
Questions tagged [selinux]

SELinux (Security-Enhanced Linux) is an implementation of a flexible role-based, mandatory access control (MAC) architecture on Linux, provided through kernel modifications and user-space tools. It is primarily used to confine system processes and users beyond the basic Discretionary Access Control (DAC) mechanism and access-control lists found on *nix systems.

0 votes, 1 answer, 18 views

Adding a fresh zfs sub-dataset pri_zp/Z1/Z99-future to pri_zp/Z1, and resuming recursive replication to sec_zp/Z1

I have set up and replicated the OpenZFS dataset pri_zp/Z1 (with pri_zp/Z1/Z00-initial) to sec_zp/Z1 using a zfs send -R. But then (months later) when I try to create (and replicate) a newer data set, ...
Asked by NevilleDNZ

0 votes, 0 answers, 20 views

SELinux seems to be blocking but no denied message appearing in audit log

I have a script executed by a Java app with testmod_t context. This script does chage -M -1 user to set a user to no expiry. However, when SELinux is enforcing, the command does not seem to do ...
Asked by neffect

0 votes, 0 answers, 57 views

How do I create an SELinux policy to allow php-fpm to execute optipng?

I am running WordPress on Rocky Linux 9 and need optipng for some image transformation tasks, but it is being blocked: SELinux is preventing /usr/sbin/php-fpm from execute access on the file optipng. ...
Asked by location

0 votes, 0 answers, 27 views

Android SELinux: start dnsmasq on startup

I have had this question on android.stackexchange.com for more than a month, but I just realised that my problem isn't related to Android as much as it is related to SELinux and Android security. I’m ...
Asked by ellat

1 vote, 0 answers, 26 views

Setting custom SELinux policy for a systemd service

In AlmaLinux 9 I have a small ExecStart systemd service which runs a Java process (Java Temurin 21). I am getting SELinux errors due to the service not having the execmem permission (already checked ...
Asked by Mateo Upegui Borja

1 vote, 1 answer, 31 views

Confined user (staff_u) can use sudo to transition to unconfined_r even though there is no sudoers entry that permits it

I've created a user that is mapped to the staff_u SELinux user: # semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u ...
Asked by Sam Morris

0 votes, 1 answer, 69 views

geoclue redhat selinux annoyance

On a clean install of RHEL-8.9 from ISO, with SELinux in its default state of enforcing, geoclue shows up via sealert -a /var/log/audit/audit.log: SELinux is preventing /usr/libexec/geoclue from search ...
Asked by ron

1 vote, 0 answers, 31 views

SELinux issue running systemctl from script invoked by rsyslogd

We have a constant issue where sssd is getting itself into a failed state when an oom-killer event happens and kills a user's memory hog job. No idea why this happens as the oom-killer is not touching ...
Asked by raines

0 votes, 0 answers, 63 views

Set SELinux labels in Docker build

I'm trying to produce a squashfs image with labeled files for SELinux. I'm building this using docker buildx. Both of the ideas I tried failed: setfattr and chcon do not work on SELinux-enforcing ...
Asked by Dmitry Sharshakov

0 votes, 1 answer, 70 views

Fine-tune SELinux constraints on nginx without semanage?

I'm setting up nginx on a Rocky 8.9 server, and ran into SELinux problems trying to listen on ports other than 80 and 443. The recommended solutions across the internet all seem to recommend semanage, ...
Asked by Wildcard

1 vote, 1 answer, 38 views

How do I automatically set the target context for a .sock file to be **httpd_var_run_t** so that nginx can connect to and write to the socket?

The original file context for /run/unicorn.sock is tcontext=system_u:object_r:var_run_t:s0. How do I have the file context automatically be system_u:object_r:httpd_var_run_t:s0 when I start the socket ...
Asked by siralbert

4 votes, 1 answer, 377 views

Can I use SELinux to add an extra layer of protection against 0-day VM escape exploits in KVM/QEMU?

My host is Fedora, and I want to add an extra layer of protection against 0-day KVM/QEMU exploits that execute code on the host. For example, there have been CVEs where if we run a specially crafted ...
Asked by OneAndOnly

0 votes, 1 answer, 92 views

Error when rebuilding SELinux policy after adding rule to type enforcement (.te) file

I am going through this guide which allows me to create a custom SELinux policy for an application and restrict unconfined access to the kernel system files. On Step 9, I need to add a rule to the ...
Asked by siralbert

0 votes, 1 answer, 83 views

Recreate SELinux .te file from loaded policy

I don't have the original .te file or .mod or .pp files for a custom .pp I created from audit2allow -a output. The policy is currently running on the server and I would like to get the original .te ...
Asked by Emanuele Buttice

0 votes, 2 answers, 73 views

How to modify the SELinux labels of a file

In RHEL 8.9, in /etc/systemd/system/ I created a custom.service file, using vi as root. In doing so it has these labels by default, as shown by ls -ldZ: -rw-r--r--. 1 root root unconfined_u:object_r:...
Asked by ron