courage (n00b)
Joined: 22 May 2007 Posts: 38
Posted: Wed May 24, 2017 8:23 pm    Post subject: [SOLVED] Can't change context label (SELinux)
Hello!
I have set up Hardened Gentoo with SELinux.
I basically used these guides:
https://wiki.gentoo.org/wiki/SELinux/Installation
https://wiki.gentoo.org/wiki/Hardened_Gentoo
(did it all on a fresh install, selecting a hardened profile at the beginning)
After a while I noticed this:
Code:
[    8.694689] audit: type=1400 audit(1495656549.961:13): avc:  denied  { unlink } for  pid=3710 comm="quotacheck" name="aquota.user" dev="md124" ino=12 scontext=system_u:system_r:quota_t tcontext=system_u:object_r:default_t tclass=file permissive=1
(md124 is /home)
Of course aquota.user does not have the right context label.
But I can't seem to change the context label on any file or directory:
Code:
semanage fcontext -a -t quota_db_t "/home/aquota.group"
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/semanage", line 933, in <module>
    do_parser()
  File "/usr/lib/python-exec/python2.7/semanage", line 912, in do_parser
    args.func(args)
  File "/usr/lib/python-exec/python2.7/semanage", line 364, in handleFcontext
    OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 1933, in add
    self.__add(target, type, ftype, serange, seuser)
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 1929, in __add
    self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
NameError: global name 'audit' is not defined
Somehow I managed to get the right context label (this might have fixed it: https://support.plesk.com/hc/en-us/articles/115001143725-Disk-user-quota-is-disabled-after-system-reboot-due-to-SELinux).
But 'semanage fcontext -a -t var_t "/var/www"' gives the same error, so I can't change any context labels.
Now, there was a problem with the SELinux installation; that is why I switched to Python 2.7, because I remembered that a long time ago SELinux was not working with Gentoo and newer Python.
I was not able to execute this: "semanage login -a -s staff_u john"
After switching to Python 2.7 I was able to execute it, but I think that could have caused much deeper problems, like now.
Any help is much appreciated!
[EDIT]
It seems that by default the SELinux profile does not set all needed USE flags.
I did not want to figure out which exactly but I have a hunch that this is required:
Code:
# /etc/portage/package.use/audit
sys-process/audit python
But I did take the ugly way and added "audit" flag to /etc/portage/make.conf
After rebuilding all packages (emerge --update --changed-use --deep @world) that have this USE flag, setting context labels started working.
Maybe a bug?
Hope this will help someone else too!
[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]
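The failure in this post has a recognisable shape: seobject.py guards `import audit` with a try/except, so a missing Python binding does not surface as an ImportError at startup but as a NameError the first time `semanage` actually writes a change (fcontext, login, ...). The script below is an added example, not code from the post or from the SELinux userspace tools. It parses that NameError out of a traceback and reports which Python bindings the interpreter cannot import, rendered as package.use lines. The mapping for sys-libs/libselinux and sys-libs/libsemanage is an assumption (the post only confirms sys-process/audit[python]); the embedded traceback is the one quoted in the post, included as constructed sample input.

```python
"""Check which Python bindings semanage's seobject.py can see, and explain a
NameError traceback like the one in the post.

Added example, not part of the original post or of the SELinux userspace
tools. Module -> Gentoo package/USE mapping is an assumption; only the audit
entry is confirmed by the post. Run it with the same interpreter that
/usr/lib/python-exec/python*/semanage uses, since bindings are per-interpreter.
"""
import re
import sys

# Assumed mapping of Python modules used by seobject.py to the Gentoo package
# and USE flag that installs them. Verify with `equery uses <package>`.
BINDINGS = {
    "selinux": ("sys-libs/libselinux", "python"),
    "semanage": ("sys-libs/libsemanage", "python"),
    "audit": ("sys-process/audit", "python"),   # confirmed by the post
}

# Python 2 says "global name 'x'", Python 3 says "name 'x'"; accept both.
NAMEERROR_RE = re.compile(r"NameError: (?:global )?name '(\w+)' is not defined")

# Constructed sample input: the traceback quoted in the post, trimmed to the
# lines the parser needs.
SAMPLE_TRACEBACK = """Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 1929, in __add
    self.mylog.log_change("resrc=fcontext op=add %s ..." % (audit.audit_encode_nv_string("tglob", target, 0), ...))
NameError: global name 'audit' is not defined
"""


def module_from_traceback(text):
    """Return the undefined name from a NameError traceback, or None."""
    m = NAMEERROR_RE.search(text)
    return m.group(1) if m else None


def missing_bindings(available=None):
    """Return [(module, package, useflag)] for bindings that cannot be imported.

    `available` is a set of module names for offline testing; when None, the
    running interpreter is probed with __import__ (works on Python 2 and 3).
    """
    missing = []
    for mod, (pkg, flag) in BINDINGS.items():
        if available is not None:
            present = mod in available
        else:
            try:
                __import__(mod)
                present = True
            except ImportError:
                present = False
        if not present:
            missing.append((mod, pkg, flag))
    return sorted(missing)


def package_use_lines(missing):
    """Render the package.use lines that would install the missing bindings."""
    return ["%s %s" % (pkg, flag) for _mod, pkg, flag in missing]


def diagnose(traceback_text, available=None):
    """Tie a NameError traceback to the binding it points at.

    Returns the package.use lines for that binding if it really is missing,
    [] if the name is one of the known bindings but imports fine (look
    elsewhere), and None if the NameError is unrelated to these bindings.
    """
    mod = module_from_traceback(traceback_text)
    if mod is None or mod not in BINDINGS:
        return None
    hits = [m for m in missing_bindings(available) if m[0] == mod]
    return package_use_lines(hits)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACEBACK
    result = diagnose(text)
    if result:
        print("missing binding; add to /etc/portage/package.use and rebuild:")
        for line in result:
            print("  " + line)
    elif result == []:
        print("binding imports fine in this interpreter; check which python "
              "semanage is running under")
    else:
        print("no NameError for a known binding in the input")
    for mod, pkg, flag in missing_bindings():
        print("cannot import %s (%s[%s])" % (mod, pkg, flag))
```

Pipe the real traceback in (`semanage fcontext -a -t var_t /var/www 2>&1 | python check.py`) with the interpreter semanage itself runs under; a binding that imports fine under one Python and not another is exactly the situation the post describes after switching to Python 2.7, and rebuilding with the USE flag set is what installs it for the interpreter in use.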