Default SELinux user mapping changed in F26?

Ge Zhang
2nd September 2017, 05:17 AM
In previous versions (e.g. F23 and F24), the default mapping between Linux users and SELinux users includes three lines:

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

But in F26, the default mapping changed to (two lines):

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *

The system_u line disappeared. I would appreciate it if anyone could tell me whether this is an intentional change in F26 or a problem with my own installation.

Currently, I do have some F26 SELinux problems that I had not encountered in previous Fedora versions (I do not know whether these problems have anything to do with this user mapping change). For example, I have to set SELinux to permissive mode to run RStudio Server. There are many SELinux-related permission issues:

One example error message in /var/log/messages:

# grep error /var/log/messages | tail -1
Sep 1 23:17:08 zzz rsession-xxxx[29432]: ERROR system error 13 (Permission denied) [path=/home/xxxx/.rstudio/sdb/s-3C48DD63/lock_file]; OCCURRED AT: void rstudio::core::FilePath::setLastWriteTime(time_t) const /root/rstudio/src/cpp/core/FilePath.cpp:570; LOGGED FROM: void rstudio::core::FilePath::setLastWriteTime(time_t) const /root/rstudio/src/cpp/core/FilePath.cpp:570

One example SELinux alert:

SELinux is preventing rserver from write access on the sock_file xxxx-d.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rserver should be allowed write access on the xxxx-d sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'rserver' --raw | audit2allow -M my-rserver
# semodule -X 300 -i my-rserver.pp

Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:tmp_t:s0
Target Objects xxxx-d [ sock_file ]
Source rserver
Source Path rserver
Port <Unknown>
Host zzz
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-260.6.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name zzz
Platform Linux zzz 4.12.8-300.fc26.x86_64 #1 SMP Thu Aug 17 15:30:20 UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-09-02 00:02:25 EDT
Last Seen 2017-09-02 00:02:25 EDT
Local ID 4bccb1f7-6e9c-4a05-867f-3ab5ed90f1dc

Raw Audit Messages
type=AVC msg=audit(1504324945.114:2192): avc: denied { write } for pid=29387 comm="rserver" name="xxxx-d" dev="tmpfs" ino=578265 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1

Hash: rserver,init_t,tmp_t,sock_file,write
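The two artifacts quoted in the post, the `semanage login -l` table and the raw AVC record, are both easy to parse programmatically, which helps when checking several machines for the missing system_u mapping or when triaging a batch of denials. The script below is an added example written for this page, not code from the poster or from Fedora/setroubleshoot. The sample strings are copied from the post's own output; the field order used for the alert key follows the "Hash:" line of the alert above, and the handling of multi-permission records is this script's own assumption.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Sample input, copied from the post's F26 `semanage login -l` output
# (embedded here as a string so the script runs offline).
SEMANAGE_LOGIN_F26 = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""

# Sample input, copied from the post's "Raw Audit Messages" section.
AVC_SAMPLE = (
    'type=AVC msg=audit(1504324945.114:2192): avc: denied { write } for pid=29387 '
    'comm="rserver" name="xxxx-d" dev="tmpfs" ino=578265 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 '
    'tclass=sock_file permissive=1'
)

# The three login mappings the post reports on F23/F24.
EXPECTED_LOGINS = ("__default__", "root", "system_u")


def parse_login_mappings(text: str) -> Dict[str, str]:
    """Return {login name: SELinux user} from `semanage login -l` output.

    The header line and blank lines are skipped; only the first two
    columns are needed for the comparison the post is making.
    """
    mappings: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "Login":
            continue
        mappings[parts[0]] = parts[1]
    return mappings


def missing_logins(mappings: Dict[str, str]) -> List[str]:
    """List expected login entries that are absent from the mapping table."""
    return [name for name in EXPECTED_LOGINS if name not in mappings]


AVC_RE = re.compile(
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\).*?"
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one raw AVC record into its security-relevant fields.

    Returns None for records that are not AVC messages (e.g. type=SYSCALL).
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:range]; the type is what policy rules key on.
    source_type = fields["scontext"].split(":")[2]
    target_type = fields["tcontext"].split(":")[2]
    return {
        "decision": m.group("decision"),
        "permissions": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "source_type": source_type,
        "target_type": target_type,
        "tclass": fields.get("tclass"),
        "target_name": fields.get("name"),
        # permissive=1 means the access was logged but NOT blocked; in enforcing
        # mode the same denial would have returned EACCES to the process.
        "permissive": fields.get("permissive") == "1",
        "time_utc": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc)
        .strftime("%Y-%m-%d %H:%M:%S"),
    }


def alert_key(avc: dict) -> str:
    """Build the comm,source_type,target_type,tclass,permission tuple that the
    "Hash:" line of the post's setroubleshoot alert shows. Assumption: a record
    with several permissions is joined with commas here as well."""
    return ",".join([avc["comm"], avc["source_type"], avc["target_type"],
                     avc["tclass"], *avc["permissions"]])


if __name__ == "__main__":
    logins = parse_login_mappings(SEMANAGE_LOGIN_F26)
    print("login mappings:", logins)
    print("missing vs F23/F24:", missing_logins(logins))
    avc = parse_avc(AVC_SAMPLE)
    print("AVC:", avc)
    print("alert key:", alert_key(avc))
```

On the post's data the script reports system_u as the only missing login and reconstructs the key rserver,init_t,tmp_t,sock_file,write from the raw record; the audit timestamp 1504324945.114 decodes to 2017-09-02 04:02:25 UTC, which is the 00:02:25 EDT "First Seen" value in the alert. The permissive flag is worth surfacing in any triage output, since it tells you whether a logged denial actually affected the process.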