like I have no denials so far after reboot.

26th May 2012, 09:18 PM
Fedora QA Community Monkey
Join Date: Dec 2008
Location: Vancouver, BC
Posts: 3,832

Re: Selinux problems again?
In general, you do have to assume that if you install third party apps or run a public server, you're going to have to do some adjustment of SELinux policies. That's not really a flaw in SELinux, because...it's a security mechanism. It's just like if you run a public server you have to manually configure your firewall carefully, to allow only the minimum necessary amount of access. SELinux by default locks down stuff you might actually want to do if you're really running a mailserver or whatever, because if you _aren't_ running one you don't want that stuff to be allowed. So if you are, you have to carefully allow the specific actions you want. For common use cases like a mail/web server, you'll be able to find guides and docs quite easily with Google.

26th May 2012, 10:47 PM
Registered User
Join Date: Feb 2009
Posts: 67

Re: Selinux problems again?
Also necessary to mention is that many (most?) apps from the fedora repository do have corresponding policies in selinux-targeted. As I said before, I'm running enforcing, with a few tweaks for non fedora apps.

27th May 2012, 01:01 AM
Administrator
Join Date: Aug 2009
Posts: 6,620

Re: Selinux problems again?
I'm running with selinux set to enforcing and targeted here, and have no issues with it.
There are a few things, though..
1: You said you have selinux set to permissive, so the warnings you get are just that.. warnings.. selinux isn't preventing anything from running if it is in permissive mode.
2: As Iklaus mentioned, if you have ever run with selinux disabled, then you need to completely relabel your filesystem. Any files created, etc... while selinux was disabled will not have proper contexts defined.
3: As Adam mentioned, if you install third party applications, then you may have to create your own selinux policies for those applications. Fedora doesn't read your mind and include policies for applications that you might install that aren't in the Fedora repos.
4: The selinux messages you are getting tell you exactly what to do to fix the problem if you wish to allow the application to have the access that it is trying to get. Just follow the directions in the messages.
5: Any other problems?

27th May 2012, 01:50 AM
Registered User
Join Date: Dec 2007
Posts: 207

Re: Selinux problems again?
Thanks everyone. I have no messages for some time now. I might try enforcing if I can get Samba to work properly so my media player can access shares which I had running ok on f16.

27th May 2012, 02:00 AM
Administrator
Join Date: Aug 2009
Posts: 6,620

Re: Selinux problems again?
To get samba to work properly with selinux, read your /etc/samba/smb.conf file. It tells you everything you need to set samba and selinux up to work together.
copied from /etc/samba/smb.conf:
Code:
# Note: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
# and groupadd family of binaries. Run the following command as the root user to
# turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------

29th May 2012, 09:02 PM
Registered User
Join Date: Oct 2008
Posts: 326

Re: Selinux problems again?
I too was having SELinux problems. Here is a solution: yum remove selinux* then reboot. Solves the problems for good.

30th May 2012, 05:08 AM
Registered User
Join Date: Feb 2009
Posts: 67

Re: Selinux problems again?
Which is not the "officially supported" solution :-)