Gentoo Archives: gentoo-user

From: Dan Egli <dan@×××××××××××.site>
To: gentoo-user@l.g.o
Subject: [gentoo-user] SELinux errors
Date: Mon, 26 Apr 2021 02:08:10
Message-Id: f193c2c8-99c4-1fc8-8928-8c51ee9a6dc8@newideatest.site
I just finished putting together a new test box after the old one finally gave up
the ghost. Everything seems to be working okay, EXCEPT for selinux. To
be safe, I started with selinux in permissive mode. And I'm glad I did
because of all the errors showing up for things that had BETTER not show
errors. Things like auth, sshd, etc...

Here's a sample of the errors I'm seeing

Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:485): avc:  denied  { getattr } for  pid=8100 comm="auth" path="/etc/mysql/mariadb.d" dev="vda1" ino=271985181 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_etc_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:486): avc:  denied  { search } for  pid=8100 comm="auth" name="mysqld" dev="tmpfs" ino=160 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_runtime_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:487): avc:  denied  { write } for  pid=8100 comm="auth" name="mysqld.sock" dev="tmpfs" ino=161 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_runtime_t tclass=sock_file permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:488): avc:  denied  { connectto } for pid=8100 comm="auth" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:490): avc:  denied  { create } for  pid=8172 comm="smbd" name="8172" scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:491): avc:  denied  { read write open } for pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:492): avc:  denied  { lock } for  pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.444:493): avc:  denied  { unlink } for  pid=8175 comm="smbd" name="8175" dev="tmpfs" ino=670 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:38:35 jupiter kernel: audit: type=1400 audit(1619401115.314:494): avc:  denied  { connectto } for pid=4350 comm="apache2" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:httpd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:39:44 jupiter kernel: audit: type=1400 audit(1619401184.815:495): avc:  denied  { read } for  pid=8450 comm="smbd" name="lock" dev="vda1" ino=492466 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=lnk_file permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:496): avc:  denied  { write } for  pid=8852 comm="lpqd" name="msg.lock" dev="tmpfs" ino=516 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:497): avc:  denied  { remove_name } for pid=8852 comm="lpqd" name="8852" dev="tmpfs" ino=697 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:498): avc:  denied  { sendto } for  pid=5984 comm="lpqd" path="/var/lib/samba/private/msg.sock/5797" scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:499): avc:  denied  { sendto } for  pid=5984 comm="lpqd" path="/var/lib/samba/private/msg.sock/5919" scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:winbind_t tclass=unix_dgram_socket permissive=1
Apr 25 19:42:12 jupiter kernel: audit: type=1400 audit(1619401332.945:500): avc:  denied  { add_name } for pid=8865 comm="smbd" name="8865" scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:501): avc:  denied  { read } for  pid=9056 comm="winbindd" name="lock" dev="vda1" ino=492466 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=lnk_file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:502): avc:  denied  { search } for  pid=9056 comm="winbindd" name="lock" dev="tmpfs" ino=454 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:503): avc:  denied  { getattr } for  pid=9056 comm="winbindd" path="/run/lock/samba" dev="tmpfs" ino=462 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:504): avc:  denied  { write } for  pid=9056 comm="winbindd" name="msg.lock" dev="tmpfs" ino=516 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:505): avc:  denied  { add_name } for pid=9056 comm="winbindd" name="9056" scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:506): avc:  denied  { create } for  pid=9056 comm="winbindd" name="9056" scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:507): avc:  denied  { read write open } for pid=9056 comm="winbindd" path="/run/lock/samba/msg.lock/9056" dev="tmpfs" ino=709 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:508): avc:  denied  { lock } for  pid=9056 comm="winbindd" path="/run/lock/samba/msg.lock/9056" dev="tmpfs" ino=709 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 audit(1619402411.709:509): avc:  denied  { search } for  pid=10897 comm="sshd" name="root" dev="vda1" ino=996517 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=dir permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 audit(1619402411.709:510): avc:  denied  { read } for  pid=10897 comm="sshd" name="authorized_keys" dev="vda1" ino=272988282 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=file permissive=1

First thing I tried was restorecon. I did restorecon -r / to ensure that
the entire directory tree was updated correctly. The errors above are
AFTER restorecon. I am using the targeted policy right now. I figured
it would work for the first tests and I could upgrade to strict later.
But if I can't even get targeted to work correctly, then I'm really in
trouble.

Any tips?

--
Dan Egli
From my Test Server
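Added example, not part of the post above and not code from the SELinux userland: a small Python triage script run over a constructed subset of the records quoted in the mail, kept in their mail-wrapped form so the script has to re-join them first. It groups the denials the way audit2allow would (source domain, target type, object class, union of permissions) and then sorts the groups by what the target type says, because two things in this log argue against writing allow rules for them. `default_t` on the `root` directory and on `authorized_keys` is the type a path carries when no file_contexts spec matches it, so `restorecon` leaves it alone and the question is which path that directory is and why no spec matched. And `tcontext=...:initrc_t` on a `connectto` or `sendto` denial is the domain of the process at the other end of the socket, so the MariaDB and Samba processes listening on `/run/mysqld/mysqld.sock` and `msg.sock/5797` are themselves still running in the init-script domain rather than in `mysqld_t` or `smbd_t`; allowing `dovecot_auth_t` and `httpd_t` to talk to `initrc_t` would paper over that. The verdict strings and the `GENERIC_TYPES` list are my own heuristics, not policy output.

```python
# Added example, not from the post or the SELinux userland: group AVC denials
# from a permissive-mode log and say which ones point at a labeling bug.
import re
from collections import defaultdict

# Constructed sample: four of the posted records, kept in the line-wrapped
# form in which the mail client delivered them.
SAMPLE_LOG = """\
Apr 25 19:36:09 jupiter kernel: audit: type=1400
audit(1619400969.224:486): avc:  denied  { search } for  pid=8100
comm="auth" name="mysqld" dev="tmpfs" ino=160
scontext=system_u:system_r:dovecot_auth_t
tcontext=system_u:object_r:mysqld_runtime_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400
audit(1619400969.224:488): avc:  denied  { connectto } for pid=8100
comm="auth" path="/run/mysqld/mysqld.sock"
scontext=system_u:system_r:dovecot_auth_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400
audit(1619401010.244:491): avc:  denied  { read write open } for
pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs"
ino=669 scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400
audit(1619402411.709:510): avc:  denied  { read } for  pid=10897
comm="sshd" name="authorized_keys" dev="vda1" ino=272988282
scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t
tclass=file permissive=1
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Generic types a service-private path should normally not carry (my own
# list for this triage, not something the policy exports).
GENERIC_TYPES = {"var_lock_t", "var_run_t", "var_t", "tmp_t", "etc_t", "usr_t"}


def unwrap(text):
    """Re-join records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_avc(record):
    """Return the key=value fields of one denial plus a 'perms' set, or None."""
    m = AVC.search(record)
    if not m:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(m.group("rest"))}
    fields["perms"] = frozenset(m.group("perms").split())
    return fields


def type_of(context):
    """'system_u:object_r:default_t' -> 'default_t' (an MLS range, if present, is ignored)."""
    return context.split(":")[2]


def summarize(text):
    """(source domain, target type, class) -> union of denied permissions."""
    summary = defaultdict(set)
    for record in unwrap(text):
        d = parse_avc(record)
        if d:
            summary[(type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])] |= d["perms"]
    return dict(summary)


def triage(summary):
    """Per group: would an allow rule close a policy gap, or hide a labeling bug?"""
    verdicts = {}
    for key in summary:
        src, tgt, cls = key
        if tgt == "default_t":
            verdicts[key] = "unlabeled path: no file_contexts spec matched it, so relabel, do not allow"
        elif tgt == "initrc_t" and cls.startswith("unix_"):
            verdicts[key] = "peer process still runs in initrc_t: the service never entered its own domain"
        elif tgt in GENERIC_TYPES:
            verdicts[key] = "generic type on a service path: compare with matchpathcon before allowing"
        else:
            verdicts[key] = "service-specific target: check booleans, then consider a local module"
    return verdicts


def allow_rules(summary):
    """audit2allow-style rules; only meaningful for the last verdict class above."""
    return sorted(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
                  for (src, tgt, cls), perms in summary.items())


for key, verdict in triage(summarize(SAMPLE_LOG)).items():
    print(key, "->", verdict)
```

The same script works on `dmesg` or `/var/log/audit/audit.log` output directly, since unbroken records pass through `unwrap` unchanged; only groups that land in the last verdict class are candidates for `allow_rules`, and those rules should still be reviewed against the existing policy before being loaded as a module.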