Gentoo Forums
Hardened SELinux: how to resolve denials?
Forum: Networking & Security
Shiru (n00b), Joined: 20 Oct 2014, Posts: 63

Posted: Tue Aug 17, 2021 3:30 am    Post subject: Hardened SELinux: how to resolve denials?

Hello guys,

I read the documentation and tutorials on the Gentoo Wiki but still, it's really hard for me to understand the way to resolve avc denials.

First question:
Setting the SELINUX variable to permissive gave me a lot of denials in dmesg. Following the tutorials, I thought that setting up SELinux for the first time should automatically avoid those denials. I was wrong, but I wonder why I have tons of denials.

Second question:
Setting the SELINUX variable to enforcing, I was unable to log in on a tty the first time, but now I can. My display manager (lightdm) cannot run. In the tty, it says that it's already running (weird). I looked at dmesg and here are the denials related to xdm (lightdm).

Code:
[   33.408231] audit: type=1400 audit(1629168773.668:83): avc:  denied  { search } for  pid=2391 comm="lightdm" name=".cache" dev="sda4" ino=39321604 scontext=system_u:system_r:xdm_t tcontext=root:object_r:xdg_cache_t tclass=dir permissive=1
[   33.447963] audit: type=1107 audit(1629168773.708:84): pid=1426 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=ListSeats dest=org.freedesktop.login1 spid=2391 tpid=1455 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:initrc_t tclass=dbus permissive=1
[   33.448257] audit: type=1107 audit(1629168773.708:85): pid=1426 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2 spid=1455 tpid=2391 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:xdm_t tclass=dbus permissive=1
[  128.433353] audit: type=1400 audit(1629168868.693:241): avc:  denied  { net_admin } for  pid=2593 comm="lightdm" capability=12  scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=capability permissive=1


Even though I can see those types of errors, I am still unable to resolve them by myself. I don't want to give up on Hardened SELinux, so if someone can give their time to me, I would greatly appreciate it.

Shiru
alamahant (Advocate), Joined: 23 Mar 2019, Posts: 3875

Posted: Tue Aug 17, 2021 8:58 am

The reason this is happening is because SELinux behaves, as it should, as the mean nanny.
There are three ways to manage SELinux denials:
1. Use SELinux booleans
Code:

getsebool -a                                  # list all booleans and their current state
setsebool [-P] <boolean-name> <true|false>    # -P makes the change persistent across reboots

2. Via changing the file context (fcontext)
Code:

semanage fcontext -l                                  # list the current file context rules
semanage fcontext -a -t <context_type> <file|directory>   # add a rule for the path
restorecon -R <file|directory>                        # apply the labels to the files on disk

semanage can also be used for ports.
Ports and fcontext are the most common usages of semanage.
3. Create policy modules to deal with denials
Code:

ausearch -m AVC | audit2allow -M my_policy    # build a module from the logged denials (without -a, audit2allow reads stdin)
semodule -i my_policy.pp                      # load the compiled module

In Fedora there is a wonderful package, setroubleshoot-server, that advises the user on the proper action to take to resolve denials.
Unfortunately this is not available in Gentoo.
Maybe it should be, by all means.
If you plan to use a DE, just avoid SELinux, or set it to permissive.
For a headless server it is okay-ish.
_________________
:)
Shiru (n00b), Joined: 20 Oct 2014, Posts: 63

Posted: Mon Aug 23, 2021 1:56 pm
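As an added example (not code from either poster), the following Python triages the AVC lines quoted in the first post along the three approaches listed in the reply above: it parses each denial, including the type=1107 D-Bus records that wrap the AVC text in msg='...', groups them by source domain, target type and object class, and prints either a labelling check (approach 2) or the TE allow rule audit2allow would build (approach 3). The FILE_CLASSES heuristic and the hint wording are assumptions of this example; the sample log is the one from the thread, embedded so it runs offline.

```python
import re
from collections import defaultdict

# Constructed sample: the four denials quoted in the first post of this thread.
SAMPLE_DMESG = """\
[   33.408231] audit: type=1400 audit(1629168773.668:83): avc:  denied  { search } for  pid=2391 comm="lightdm" name=".cache" dev="sda4" ino=39321604 scontext=system_u:system_r:xdm_t tcontext=root:object_r:xdg_cache_t tclass=dir permissive=1
[   33.447963] audit: type=1107 audit(1629168773.708:84): pid=1426 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=ListSeats dest=org.freedesktop.login1 spid=2391 tpid=1455 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:initrc_t tclass=dbus permissive=1
[   33.448257] audit: type=1107 audit(1629168773.708:85): pid=1426 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2 spid=1455 tpid=2391 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:xdm_t tclass=dbus permissive=1
[  128.433353] audit: type=1400 audit(1629168868.693:241): avc:  denied  { net_admin } for  pid=2593 comm="lightdm" capability=12  scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=capability permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Heuristic (assumption): denials on these classes are often a wrong label (approach 2), not a missing rule.
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}

def parse_avc(line):
    """Return one denial as a dict, or None if the line carries no AVC denial."""
    m = AVC_RE.search(line)           # search, not match: type=1107 lines bury it in msg='...'
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"perms": tuple(m.group("perms").split()), "tclass": kv["tclass"],
            "stype": kv["scontext"].split(":")[2],   # source domain, e.g. xdm_t
            "ttype": kv["tcontext"].split(":")[2]}   # target type, e.g. xdg_cache_t

def allow_rule(stype, ttype, tclass, perms):
    """TE allow rule for the denial, in the form audit2allow prints (approach 3)."""
    target = "self" if ttype == stype else ttype
    perm = " ".join(sorted(perms))
    perm = perm if len(perms) == 1 else "{ " + perm + " }"
    return f"allow {stype} {target}:{tclass} {perm};"

def triage(text):
    """Group denials by (source, target, class) and return one suggestion line per group."""
    groups = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    out = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        rule = allow_rule(stype, ttype, tclass, perms)
        if tclass in FILE_CLASSES:   # check the label before writing a rule that allows it
            rule = f"verify label {ttype} with ls -Z; relabel if wrong, else {rule}"
        out.append(f"{stype} -> {ttype} ({tclass}): {rule}")
    return out

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_DMESG)))
```

On a real system, replace SAMPLE_DMESG with the output of `ausearch -m AVC` or `dmesg`; anything the script turns into an allow rule is exactly what the reply's approach 3 would load with semodule, so read each rule before doing so.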

Hey alamahant,

Thank you for your reply and sorry for being late.
You are right: it sounds difficult with a desktop. Since I am really new to it, I will install a headless Gentoo on a VM. I really need to understand how SELinux works.

Thanks again for your information.

Shiru