niderecha n00b
Joined: 10 Nov 2024 Posts: 13
Posted: Sun Nov 10, 2024 11:31 pm Post subject: help with selinux on a fresh gentoo
Hi. I'm new to selinux, and I'm trying to make it work (enforcing, strict) on an empty and fresh gentoo with profile
Code:
[34] default/linux/amd64/23.0/no-multilib/hardened/selinux/systemd (stable) *
and a minimal set of utilities. There are a few problems I don't understand, it starts with NetworkManager:
Code:
Nov 10 23:14:26 gentoo systemd[1]: Starting Network Manager...
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.619:200): avc: denied { search } for pid=1249 comm="(kManager)" name="pressure" dev="proc" ino=4026532062 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_psi_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo NetworkManager[1249]: <info> [1731280466.6466] NetworkManager (version 1.46.0-r1) is starting... (after a restart, boot:b5e02538-4d3f-4629-b718-22043a4494f5)
Nov 10 23:14:26 gentoo NetworkManager[1249]: <info> [1731280466.6466] Read config: /etc/NetworkManager/NetworkManager.conf (lib: 31-mac-addr-change.conf)
Nov 10 23:14:26 gentoo NetworkManager[1249]: <info> [1731280466.6488] manager[0x55dd42195770]: monitoring kernel firmware directory '/lib/firmware'.
Nov 10 23:14:26 gentoo NetworkManager[1249]: <error> [1731280466.6488] session-monitor: failed to create systemd-logind monitor: -13
Nov 10 23:14:26 gentoo dbus-daemon[885]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.32' (uid=0 pid=1249 comm="/usr/sbin/NetworkManager --no-daemon" label="system_u:system_r:NetworkManager_t")
Nov 10 23:14:26 gentoo systemd[1]: Starting Hostname Service...
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.643:201): avc: denied { watch } for pid=1249 comm="NetworkManager" path="/run/systemd/seats" dev="tmpfs" ino=86 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.673:202): avc: denied { search } for pid=1255 comm="(ostnamed)" name="pressure" dev="proc" ino=4026532062 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_psi_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo (ostnamed)[1255]: systemd-hostnamed.service: Failed to set up mount namespacing: /proc: Permission denied
Nov 10 23:14:26 gentoo (ostnamed)[1255]: systemd-hostnamed.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-hostnamed: Permission denied
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.689:203): avc: denied { mounton } for pid=1255 comm="(ostnamed)" path="/run/systemd/mount-rootfs/proc" dev="zfs" ino=881 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0
What is the right thing to do about the very first error?
Code:
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.619:200): avc: denied { search } for pid=1249 comm="(kManager)" name="pressure" dev="proc" ino=4026532062 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_psi_t tclass=dir permissive=0
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 90
niderecha n00b
Joined: 10 Nov 2024 Posts: 13
Posted: Mon Nov 11, 2024 9:09 am Post subject:
Thanks. I've been following the wiki, but I still have to wrap my head around it.
This is not a desktop, it should be a server running a web server, php, database and not much else. I'm a bit confused because from the first error it looks like I need to give init_t more power, and this is messing with the base system which should already have sane defaults...
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 90
Posted: Mon Nov 11, 2024 10:50 pm Post subject:
niderecha wrote:
    the base system which should already have sane defaults...
Sane default policies may have different meanings depending on the environment. So you'll have to set custom policies.
About your log:
- Some warnings do not necessarily block a program. The search permission may in some cases be one of them.
Besides, network-manager with its multiple hooks may not be the best way to prevent warnings.
- You have an AVC message with unlabeled_t. SELinux is based on file labels, so you have to clean that up before. I think something was wrong during your installation. Try to relabel: https://wiki.gentoo.org/wiki/SELinux/Installation#Relabel
niderecha n00b
Joined: 10 Nov 2024 Posts: 13
Posted: Thu Nov 14, 2024 8:32 pm Post subject:
Thanks! I relabeled the system (although I thought I had done it before) and replaced networkmanager with systemd-networkd, hopefully it is simpler.
The first error messages are:
Code:
Nov 14 19:55:29 gentoo kernel: audit: type=1400 audit(1731614129.280:3): avc: denied { setattr } for pid=1 comm="systemd" name="chr" dev="tmpfs" ino=11 scontext=system_u:system_r:init_t tcontext=system_u:object_r:init_runtime_t tclass=chr_file permissive=1
Nov 14 19:55:29 gentoo kernel: audit: type=1400 audit(1731614129.280:4): avc: denied { setattr } for pid=1 comm="systemd" name="blk" dev="tmpfs" ino=12 scontext=system_u:system_r:init_t tcontext=system_u:object_r:init_runtime_t tclass=blk_file permissive=1
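Editor's note, not part of any post in this thread: nicop's reply above gives the two questions to ask of each AVC record (is the target unlabeled_t, in which case it is a labeling problem to fix by relabeling; and does the denial actually block anything), and the records in this last post add a third field worth reading, permissive=1, which in a kernel AVC record means the denial was logged but the access was still allowed. The script below is an added example (not code from the thread, the Gentoo wiki, or any SELinux tool) that parses the AVC lines quoted in this thread and sorts them into those three buckets. The bucket names and the SAMPLE_LOG constant are this example's own; the parsing logic is generic for kernel "avc: denied" records, so it also works on the output of `journalctl -k` or `ausearch -m avc` from a real host.

```python
"""Triage SELinux AVC denials from a journal dump.

Added example for this thread; not code from the original posts or from
Gentoo.  Each parsed "avc: denied" record is put into one of three buckets:

  relabel    - tcontext type is unlabeled_t: a file-labeling problem, fixed
               by relabeling the filesystem rather than by writing policy
  audit-only - permissive=1: the denial was logged but the access was still
               allowed (permissive mode, or a permissive domain)
  enforced   - permissive=0: the access was actually refused

The parser is generic; only SAMPLE_LOG is specific to this thread.
"""
import re
from collections import Counter

# Kernel AVC record shape: avc: denied { perm [perm ...] } for key=value ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the six AVC lines quoted in this thread, plus one unrelated
# NetworkManager line to show that non-AVC journal output is skipped.
SAMPLE_LOG = """\
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.619:200): avc: denied { search } for pid=1249 comm="(kManager)" name="pressure" dev="proc" ino=4026532062 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_psi_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo NetworkManager[1249]: <error> [1731280466.6488] session-monitor: failed to create systemd-logind monitor: -13
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.643:201): avc: denied { watch } for pid=1249 comm="NetworkManager" path="/run/systemd/seats" dev="tmpfs" ino=86 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:object_r:systemd_sessions_runtime_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.673:202): avc: denied { search } for pid=1255 comm="(ostnamed)" name="pressure" dev="proc" ino=4026532062 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_psi_t tclass=dir permissive=0
Nov 10 23:14:26 gentoo kernel: audit: type=1400 audit(1731280466.689:203): avc: denied { mounton } for pid=1255 comm="(ostnamed)" path="/run/systemd/mount-rootfs/proc" dev="zfs" ino=881 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=0
Nov 14 19:55:29 gentoo kernel: audit: type=1400 audit(1731614129.280:3): avc: denied { setattr } for pid=1 comm="systemd" name="chr" dev="tmpfs" ino=11 scontext=system_u:system_r:init_t tcontext=system_u:object_r:init_runtime_t tclass=chr_file permissive=1
Nov 14 19:55:29 gentoo kernel: audit: type=1400 audit(1731614129.280:4): avc: denied { setattr } for pid=1 comm="systemd" name="blk" dev="tmpfs" ino=12 scontext=system_u:system_r:init_t tcontext=system_u:object_r:init_runtime_t tclass=blk_file permissive=1
"""


def ctx_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def classify(rec):
    """Bucket a parsed record as relabel / audit-only / enforced."""
    if ctx_type(rec.get("tcontext", "")) == "unlabeled_t":
        return "relabel"
    if rec.get("permissive") == "1":
        return "audit-only"
    return "enforced"


def triage(log_text):
    """Parse every AVC denial in log_text; return (records, count per bucket)."""
    records = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rec["kind"] = classify(rec)
            records.append(rec)
    return records, Counter(rec["kind"] for rec in records)


def describe(rec):
    """One-line summary: source type -> target type class perms [bucket]."""
    return "%s -> %s %s %s [%s]" % (
        ctx_type(rec.get("scontext", "?")),
        ctx_type(rec.get("tcontext", "?")),
        rec.get("tclass", "?"),
        ",".join(rec["perms"]),
        rec["kind"],
    )


if __name__ == "__main__":
    records, counts = triage(SAMPLE_LOG)
    for rec in records:
        print(describe(rec))
    print(dict(counts))
```

Run against the thread's own lines, the relabel bucket holds exactly the mounton denial on unlabeled_t that nicop pointed at, the two setattr records from this post land in audit-only because of permissive=1, and the remaining three are the enforced denials from the first post.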