I just finished putting in a new test box after the old one finally gave up
the ghost. Everything seems to be working okay, EXCEPT for selinux. To
be safe, I started with selinux in permissive mode. And I'm glad I did,
because of all the errors showing up for things that had BETTER not show
errors. Things like auth, sshd, etc.

Here's a sample of the errors I'm seeing:

Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:485): avc: denied { getattr } for pid=8100 comm="auth" path="/etc/mysql/mariadb.d" dev="vda1" ino=271985181 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_etc_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:486): avc: denied { search } for pid=8100 comm="auth" name="mysqld" dev="tmpfs" ino=160 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_runtime_t tclass=dir permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:487): avc: denied { write } for pid=8100 comm="auth" name="mysqld.sock" dev="tmpfs" ino=161 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:mysqld_runtime_t tclass=sock_file permissive=1
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:488): avc: denied { connectto } for pid=8100 comm="auth" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:490): avc: denied { create } for pid=8172 comm="smbd" name="8172" scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:491): avc: denied { read write open } for pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:492): avc: denied { lock } for pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.444:493): avc: denied { unlink } for pid=8175 comm="smbd" name="8175" dev="tmpfs" ino=670 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:38:35 jupiter kernel: audit: type=1400 audit(1619401115.314:494): avc: denied { connectto } for pid=4350 comm="apache2" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:httpd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:39:44 jupiter kernel: audit: type=1400 audit(1619401184.815:495): avc: denied { read } for pid=8450 comm="smbd" name="lock" dev="vda1" ino=492466 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=lnk_file permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:496): avc: denied { write } for pid=8852 comm="lpqd" name="msg.lock" dev="tmpfs" ino=516 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:497): avc: denied { remove_name } for pid=8852 comm="lpqd" name="8852" dev="tmpfs" ino=697 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:498): avc: denied { sendto } for pid=5984 comm="lpqd" path="/var/lib/samba/private/msg.sock/5797" scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket permissive=1
Apr 25 19:42:00 jupiter kernel: audit: type=1400 audit(1619401320.875:499): avc: denied { sendto } for pid=5984 comm="lpqd" path="/var/lib/samba/private/msg.sock/5919" scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:winbind_t tclass=unix_dgram_socket permissive=1
Apr 25 19:42:12 jupiter kernel: audit: type=1400 audit(1619401332.945:500): avc: denied { add_name } for pid=8865 comm="smbd" name="8865" scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:501): avc: denied { read } for pid=9056 comm="winbindd" name="lock" dev="vda1" ino=492466 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=lnk_file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:502): avc: denied { search } for pid=9056 comm="winbindd" name="lock" dev="tmpfs" ino=454 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:503): avc: denied { getattr } for pid=9056 comm="winbindd" path="/run/lock/samba" dev="tmpfs" ino=462 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:504): avc: denied { write } for pid=9056 comm="winbindd" name="msg.lock" dev="tmpfs" ino=516 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:505): avc: denied { add_name } for pid=9056 comm="winbindd" name="9056" scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=dir permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:506): avc: denied { create } for pid=9056 comm="winbindd" name="9056" scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:507): avc: denied { read write open } for pid=9056 comm="winbindd" path="/run/lock/samba/msg.lock/9056" dev="tmpfs" ino=709 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:44:31 jupiter kernel: audit: type=1400 audit(1619401471.206:508): avc: denied { lock } for pid=9056 comm="winbindd" path="/run/lock/samba/msg.lock/9056" dev="tmpfs" ino=709 scontext=system_u:system_r:winbind_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 audit(1619402411.709:509): avc: denied { search } for pid=10897 comm="sshd" name="root" dev="vda1" ino=996517 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=dir permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 audit(1619402411.709:510): avc: denied { read } for pid=10897 comm="sshd" name="authorized_keys" dev="vda1" ino=272988282 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=file permissive=1

First thing I tried was restorecon. I did restorecon -r / to ensure that
the entire directory tree was updated correctly. The errors above are
AFTER restorecon. I am using the targeted policy right now. I figured
it would work for the first tests and I could upgrade to strict later.
But if I can't even get targeted to work correctly, then I'm really in
trouble.

Any tips?

-- 
Dan Egli
From my Test Server
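A small triage script for a log like the one in the post, added here as an illustration and not part of the original message or of any SELinux tool. It parses kernel AVC denials, pulls out the source and target types, and sorts each denial into one of three buckets that point at different fixes: a target labelled default_t or unlabeled_t (the object carries only the catch-all label, so the labelling, not the policy, is the first thing to check), a peer process still in initrc_t (the daemon on the other end of the socket never transitioned into its own domain), or a denial between two correctly labelled domains (which needs a boolean or a local policy module). The bucket names and the classification rules are assumptions of this example; the sample lines are four of the denials quoted above, rejoined onto single lines. It uses only the Python standard library.

```python
"""Group and triage SELinux AVC denials from a kernel/audit log (added example)."""
import re
from collections import defaultdict

# Constructed sample input: four records copied from the post above, each
# rejoined onto one line the way the kernel originally emitted it.
SAMPLE_LOG = """\
Apr 25 19:36:09 jupiter kernel: audit: type=1400 audit(1619400969.224:488): avc: denied { connectto } for pid=8100 comm="auth" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 19:36:50 jupiter kernel: audit: type=1400 audit(1619401010.244:491): avc: denied { read write open } for pid=8172 comm="smbd" path="/run/lock/samba/msg.lock/8172" dev="tmpfs" ino=669 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_lock_t tclass=file permissive=1
Apr 25 19:38:35 jupiter kernel: audit: type=1400 audit(1619401115.314:494): avc: denied { connectto } for pid=4350 comm="apache2" path="/run/mysqld/mysqld.sock" scontext=system_u:system_r:httpd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
Apr 25 20:00:11 jupiter kernel: audit: type=1400 audit(1619402411.709:510): avc: denied { read } for pid=10897 comm="sshd" name="authorized_keys" dev="vda1" ino=272988282 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:default_t tclass=file permissive=1
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = frozenset(m.group("perms").split())
    # The third colon-separated component of a context is its type (e.g. sshd_t).
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) > 2 else ""
    # permissive=1 means the access was logged but still allowed.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def triage(rec):
    """Classify a denial by what its labels say about the likely root cause (heuristic, assumed here)."""
    ttype, tclass = rec["tcontext_type"], rec.get("tclass", "")
    if ttype in ("default_t", "unlabeled_t"):
        # Object carries only the catch-all label or none: check file contexts first.
        return "relabel"
    if ttype == "initrc_t" and tclass in ("unix_stream_socket", "unix_dgram_socket", "process"):
        # The peer process never left initrc_t, so its domain transition did not happen.
        return "peer-domain"
    # Both sides carry their expected types: a real policy gap (boolean or local module).
    return "policy"


def summarize(log_text):
    """Group denials by (source type, target type, class) with the union of denied permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set(), "triage": ""})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["scontext_type"], rec["tcontext_type"], rec.get("tclass", ""))]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["comms"].add(rec.get("comm", "?"))
        g["triage"] = triage(rec)
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        perms = " ".join(sorted(g["perms"]))
        print(f"{g['count']:>3}  {src:<16} -> {tgt:<14} {cls:<20} "
              f"{{ {perms} }}  [{g['triage']}] {','.join(sorted(g['comms']))}")
```

Run it against `journalctl -k` or `/var/log/audit/audit.log` output instead of SAMPLE_LOG to get one line per (source, target, class) triple, which is a far shorter list than the raw denials and separates the labelling problems (the sshd/default_t lines) from the ones that need policy work before anything is switched to enforcing.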