PDA

View Full Version : [SOLVED] SE Linux question



expat42451
24th July 2017, 05:27 AM
Fedora 25 latest updates (as of Jul24 0400GT) including 4.8.6-300.fc25.x86 64 on an Asus Tuf Z270 MB. The only other thing that has alarmed SE Linux to this point is Eset AV. After booting from the kernel install I got this

SELinux is preventing systemd-cgroups from read access on the shared memory Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-cgroups should be allowed read access on the Unknown shm by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-cgroups' --raw | audit2allow -M my-systemdcgroups
# semodule -X 300 -i my-systemdcgroups.pp

Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:system_r:unconfined_service_t:s0
Target Objects Unknown [ shm ]
Source systemd-cgroups
Source Path systemd-cgroups
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.18.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.8.6-300.fc25.x86_64
#1 SMP Tue Nov 1 12:36:38 UTC 2016 x86_64 x86_64
Alert Count 248
First Seen 2017-07-23 12:24:47 -05
Last Seen 2017-07-23 23:15:10 -05
Local ID 5a2a7c4f-ef45-444b-a77a-bce07e40695f

Raw Audit Messages
type=AVC msg=audit(1500869710.876:1017): avc: denied { read } for pid=6064 comm="systemd-cgroups" key=839152194 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=1


Hash: systemd-cgroups,init_t,unconfined_service_t,shm,read


and wondered if this is cause for alarm. I am new to Fedora, running 25 in a production environment and 26 on another drive on the same machine. I had to go to permissive mode to allow the Eset AV install and am under the impression that for the Eset Real time file protection system to operate I need to stay in permissive.

Any help or suggestions would be very much appreciated.

Regards and thanks to the forum members here for their expertise and help.

smr54
24th July 2017, 10:53 AM
SELinux can often be problematic, hence the frequent tutorials that start with "Disable SELinux," though that's bad practice.

You can usually get it to work with anything. https://wiki.centos.org/HowTos/SELinux gives a nice guide on using audit2allow to find the problem and fix it.

expat42451
25th July 2017, 01:26 AM
Hello smr54

Thanks very much for taking the time, and the courtesy in pointing me to this guide. I did not find it in my Duck Duck go search earlier.

Warmest Regards.

smr54
25th July 2017, 10:27 AM
Glad to help. :)